Re: IIS 5.0 NT Authentication
From: Chris Adams (IIS) (chrisad-msft_at_microsoft.com)
Date: 07/01/03
- Next message: Keith W. McCammon: "Re: Programmatic support to Certificate Services"
- Previous message: Chris Adams (IIS): "Re: How to Change Password when Expiry"
- In reply to: Ken Schaefer: "Re: IIS 5.0 NT Authentication"
- Next in thread: Stephen L Nicoud: "Re: IIS 5.0 NT Authentication"
- Reply: Stephen L Nicoud: "Re: IIS 5.0 NT Authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 1 Jul 2003 12:58:57 -0700
Hey ~
If IE detects a period, then it will forward the request to the Internet, believing that
the site is on the Internet... If you don't want this, I suggest adding any dotted
domain names to the Trusted or Intranet zones...
However, keep in mind that NTLM (or Integrated) authentication is not supported nor
guaranteed to work over the Internet. It is suggested that you use Basic with
HTTPS ...
264921 INFO: How IIS Authenticates Browser Clients
http://support.microsoft.com/?id=264921
See -
Windows NT Challenge/Response - The server requests the user to log on. If
the browser supports Windows NT Challenge/Response, it automatically sends
the user's credentials if the user is logged on. If the domain that the user
is on is different than the server's domain, or if the user is not logged
on, a dialog box appears requesting the credentials to send. Windows NT
Challenge/Response uses an algorithm to generate a hash based on the user's
credentials and the computer that the user is using. It then sends this
hash to the server. The browser does not send the user's password across to
the server.
- Browsers Supported: Internet Explorer versions 3.01 and later
- Limitations: Requires point-to-point connection. Usually, a circuit
is closed after a "401 unauthorized" error message; however, when
negotiating a Windows NT Challenge/Response authentication sequence
(which requires multiple round trips), the server keeps the circuit
open for the duration of the sequence after the client has indicated
that it will use Windows NT Challenge/Response. CERN proxies and
certain other Internet devices prevent this from working. Also, Windows
NT Challenge/Response does not support double-hop impersonations (in
that once passed to the IIS server, the same credentials cannot be
passed to a back-end server for authentication).
- User Rights Required: The user account that is accessing the server
must have "Access this computer from the network" permissions.
- Encryption Type: NTLM Hash algorithm that is also uuencoded.
Orders of Precedence:
When the browser makes a request, it always considers the first request to
be Anonymous. Therefore, it does not send any credentials. If the server
does not accept Anonymous OR if the Anonymous user account set on the server
does not have permissions to the file being requested, the IIS server
responds with an "Access Denied" error message and sends a list of the
authentication types that are supported by using one of the following
scenarios:
- If Windows NT Challenge/Response is the only supported method (or if
Anonymous fails), then the browser must support this method to
communicate with the server. Otherwise, it cannot negotiate with the
server and the user receives an "Access Denied" error message.
- If Basic is the only supported method (or if Anonymous fails), then a
dialog box appears in the browser to get the credentials, and then
passes these credentials to the server. It attempts to send these
credentials up to three times. If these all fail, the browser is not
connected to the server.
- If both Basic and Windows NT Challenge/Response are supported, the
browser determines which method is used. If the browser supports
Windows NT Challenge/Response, it uses this method and does not fall
back to Basic. If Windows NT Challenge/Response is not supported, the
browser uses Basic.
HTH,
--
~Chris (MSFT)
IIS Supportability Lead

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:ufWIqX3PDHA.2768@tk2msftngp13.phx.gbl...
> Probably because of their IE settings.
>
> Check in their security settings, for the different zones, and I suspect
> that you'll find that "Automatic Logon" is configured only for (a) the
> Intranet Zone and (b) the Trusted Sites zone.
>
> http://intranet is in the "intranet zone" because it isn't a FQDN
> http://intranet.myCompany.local is also probably in the "intranet zone"
> because it uses your Active Directory domain name
> http://intranet.myCompany.com is a public FQDN, and IE has no way of knowing
> where this site is, so it doesn't attempt to logon automatically (ie it
> doesn't send out username/password automatically). This is a good security
> measure, otherwise sites could harvest username/passwords easily by luring
> unsuspecting users, and then asking for authentication.
>
> Perhaps you could add: http://intranet.abc.com/ to the user's trusted sites
> zone.
>
> I don't think this has anything to do with IIS per se.
>
> Cheers
> Ken
>
> "Michael Steiner" <msteiner@heritagegolf.com> wrote in message
> news:2abb01c33f4d$e844a3b0$a401280a@phx.gbl...
> : All,
> :
> : Have a new Intranet server sitting on a windows 2000
> : server running IIS 5.0. When a user types http:\\intranet
> : or just intranet in their browser it takes them right to
> : the intranet. However if they type
> : http:\\intranet.abc.com which is the name of the internal
> : FQDN they get challenged for their network credentials.
> :
> : Any thoughts?
>
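The zone decision and the order of precedence discussed in this thread, as an added example that is not part of the original posts or of any Microsoft code; the hostnames, zone lists, header strings and returned fields are assumptions used to model the described behaviour and to flag the two risks the post names (NTLM across the Internet, Basic without HTTPS).

```python
from urllib.parse import urlsplit

# Constructed model of the behaviour described in the thread; hostnames,
# zone lists and result fields are assumptions, not Microsoft code or settings.

def ie_zone(url, intranet_sites=(), trusted_sites=()):
    """Classify a URL the way the thread describes IE doing it: an explicitly
    listed host wins; otherwise any dotted name is treated as Internet."""
    host = (urlsplit(url).hostname or "").lower()
    if host in {h.lower() for h in trusted_sites}:
        return "trusted"
    if host in {h.lower() for h in intranet_sites} or "." not in host:
        return "intranet"
    return "internet"

def choose_scheme(offered, browser_supports_ntlm=True):
    """Apply the order of precedence from the 401 response: NTLM wins when the
    browser supports it and never falls back to Basic; else Basic; else none."""
    schemes = {s.strip().split(" ")[0].lower() for s in offered}  # 'Basic realm=..' -> 'basic'
    if "ntlm" in schemes and browser_supports_ntlm:
        return "NTLM"
    if "basic" in schemes:
        return "Basic"
    return None

def negotiate(url, offered, intranet_sites=(), trusted_sites=(),
              browser_supports_ntlm=True, user_logged_on=True):
    """Return what the client will do for a 401 and the risks a reviewer should flag."""
    zone = ie_zone(url, intranet_sites, trusted_sites)
    scheme = choose_scheme(offered, browser_supports_ntlm)
    result = {"zone": zone, "scheme": scheme, "prompt": False, "warnings": []}
    if scheme is None:
        result["warnings"].append("no mutually supported scheme: Access Denied")
        return result
    if scheme == "NTLM":
        # Credentials go out silently only from intranet/trusted zones while logged on.
        result["prompt"] = not (zone in ("intranet", "trusted") and user_logged_on)
        if zone == "internet":
            result["warnings"].append("NTLM is not guaranteed across the Internet or CERN proxies")
    else:
        result["prompt"] = True          # Basic always shows the dialog, up to three tries
        result["max_attempts"] = 3
        if urlsplit(url).scheme.lower() != "https":
            result["warnings"].append("Basic without HTTPS exposes the password in transit")
    return result
```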