Re: [Windows 2003] [IIS 6] A strange access problem
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 09/12/03
- Next message: David Wang [Msft]: "Re: IIS 5.0-6.0 Virtual Directory Permissions Issue"
- Previous message: Dean [ms]: "Re: Enable WebDav in IIS 6?"
- In reply to: Massimo: "Re: [Windows 2003] [IIS 6] A strange access problem"
- Next in thread: Massimo: "Re: [Windows 2003] [IIS 6] A strange access problem"
- Reply: Massimo: "Re: [Windows 2003] [IIS 6] A strange access problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 12 Sep 2003 12:02:57 -0700
Let me clear up your misconceptions about authentication...
Authentication is something that is MUTUALLY NEGOTIATED between the client
and the server. The user only gets to configure the authentication types
(anonymous/basic/Integrated/etc) that the server will negotiate with.
Likewise, the client can be configured to auto-negotiate or not, based on
configuration (IE does this with Zones).
So, there is no "fallback" authentication upon failure. It is all in the
negotiation between the client and the server, and it's all defined by user
configuration. It would be a security risk for the server/client to
automatically fall back and not allow the user to configure when/how.
Now that you understand that authentication is a process of mutual
negotiation between the client browser and the server, let's look at the
details:
- Integrated Authentication is actually a selection of several protocols.
For a stand-alone server, this means NTLM by default. For a server in a
domain, IIS favors Kerberos, though NTLM is a configurable default as well.
Kerberos is not possible for a stand-alone server since it needs Active
Directory.
- NTLM does not work well in an Internet environment because it is a
connection-based protocol. If there is a proxy in between the client and
the server, it can disrupt NTLM. You cannot control whether there is a
proxy because you cannot control whether the client comes from a proxy or
not. Thus, in general, this is hit-or-miss. In an Intranet scenario, NTLM
works well.
- Kerberos is ticket-based authentication that doesn't have the connection
restrictions, though it needs port access to a KDC to obtain its tickets.
- Basic auth is simplest because it is a base64 encoding of
"username:password" sent with the request. Hence it needs to be encrypted
with SSL to be safe.
I've already explained that IE configures auto-logon based on Zone, and Zone
determination is affected by the presence of dots in the URL.
What I think you should do is:
1. If your server can use Kerberos, do that. This requires the server to be
in a domain and access to an Active Directory.
2. If #1 is not possible, try Basic over SSL.
If you are interested in more debugging -- get a network sniffer hooked up
(Windows Server 2003 comes with one, Network Monitor, that you can install
from Add/Remove Windows Components), sniff the entire request/response
transaction between your client and the server in your failing case, and post
it. The sniff will tell everything about what's causing your access-denied
dialogs without any more speculation.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Massimo" <barone@mclink.it> wrote in message
news:%23NiPvvPeDHA.956@TK2MSFTNGP09.phx.gbl...
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:%23awE%23dPeDHA.1680@TK2MSFTNGP09.phx.gbl...

> If you are trying to use Integrated authentication and it's over the
> Internet, there is a probability it won't work.

Ok, but shouldn't IIS resort to standard authentication, once integrated
failed?

> Do you know if you are using Basic, NTLM, or Kerberos authentication. If
> you don't know... you should, and you should configure it that way.

There is also another strange behaviour; in the IIS console, I configured the
websites to use mydomain.com as the default authentication domain, so I only
have to specify the username and password in the client (OWA also was
pre-configured this way). But when I'm accessing them with FQDN or IP, the
logon dialog says it's accessing "frontend.mydomain.com", and after the first
failed logon attempt, it shows the username as frontend.mydomain.com\username,
instead of mydomain.com\username.

I hope this can help you find out what's happening...

> Also, as Bernard points out, IE has different authentication behavior
> between Intranet sites (sitenames without dots) and Internet sites
> (sitenames with at least one dot). Once again, that would be a
> client-configuration issue.

But I need to access these websites from the Internet, too... and they show
the same behaviour when accessing them with FQDN or IP from an Internet
connection.

Massimo
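The sniff David recommends is only useful once you can read the negotiation out of it. The following is an added example (not code from the thread or from Microsoft) that walks a plain-text HTTP capture, lists the schemes the server offered in its 401, the scheme the client actually sent, and flags the three failure modes discussed above: Basic without SSL, NTLM through a proxy, and a dotted hostname that IE places in the Internet zone. The capture, the hostname frontend.mydomain.com and the credential are constructed for illustration.

```python
import base64

# Constructed sample capture (not a real trace); the Basic credential is "user:placeholder".
SAMPLE_TRACE = """\
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="mydomain.com"

GET /exchange/ HTTP/1.1
Host: frontend.mydomain.com
Authorization: Basic dXNlcjpwbGFjZWhvbGRlcg==
"""

def parse_messages(trace):
    """Split a plain-text HTTP capture into (start_line, [(name, value), ...])."""
    messages = []
    for block in trace.strip().split("\n\n"):
        lines = block.split("\n")
        headers = [tuple(p.strip() for p in l.split(":", 1)) for l in lines[1:] if ":" in l]
        messages.append((lines[0], headers))
    return messages

def header_values(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]

def ie_zone(host):
    return "Intranet" if "." not in host else "Internet"  # IE's dot rule from the thread

def analyze(trace, over_ssl=False):
    """Offered vs. chosen schemes plus the risks the thread describes."""
    findings, offered, chosen, host = [], [], None, None
    for start, headers in parse_messages(trace):
        if start.startswith("HTTP/"):  # server response: collect the challenge
            offered = [v.split()[0] for v in header_values(headers, "WWW-Authenticate")]
            continue
        hosts = header_values(headers, "Host")
        host = hosts[0] if hosts else host
        for auth in header_values(headers, "Authorization"):
            chosen = auth.split()[0]
            if chosen == "Basic" and not over_ssl:
                # base64 is encoding, not encryption: the username falls straight out
                user = base64.b64decode(auth.split()[1]).decode().split(":", 1)[0]
                findings.append(f"Basic credentials for '{user}' sent in the clear")
            if chosen == "NTLM" and header_values(headers, "Via"):
                findings.append("NTLM through a proxy (Via header present)")
    zone = ie_zone(host) if host else None
    if zone == "Internet" and "Basic" in offered:
        findings.append(f"{host} is in IE's Internet zone: no auto-logon, expect a prompt")
    return {"offered": offered, "chosen": chosen, "zone": zone, "findings": findings}
```

Feed it the request/response text exported from Network Monitor; a Via header is the quickest tell that a proxy sits between the client and IIS, which is the NTLM-breaking case described above.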