IIS6 - Integrated Authentication Probs

From: JayDee (darius_falt_at_hotmail.com)
Date: 10/23/03

Date: Thu, 23 Oct 2003 11:12:26 +0100

I originally posted this in the IIS group,
but I thought I'd try here.

I'm really stuck getting integrated authentication to work across a web
server to a UNC share on another server.

If anyone feels so inclined, I'd really appreciate any help on offer.

Here's the problem:

It seems that when I use "integrated authentication" that the credentials
parsed from my browser to the web server are not being used correctly by the
webserver to authenticate me on the target resource: The target resource -
as I mentioned - is located on another machine.

How do I know this?

a) - I can see in the log files that the correct credentials are being
parsed from my browser to the webserver.
b) - Despite the fact these credentials are being parsed, I'm still being
asked to present credentials by way of the browser 'Username and Password'
dialogue box.
c) - Even if I manually present valid credentials at this dialogue box, I'm
still not able to authenticate to the target resource. After 3 attempts at
entering info into the Dialogue, I get the same 401.3 Error - "Unauthorized:
Access is denied due to an ACL set on the requested resource"

Hence - this is a general problem with the way the web server is using my
credentials to authenticate with the target resource.

If I change the Authentication method from "Integrated" to "Basic", I am
always prompted for credentials, this is expected.
This time, if I enter valid credentials, then the Web Server gives me access
to the resource I need.

So the problem here seems to be in how the IIS6 Web Server parses my
credentials for authentication on the target resource, but ONLY when it's

I thought that it might be something to do with NTLM versus Kerberos,
but this just adds to my confusion as in my test instance everything should
be working with Kerberos,

Here's the setup.

It's a W2K3 native mode domain,
with a W2K3 Web Server and IIS 6.
The client machine is WinXP Pro SP1a
The user and computer accounts are both members of this W2K3 Domain,

I'm trying to digest the info I've found in the article 332142,
I'll also try manually setting the authentication method by adapting the
IIS5 procedure given in 215383,

But I'm completely in the dark here. I could really really use some MS help on

Anyone out there?

Thanks people - I really appreciate your time.