Re: IIS6 - Integrated Authentication Probs

From: JayDee (darius_falt_at_hotmail.com)
Date: 10/23/03


Date: Thu, 23 Oct 2003 11:18:31 +0100

Here's the help provided by the illustrious Ken.

-->

"The "problem" isn't really a problem - it's expected behaviour.

When you use IWA, your user password is never sent across the wire - that's
what makes it more secure than Basic authentication. However, the token that
the webserver gets from the Domain Controller doesn't have permission to
logon to other network resources.

When you use Basic authentication, your username *and* password are
transmitted, in the clear, to the webserver, who can then "act" on your
behalf (as if you were logged on at the webserver) and get access to network
resources.

(I'm sure the actual way this works is a little more complex, but this
should suffice for the purposes of your dilemma).

OK, so what do you do about it?

With Windows 2000 you need to enable delegation (Windows 2003 allows for
constrained delegation which is much "safer" in that you can restrict the
services that are delegated). Now, you say you have a Windows 2003 native
mode domain? If so, then you need to follow the delegation procedure
outlined in Chapter 5 (IIRC) of the IIS 6 Resource Kit:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=80A1B6E6-829E-49B7-8C02-333D9C148E69

Cheers
Ken"

"JayDee" <darius_falt@hotmail.com> wrote in message
news:OXWNq4UmDHA.1708@TK2MSFTNGP12.phx.gbl...
> I originally posted this in IIS group,
> but I thought I'd try here,
>
> I'm really stuck getting integrated authentication to work across a web
> server to a UNC share on another server
>
> If anyone feels so inclined, I'd really appreciate any help on offer.
>
> Here's the problem
>
> It seems that when I use "integrated authentication" that the credentials
> parsed from my browser to the web server are not being used correctly by the
> webserver to authenticate me on the target resource: The target resource -
> as I mentioned - is located on another machine.
>
> How do I know this?
>
> a) - I can see in the log files that the correct credentials are being
> parsed from my browser to the webserver.
> b) - Despite the fact these credentials are being parsed, I'm still being
> asked to present credentials by way of the browser 'Username and Password'
> dialogue box.
> c) - Even if I manually present valid credentials at this dialogue box, I'm
> still not able to authenticate to the target resource. After 3 attempts at
> entering info into the Dialogue, I get the same 401.3 Error - "Unauthorized:
> Access is denied due to an ACL set on the requested resource"
>
> Hence - this is a general problem with the way the web server is using my
> credentials to authenticate with the target resource.
>
> If I change the Authentication method from "Integrated" to "Basic", I am
> always prompted for credentials, this is expected.
> This time, if I enter valid credentials, then the Web Server gives me access
> to the resource I need.
>
> So the problem here seems to be in how the IIS6 Web Server parses my
> credentials for authentication on the target resource, but ONLY when it's
> handling it via INTEGRATED AUTHENTICATION
>
> I thought that it might be something to do with NTLM versus Kerberos,
> but this just adds to my confusion as in my test instance everything should
> be working with Kerberos,
>
> Here's the setup.
>
> It's a W2K3 native mode domain,
> with a W2K3 Web Server and IIS 6.
> The client machine is WinXP Pro SP1a
> The user and computer accounts are both members of this W2K3 Domain,
>
> I'm trying to digest the info I've found in the article 332142,
> I'll also try manually setting the authentication method by adapting the
> IIS5 procedure given in 215383,
>
>
> But I'm completely in the dark here. I could really, really use some MS help on
> this.
>
>
> Anyone out there?
>
>
> thanks people - I really appreciate your time.
>
>
>
>
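
The delegation decision discussed in this thread (web server forwarding a user's identity to a file share) can be checked from the Active Directory attributes that control it. The following is an added example, not part of the original posts: the account records, host names and the `second_hop` helper are constructed for illustration, and it assumes the client authenticated to the web server with Kerberos.

```python
# Added example: classify Kerberos delegation posture from AD attributes.
# The userAccountControl bits and msDS-AllowedToDelegateTo are real AD
# attributes; every account record below is constructed sample data.

TRUSTED_FOR_DELEGATION = 0x80000   # "Trust this computer for delegation to any service"
NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"


def delegation_mode(account):
    """Return 'unconstrained', 'constrained' or 'none' for a service account."""
    if account.get("userAccountControl", 0) & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if account.get("msDS-AllowedToDelegateTo"):
        return "constrained"
    return "none"


def second_hop(front_end, user, target_spn):
    """Decide whether front_end may forward user's identity to target_spn."""
    if user.get("userAccountControl", 0) & NOT_DELEGATED:
        return False, "user account is marked sensitive and cannot be delegated"
    mode = delegation_mode(front_end)
    if mode == "none":
        return False, "front end is not trusted for delegation"
    if mode == "unconstrained":
        return True, "allowed, but to ANY service: prefer constrained delegation"
    # SPNs compare case-insensitively.
    allowed = {spn.lower() for spn in front_end["msDS-AllowedToDelegateTo"]}
    if target_spn.lower() in allowed:
        return True, "allowed by constrained delegation"
    return False, "target SPN is not in msDS-AllowedToDelegateTo"


# Constructed sample accounts (0x1000 = computer account, 0x200 = normal user).
WEB_DEFAULT = {"name": "WEB01$", "userAccountControl": 0x1000}
WEB_UNCONSTRAINED = {"name": "WEB02$", "userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION}
WEB_CONSTRAINED = {
    "name": "WEB03$",
    "userAccountControl": 0x1000,
    "msDS-AllowedToDelegateTo": ["cifs/files01.example.test", "cifs/FILES01"],
}
ALICE = {"name": "alice", "userAccountControl": 0x200}
ADMIN = {"name": "admin", "userAccountControl": 0x200 | NOT_DELEGATED}

if __name__ == "__main__":
    share = "cifs/files01.example.test"   # SPN of the file server hosting the UNC share
    for web in (WEB_DEFAULT, WEB_UNCONSTRAINED, WEB_CONSTRAINED):
        print(web["name"], second_hop(web, ALICE, share))
    print("WEB02$ with admin:", second_hop(WEB_UNCONSTRAINED, ADMIN, share))
```

A default web server account (`WEB01$` here) reproduces the 401.3 on the second hop; the constrained entry permits only the listed `cifs/` service.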


