Re: IIS6 - Integrated Authentication Probs
From: JayDee (darius_falt_at_hotmail.com)
Date: Thu, 23 Oct 2003 11:18:31 +0100
Here's the help provided by the illustrious Ken.
"The "problem" isn't really a problem - it's expected behaviour.
When you use IWA, your user password is never sent across the wire - that's
what makes it more secure than Basic authentication. However, the token that
the webserver gets from the Domain Controller doesn't have permission to
logon to other network resources.
When you use Basic authentication, your username *and* password are
transmitted, in the clear, to the webserver, who can then "act" on your
behalf (as if you were logged on at the webserver) and get access to network
(I'm sure the actual way this works is a little more complex, but this
should suffice for the purposes of your dilemma).
OK, so what do you do about it?
With Windows 2000 you need to enable delegation (Windows 2003 allows for
constrained delegation which is much "safer" in that you can restrict the
services that are delegated). Now, you say you have a Windows 2003 native
mode domain? If so, then you need to follow the delegation procedure
outlined in Chapter 5 (IIRC) of the IIS 6 Resource Kit:
"JayDee" <email@example.com> wrote in message
> I originally posted this in IIS group,
> but I thought I'd try here,
> I'm really stuck getting integrated authentication to work across a web
> server to a UNC share on another server
> If anyone feels so inclined, I'd really appreciate any help on offer.
> Here's the problem
> It seems that when I use "integrated authentication" that the credentials
> parsed from my browser to the web server are not being used correctly by
> webserver to authenticate me on the target resource: The target resource -
> as I mentioned - is located on another machine.
> How do I know this?
> a) - I can see in the log files that the correct credentials are being
> parsed from my browser to the webserver.
> b) - Despite the fact these credentials are being parsed, I'm still being
> asked to present credentials by way of the browser 'Username and Password'
> dialogue box.
> c) - Even if I manually present valid credentials at this dialogue box, I'm
> still not able to authenticate to the target resource. After 3 attempts at
> entering info into the Dialogue, I get the same 401.3 Error -
> "Access is denied due to an ACL set on the requested resource".
> Hence - this is a general problem with the way the web server is using my
> credentials to authenticate with the target resource.
> If I change the Authentication method from "Integrated" to "Basic", I am
> always prompted for credentials, this is expected.
> This time, if I enter valid credentials, then the Web Server gives me access
> to the resource I need.
> So the problem here seems to be in how the IIS6 Web Server parses my
> credentials for authentication on the target resource, but ONLY when it's
> handling it via INTEGRATED AUTHENTICATION
> I thought that it might be something to do with NTLM versus Kerberos,
> but this just adds to my confusion as in my test instance everything
> be working with Kerberos,
> Heres the setup.
> It's a W2K3 native mode domain,
> with a W2K3 Web Server and IIS 6.
> The client machine is WinXP Pro SP1a
> The user and computer accounts are both members of this W2K3 Domain,
> I'm trying to digest the info I've found in the article 332142,
> I'll also try manually setting the authentication method by adapting the
> IIS5 procedure given in 215383,
> But I'm completely in the dark here. I could really use some MS help
> Anyone out there?
> thanks people - I really appreciate your time.
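An added example, not from Ken's reply or the original post, that audits the delegation settings Ken describes for the web server's computer account: whether Kerberos can be used (an HTTP SPN is registered), whether the account is trusted for unconstrained delegation (the Windows 2000 style, which lets the server impersonate users to any service), and whether Windows 2003 constrained delegation is limited to the cifs service on the file server. It assumes the RSAT ActiveDirectory PowerShell module, that IIS runs as Network Service (so the SPN and delegation live on the computer account), and the placeholder names WEBSRV01, FILESRV01 and corp.example.com.

```powershell
# Added example (not from Ken's reply or the original post): audit the AD
# delegation posture of an IIS server for the "double hop" to a UNC share.
# Assumes the RSAT ActiveDirectory module; WEBSRV01 / FILESRV01 / corp.example.com
# are placeholders.
Import-Module ActiveDirectory

function Get-DelegationPosture {
    param(
        [Parameter(Mandatory)] [string] $WebServer,   # IIS host, e.g. WEBSRV01
        [Parameter(Mandatory)] [string] $FileServer,  # host of the UNC share
        [string] $Domain = 'corp.example.com'         # placeholder DNS domain
    )

    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'msDS-AllowedToDelegateTo', 'ServicePrincipalNames'
    $acct = Get-ADComputer -Identity $WebServer -Properties $props

    # Delegation needs Kerberos, not NTLM, and the client obtains its ticket for
    # an HTTP/<host> SPN. With IIS running as Network Service that SPN must be on
    # the computer account; for a domain app-pool account check the user instead.
    $httpSpns = @($acct.ServicePrincipalNames | Where-Object { $_ -like 'HTTP/*' })
    $allowed  = @($acct.'msDS-AllowedToDelegateTo')
    $cifsOk   = ($allowed -contains "cifs/$FileServer.$Domain") -or
                ($allowed -contains "cifs/$FileServer")

    [pscustomobject]@{
        Account                 = $acct.Name
        HasHttpSpn              = $httpSpns.Count -gt 0
        HttpSpns                = $httpSpns
        # $true = "trusted for delegation to any service" (unconstrained): the
        # web server can impersonate every authenticated user to any service in
        # the forest. Treat as a finding; prefer constrained delegation.
        UnconstrainedDelegation = [bool]$acct.TrustedForDelegation
        # Constrained delegation lists exactly which SPNs the web server may use
        # on the user's behalf; only cifs/<fileserver> is needed for the share.
        ConstrainedTargets      = $allowed
        ConstrainedToFileShare  = $cifsOk
        # Protocol transition ("use any authentication protocol") widens the
        # constrained setting further, so report it explicitly.
        ProtocolTransition      = [bool]$acct.TrustedToAuthForDelegation
    }
}

Get-DelegationPosture -WebServer 'WEBSRV01' -FileServer 'FILESRV01' | Format-List
```

A healthy result for this thread's setup is HasHttpSpn true, UnconstrainedDelegation false and ConstrainedToFileShare true; the browser must also negotiate Kerberos rather than NTLM, which the 215383 article's NTAuthenticationProviders setting controls on the IIS side.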