Re: IIS6 - Integrated Authentication Probs
From: JayDee (darius_falt_at_hotmail.com)
Date: Thu, 23 Oct 2003 11:24:35 +0100
...and my response....
Adding to my previous post,
I misled you slightly (actually I was misleading myself!!!)
I'm actually running in win2000 mixed mode, not win2003 native mode, for my
even though my servers are 2k3 - I haven't made the jump yet, because I'm
still in the middle of a migration
So I can't go the whole way with constrained delegation,
but reading between the lines on the IIS RK Docs (Chap5, pp469) I have
enabled "trust computer for delegation" in the W2K3 computer account
webserver in DSA.MSC
There's a note below this option that says that this will only enable delegation
for services running under Local System.
My web app is running in IIS5 isolation mode, which means it will run under
an IWAM account not the Local System,
Suffice to say, I'm not entirely surprised that this doesn't seem to fix my
At the moment I'm stuck again.
Does this mean I'm stuffed?
"JayDee" <email@example.com> wrote in message
> Here's the help provided by the illustrious Ken.
> "The "problem" isn't really a problem - it's expected behaviour.
> When you use IWA, your user password is never sent across the wire -
> what makes it more secure than Basic authentication. However, the token
> the webserver gets from the Domain Controller doesn't have permission to
> logon to other network resources.
> When you use Basic authentication, your username *and* password are
> transmitted, in the clear, to the webserver, who can then "act" on your
> behalf (as if you were logged on at the webserver) and get access to
> (I'm sure the actual way this works is a little more complex, but this
> should suffice for the purposes of your dilemma).
> OK, so what do you do about it?
> With Windows 2000 you need to enable delegation (Windows 2003 allows for
> constrained delegation which is much "safer" in that you can restrict the
> services that are delegated). Now, you say you have a Windows 2003 native
> mode domain? If so, then you need to follow the delegation procedure
> outlined in Chapter 5 (IIRC) of the IIS 6 Resource Kit:
> "JayDee" <firstname.lastname@example.org> wrote in message
> > I originally posted this in IIS group,
> > but I thought I'd try here,
> > I'm really stuck getting integrated authentication to work across a web
> > server to a UNC share on another server
> > If anyone feels so inclined, I'd really appreciate any help on offer.
> > Here's the problem
> > It seems that when I use "integrated authentication" that the
> > parsed from my browser to the web server are not being used correctly by
> > webserver to authenticate me on the target resource: The target
> > as I mentioned - is located on another machine.
> > How do I know this?
> > a) - I can see in the log files that the correct credentials are being
> > parsed from my browser to the webserver.
> > b) - Despite the fact these credentials are being parsed, I'm still
> > asked to present credentials by way of the browser 'Username and
> > dialogue box.
> > c) - Even if I manually present valid credentials at this dialogue box,
> > still not able to authenticate to the target resource. After 3 attempts
> > entering info into the Dialogue, I get the same 401.3 Error -
> > Access is denied due to an ACL set on the requested resource"
> > Hence - this is a general problem with the way the web server is using
> > credentials to authenticate with the target resource.
> > If I change the Authentication method from "Integrated" to "Basic", I am
> > always prompted for credentials, this is expected.
> > This time, if I enter valid credentials, then the Web Server gives me
> > to the resource I need.
> > So the problem here seems to be in how the IIS6 Web Server parses my
> > credentials for authentication on the target resource, but ONLY when it's
> > handling it via INTEGRATED AUTHENTICATION
> > I thought that it might be something to do with NTLM versus Kerberos,
> > but this just adds to my confusion as in my test instance everything
> > be working with Kerberos,
> > Here's the setup.
> > It's a W2K3 native mode domain,
> > with a W2K3 Web Server and IIS 6.
> > The client machine is WinXP Pro SP1a
> > The user and computer accounts are both members of this W2K3 Domain,
> > I'm trying to digest the info I've found in the article 332142,
> > I'll also try manually setting the authentication method by adapting the
> > IIS5 procedure given in 215383,
> > But I'm completely in the dark here. I could really really use some MS
> > this.
> > Anyone out there?
> > thanks people - I really appreciate your time.
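
An added example, not part of the original thread: a simplified Python model of the delegation settings discussed above, decoding the documented Active Directory `userAccountControl` bits to show when a web server account may carry an Integrated-auth user's identity on to a second server, and to flag accounts left with the broad "trust for delegation" setting. Account names, SPNs and the `ACCOUNTS` table are constructed; the model assumes Kerberos was used and ignores which identity the worker process runs as.

```python
# userAccountControl bits as documented by Microsoft for Active Directory.
NORMAL_ACCOUNT            = 0x200      # ordinary user account
WORKSTATION_TRUST_ACCOUNT = 0x1000     # ordinary member computer account
SERVER_TRUST_ACCOUNT      = 0x2000     # domain controller
TRUSTED_FOR_DELEGATION    = 0x80000    # "Trust this computer for delegation"
NOT_DELEGATED             = 0x100000   # "Account is sensitive and cannot be delegated"


def delegation_posture(uac, allowed_to_delegate_to=()):
    """Classify an account from userAccountControl and msDS-AllowedToDelegateTo."""
    if uac & TRUSTED_FOR_DELEGATION:
        # Domain controllers carry this bit by default; flag everything else.
        return "unconstrained-dc" if uac & SERVER_TRUST_ACCOUNT else "unconstrained"
    if allowed_to_delegate_to:
        return "constrained"
    return "none"


def can_second_hop(service, user_uac, target_spn):
    """True if `service` may present the user's Kerberos identity to target_spn."""
    if user_uac & NOT_DELEGATED:
        return False                      # sensitive accounts are never delegated
    posture = delegation_posture(service["uac"], service.get("delegate_to", ()))
    if posture.startswith("unconstrained"):
        return True                       # any back-end service: the broad setting
    if posture == "constrained":
        allowed = {s.lower() for s in service["delegate_to"]}
        return target_spn.lower() in allowed
    return False                          # no delegation: the second hop is refused


# Constructed sample accounts (names and SPNs are illustrative only).
ACCOUNTS = {
    "WEB-DEFAULT$": {"uac": WORKSTATION_TRUST_ACCOUNT},
    "WEB-TRUSTED$": {"uac": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    "WEB-CONSTR$":  {"uac": WORKSTATION_TRUST_ACCOUNT,
                     "delegate_to": ["cifs/files01.example.test"]},
    "DC01$":        {"uac": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
}


def audit(accounts):
    """Return names of non-DC accounts with unconstrained delegation, sorted."""
    return sorted(n for n, a in accounts.items()
                  if delegation_posture(a["uac"], a.get("delegate_to", ())) == "unconstrained")


if __name__ == "__main__":
    print(audit(ACCOUNTS))
```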