Re: IIS5.0 + ADSI + Inetgrated Auth.
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 12/21/03
- Next message: Karl Levinson [x y] mvp: "Re: Permanently turn off Integrated Windows Authentication?"
- Previous message: David Wang [Msft]: "Re: do i have to purchase an ssl?"
- In reply to: Petr SIMUNEK: "IIS5.0 + ADSI + Inetgrated Auth."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 21 Dec 2003 00:34:38 -0800
Your problem lies with delegation. Integrated Auth is not delegatable from
IIS5. It works with IIS6+AD, though.
Basic auth should work (i've successfully used ASP pages that use ADSI to
make property changes on another IIS server over Basic auth with admin
credentials).
See this Whitepaper for explanation/links. It describes it in the context
of access to UNC shares, but the concepts apply.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/deploy/confeat/RemStorg.asp
-- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // "Petr SIMUNEK" <simunekp@hotmail.com> wrote in message news:uHdeqzNxDHA.1484@TK2MSFTNGP09.phx.gbl... Scenario: -------------------------- - Native W2K domain - Multiple DS and MS - IIS installed on one of the Member Servers - Main public WEB site with security set to ANONYMOUS ACCESS uses LOCAL IUSER_MachineName account of this member server. Inside Virtual Dir with security set to INTEGRATED contains pages for manipulating USERs properties over ADSI Integrated authentication works fine, but nobody - even Domain Admin can't do any change to AD from remote computer - even DC. All fails on: [ Active Directory error '80070005' ] When i run the same on the Member Server where IIS resides all goes fine. ? Tried couple of things but nothing so far helped - setting the IIS MS - Trusted for delegation - switching to Basic Authentication - When I logIn localy on ISS MS machine as non Privileged user the script fails as well ---------------------------------------- ? I assume - scripts(ASP) are fine since they run smoothly on IIS machine - if the pages run in security context of authenticated user / as they should - makes no sense to setting up DOMAIN-wide IUSER account Help me out pls...this must be well maped area Petr Simunek MOD Admin ....thanx for any guide
- Next message: Karl Levinson [x y] mvp: "Re: Permanently turn off Integrated Windows Authentication?"
- Previous message: David Wang [Msft]: "Re: do i have to purchase an ssl?"
- In reply to: Petr SIMUNEK: "IIS5.0 + ADSI + Inetgrated Auth."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
