Re: IIS 5.0 Integrated Authentication always looks locally than to the domain it has joined
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/31/04
Date: Tue, 30 Mar 2004 20:35:14 -0700
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:c4bs56$4s015@kcweb01.netnews.att.com...
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:uB1SIxhFEHA.2160@TK2MSFTNGP12.phx.gbl...
> > "Tom Kaminski [MVP]" wrote
> > > "Ken Schaefer" wrote
> > > > "Tom Kaminski [MVP]" wrote
> > > > : "Nachi" wrote
> > > > : I've a Win2K machine joined to a domain. Setup the IIS to Integrated
> > > > : and the rest of the authentication options are not set. Whenever I browse to
> > > > : any HTML page, authentication happens locally and not against the
> > > > : domain joined.
> >
> > > > : Upon enabling basic authentication alone (with the domain pointing to
> > > > : the joined domain), it works by authenticating against the said domain.
> > > > : But strangely with 'integrated authentication' alone, it always goes to
> > > > : local machine rather than joined domain. Is there a way to force
> > > > : authentication against domain explicitly?
> > > > :
> > > > : Specifically how are you testing this? IIS should use the domain.
> > > >
> > > >
> > > > Not in my experience...
> > > >
> > > > IIS interprets Username as <LocalIISServer>\Username rather than
> > > > <Domain>\Username
> > >
> > > I wonder why? It's always worked correctly in my environment - which is the
> > > whole point of Windows Integrated authentication (to use the domain).
> > >
> >
> > I am waiting with bated breath, as my experience has always
> > been the same as Ken, local accounts only unless specified
> > otherwise. If you really have seen it otherwise Tom, then can
> > we compare what you have tweaked to get this behavior?
>
> I haven't had to tweak anything. Read what Paul posted and think about it -
> how can IIS use the account you logged on to your workstation with if IIS is
> expecting its own local accounts? The server's local accounts only exist in
> the context of the server - you can't log on to your own machine with them.
> A domain account, on the other hand, can be used on all machines in the
> domain, both servers and workstations - hence the point of Windows Integrated
> authentication - you're already logged on to your machine with a domain
> account so IE/IIS will use that (in the background) and not prompt you
> again.
>
But you are speaking of pre-existing credentials.
I am talking of prompted login authentication, which I believe
is also what the OP was asking about.
When prompted with Windows integrated authentication in use
there is no way to set a default SAM, it will always use the
machine local SAM.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA