Re: Standalone IIS Server prompts for authentication when using Domain Anon User Acct

From: Bernard (qbernard_at_hotmail.com.discuss)
Date: 10/02/04 

Date: Sat, 2 Oct 2004 11:12:44 +0800

In this case, ensure that the anonymous account has at least READ NTFS
permission on the resource.
check the log file for more clue. 

-- 
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Miguel" <ihaveblint@gmail.com> wrote in message
news:393251a5.0410010515.3858e4cb@posting.google.com...
> Hi Miha,
>
>    The IIS server is not part of a domain. For testing purposes I made
> an exception and allowed all traffic from this IIS server to all DCs
> to see if this was a firewall issue however that still didn't work. As
> mentioned, I only get prompted for Windows Authentication when the IIS
> server is not a member of the domain, however if part of the domain
> one no longer gets prompted. This alone should rule out any
> firewall/network level issues.
>    The problem isn't that I'm failing to authenticate when prompted,
> but rather why I'm being asked to authenticate at all as an anonymous
> user. I realize some would wonder why I don't keep my IIS server in
> the Domain - I prefer to keep my DMZ servers standalone.
>
>    Thanks for your assistance,
>
>             Miguel
>
>
> "Miha Pihler" <mihap-news@atlantis.si> wrote in message
news:<#8Bj0jwpEHA.1300@TK2MSFTNGP12.phx.gbl>...
> > Hi Miguel,
> >
> > Can you explain a bit more? Is this server member of domain or not? If
it is
> > a member of domain, did you open necessary TCP and UDP ports between
your
> > IIS server in DMZ and your active directory? Did you change DNS
> > configuration (under TCP/IP properties) in IIS server so that it point
to
> > your active directory DNS?
> >
> > In user authentication prompt did you try entering
> >
> > domain_name\username
> >
> > where domain_name is NetBIOS name of your domain and
> > username is account created in your domain.
> >
> > Mike
> >
> > "Miguel" <ihaveblint@gmail.com> wrote in message
> > news:393251a5.0409300707.7a3af05f@posting.google.com...
> > > Hello all,
> > >
> > >    I'm having some trouble with getting my IIS server working
> > > correctly with anonymous users. Current we have an IIS server sitting
> > > in the DMZ that is not part of the internal Windows domain which needs
> > > to access Active Directory. To gain access to Active Diretory I've
> > > changed the Anonymous User Account under IIS to a domain account.
> > > However this causes one to be prompted to authenticate as soon as you
> > > try to access the website on the IIS server. For testing purposes I
> > > added the IIS server to the same domain that it would be accessing and
> > > I no longer got prompted to authenticate when accessing the website.
> > > This isn't a NTFS permission problem as far as I can tell since the
> > > web application resides in a directory giving Everybody permission to
> > > access it. I read that Log on Locally might be necessary, but after
> > > giving the domain account (the same that IIS is running as) permission
> > > to logon locally I still get prompted for authentication.
> > >
> > >    The desired result is for the standalone IIS server to have access
> > > to Active Directory without needing any type of authentication by the
> > > user other than at the application level.
> > >
> > >    Any ideas on what could be causing anonymous users being prompted
> > > for Windows authentication?
> > >
> > >
> > >        Thanks!

Relevant Pages

  • Re: How to deny access to domain shares from a workgroup computer
    ... If I take the example of Internet Explorer pass-through authentication: ... the authentication process is identical whether I am prompted and enter credentials, or whether my logged in credentials are passed-through ... It is just an authentication based on username and password; and authentication protocol designed to make it hard to intercept or decipher the authentication in transit; and a convenience mechanism for passing through under certain circumstances without an explicit prompt. ... By adding a prefix he is really saying "this version rather than that version of my account". ...
    (microsoft.public.windows.server.security)
  • Re: How to deny access to domain shares from a workgroup computer
    ... It makes sense to me, now that you clearly state it, that there is no need to trust the machine where the authentication is coming from. ... If he truly knew nothing about the domain, it is somewhat unlikely for him to have a local account whose name matches that of a domain account, although this is possible. ... user name and password sufficient credentials, ... It is just an authentication based on username and password; and authentication protocol designed to make it hard to intercept or decipher the authentication in transit; and a convenience mechanism for passing through under certain circumstances without an explicit prompt. ...
    (microsoft.public.windows.server.security)
  • Re: How to deny access to domain shares from a workgroup computer
    ... It makes sense to me, now that you clearly state it, that there is no need to trust the machine where the authentication is coming from. ... However, if you consider only user name and password sufficient credentials, then it's fine. ... It is just an authentication based on username and password; and authentication protocol designed to make it hard to intercept or decipher the authentication in transit; and a convenience mechanism for passing through under certain circumstances without an explicit prompt. ... By adding a prefix he is really saying "this version rather than that version of my account". ...
    (microsoft.public.windows.server.security)
  • Re: Authentication Question
    ... if you use a local account. ... ISA authentication prompt, if integrated authentication is enabled on the ... > with a local account to the PC and not the domain are the users still ...
    (microsoft.public.isa)
  • Re: WSS 3.0 Central Administration Application Management Access Failu
    ... the reason you get a login prompt is because you dig not add the url to the trusted/intranet site in IE. ... Do you log on to the sharepoint central admin site with the same account as the one you used to install Sharepoint? ... URL authorization failed for the request. ... Authentication Type: NTLM ...
    (microsoft.public.sharepoint.windowsservices)