Re: IIS6 - Virtual Directory to URL share, authentication problems.

From: Bob Eadie (robert_at_eadies.org.uk)
Date: 10/27/04


Date: Wed, 27 Oct 2004 12:04:19 +0100

Thanks for this very full reply. I have now solved the external access, by
reducing them to basic authentication (and must now work on a certificate
for SSL!).

I am beginning to understand the internal problems. From what you say (and
your book reference was very helpful) we haven't a hope of getting it to
work with automatic logons from our many Windows98 machines, as they are not
capable of Kerberos? Am I right? If so, I'm not sure where we move from
here.

I have been aiming for IIS6 on Windows2003 specifically as it allows user
credentials to be passed to a UNC share on a remote server, but now it seems
that that system has severe restrictions? Any suggestions for a workaround?
The data is too large to copy onto the IIS server. I suppose I could run
another IIS on the remote server, and route to there? Is this about the
only way round it?

yours,

Bob

"Ken Schaefer" <kenREMOVE@THISadopenstatic.com> wrote in message
news:OMdJc08uEHA.1308@TK2MSFTNGP09.phx.gbl...
> Two issues:
>
> a) I am assuming you are relying on automatic logon by the browser?
> Automatic logon only works with
> (i) Internet Explorer
> (ii) the site is in the local Intranet security zone
>
> b) If you have a Windows 2000 domain then you do not have access to protocol
> transition. Protocol transition is where one authentication mechanism is
> used to authenticate to IIS, and then IIS gets a Kerberos token to connect
> to the remote service, like so:
>
> browser <---NTLM ----> webserver <--- Kerberos ---> Other Server
>
> This is only available in a Windows 2003 functional mode domain. If you are
> in a Windows 2000 functional mode domain, then authentication *must* be
> Kerberos end-to-end:
>
> browser <--- Kerberos ---> webserver <--- Kerberos ---> Other Server
>
> So, you need to find out what authentication mechanism your browser is using
> to connect to the webserver. Kerberos authentication relies on Kerberos
> tickets, which are given out by the KDC (Key Distribution Center). In the
> Windows world, the KDCs are hosted on the DCs. So, your browser must be able
> to contact the DC to get a Kerberos ticket. Since you have some users
> accessing the site through ISA Server, they are not going to be
> authenticating using Kerberos - they are going to be authenticating using
> NTLM, and that doesn't support double-hop authentication - the token that
> IIS gets from the DC does not support authenticated access to "Other
> Server".
>
> I'm not sure what is happening with the Terminal Servers.
>
> Because the browser selects the first listed authentication protocol, and
> IIS lists the protocols in descending order of strength, your external
> clients are selecting NTLM over Basic authentication (even though you have
> both selected). What you can do for your external clients is use Basic only
> (with SSL). Basic authentication passes the username/password in clear text,
> so IIS can directly impersonate the user when connecting to a remote
> resource (of course, you need to strongly audit any code you have running on
> the server so that it can't steal the usernames/passwords of users!)
>
> The following may be helpful:
> http://www.adopenstatic.com/resources/books/293_CYA_IIS6_05.pdf
> It's a chapter from the IIS6 security book that I co-authored (with Bernard
> Cheah)
>
> Cheers
> Ken
>
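The selection behaviour Ken describes (the browser takes the first scheme in IIS's strongest-first challenge list, an NTLM token cannot make the second hop to the share, and Basic should only be offered over SSL), as an added audit script that is not part of this thread: it parses constructed WWW-Authenticate header values, predicts which scheme a given client will end up using and flags the two problems. The URLs, realm and client capability sets are constructed, and the hop table encodes the post's model rather than anything measured from a server.

```python
"""Audit the WWW-Authenticate challenges a site returns on a 401 (constructed input)."""
from urllib.parse import urlsplit

# The thread's model: Kerberos (via Negotiate, if the client can reach a DC) and Basic
# let IIS log on to the remote UNC share; an NTLM token does not survive that second hop.
SECOND_HOP_OK = {"negotiate": True, "ntlm": False, "basic": True}


def _split_commas(value):
    """Split a header value on commas that are not inside a quoted string."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_challenges(header_values):
    """Return [(scheme, [params...])] in the order the server listed them."""
    challenges = []
    for value in header_values:
        for part in _split_commas(value):
            head, _, rest = part.partition(" ")
            if "=" in head and challenges:  # a further param of the previous challenge
                challenges[-1][1].append(part)
            else:
                challenges.append((head.lower(), [rest.strip()] if rest else []))
    return challenges


def audit(url, header_values, client_supports=("negotiate", "ntlm", "basic")):
    """Which scheme the client ends up using, and what that means for the share."""
    offered = [s for s, _ in parse_challenges(header_values)]
    # The client takes the first listed scheme it supports (IIS lists strongest first).
    chosen = next((s for s in offered if s in client_supports), None)
    findings = []
    if "basic" in offered and urlsplit(url).scheme != "https":
        findings.append("Basic offered without SSL: passwords cross the wire in clear text")
    if chosen == "ntlm":
        findings.append("client picks NTLM ahead of Basic: its token cannot reach the remote share")
    return {"offered": offered, "chosen": chosen,
            "second_hop_ok": SECOND_HOP_OK.get(chosen), "findings": findings}


if __name__ == "__main__":
    # Constructed: a Windows 98 client (no Kerberos) against the default IIS challenge list.
    print(audit("http://intranet/data", ["Negotiate", "NTLM", 'Basic realm="data"'], ("ntlm", "basic")))
    # Constructed: an external client after the site was switched to Basic-only over SSL.
    print(audit("https://www.example.com/data", ['Basic realm="data"']))
```

Feed it the header values from a real 401 (each WWW-Authenticate line as one list entry) together with the schemes the client in question actually supports to see which hop will fail before changing the site's authentication settings.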