Re: Cannot Default Domain?

From: Bernard (qbernard_at_hotmail.com.discuss)
Date: 12/08/04


Date: Wed, 8 Dec 2004 12:05:10 +0800


"your problem is that your server is configured in such a way that security
API is not using the server's domain in its operations. "

Where and why is it not using the server's domain?

-- 
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:#L67YnM3EHA.524@TK2MSFTNGP09.phx.gbl...
> The requirement of a domain (or equivalent information) is really a function
> of the authentication protocol you use and is outside of IIS control.  IIS
> is simply a middleman.
>
> The ability to "default domain" actually means that IIS (or anyone else) can
> perform man-in-the-middle security attacks against the protocol -- not
> exactly peace of mind, I'd say.
>
> For example, with Basic authentication:
> 1. user sends their username and password to IIS
> 2. IIS can add in a "default domain" if the user didn't send any
> 3. IIS calls LogonUser using domain\username:password to get a user token
> and continue processing the request
>
> With Integrated Authentication (NTLM, Kerberos)
> 1. user sends hashed data blob to IIS. The user must use
> domain\username:password to create the hashed data blob
> 2. IIS obviously cannot add in a "default domain" -- it doesn't know what
> the data blob is.
> 3. IIS calls security API calls which understand the blob and does its thing
> 4. IIS either gets an "OK" from the security API to then call another
> security API to fetch a user token, or it gets a blob to send back to the
> client to continue authentication
>
>
> So, your problem is not that IIS cannot default domain -- your problem is
> that your server is configured in such a way that security API is not using
> the server's domain in its operations.  This is not really an IIS issue at
> this point...
>
> I'm suspecting that use of IP instead of servername is a part of the issue.
>
> -- 
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Scott McCarthy" <ScottMcCarthy@discussions.microsoft.com> wrote in message
> news:074DAEAE-7C68-4249-8C97-CE3F6C070963@microsoft.com...
> David, I did set it to basic and it finally did work. Is basic the only way
> to default a domain? The http link is just an internal IP address accessed by
> internal machines (IE. http://192.168.0.3/website)
>
> Scott
>
>
> "David Wang [Msft]" wrote:
>
> > What you describe should have worked for Basic authentication -- assuming
> > the client/server negotiated Basic instead of something else.  Make sure you
> > have ONLY Basic auth enabled and try again -- it should work.
> >
> > http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/sec_auth_setdeflogon.mspx
> >
> > You should not see any authentication dialogs with Integrated Authentication
> > (IE will automatically negotiate the credentials depending on the security
> > zone your server is perceived by it).  So, something else seems
> > misconfigured.
> >
> > What sort of request URL are you using to access the web server?
> >
> > -- 
> > //David
> > IIS
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > //
> > "Scott McCarthy" <Scott McCarthy@discussions.microsoft.com> wrote in message
> > news:F85BBCA9-1367-481F-9A2D-D8D4F11D7605@microsoft.com...
> > I have a web server (Windows 2003 IIS6) that is joined into our domain. I
> > have it setup with Windows Integrated Auth. and have also tried Digest and
> > Basic.
> >
> > I cannot get the webserver to authenticate the accounts to the domain.
> > Every time you try to login to a web page with a domain username and password,
> > the dialog comes back with the IP Address\username and the user has to
> > manually type DOMAIN\username to authenticate.
> >
> > Is there any way to fix this issue or force the server to authenticate
> > against the domain it is joined into? I have tried Basic Auth with the
> > default domain set to the main domain with no luck - Same result.
> >
> > Thanks in advance.
> >
> > Scott McCarthy
> > smccarthy@radisson.com
> >
> >
> >
>
>
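
The Basic versus Integrated difference described in the quoted reply, as an added example that is not part of the original thread: with Basic the server reads the user name in clear and can fill in a default domain, while an NTLM AUTHENTICATE (type 3) message arrives with the domain the client already chose. The function names, the domain CORP, the credentials and the sample token are constructed for illustration; UTF-16LE strings are assumed in the NTLM message.

```python
import base64
import struct

def basic_logon_identity(header, default_domain):
    """Return (domain, user, password) as a server could pass them to a logon call."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    if "\\" in user:                       # client supplied DOMAIN\user itself
        domain, _, user = user.partition("\\")
    else:                                  # nothing sent: server fills the gap
        domain = default_domain
    return domain, user, password

def ntlm_client_identity(header):
    """Return (domain, user) exactly as the client wrote them into a type 3 message."""
    scheme, _, token = header.partition(" ")
    blob = base64.b64decode(token)
    if scheme.upper() != "NTLM" or blob[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLM token")
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    if msg_type != 3:
        raise ValueError("only AUTHENTICATE (type 3) carries the identity")

    def field(pos):                        # Len(2) MaxLen(2) BufferOffset(4)
        length, _, offset = struct.unpack_from("<HHI", blob, pos)
        return blob[offset:offset + length].decode("utf-16-le")

    return field(28), field(36)            # DomainName, UserName fields

def build_sample_type3(domain, user):
    """Constructed type 3 message with empty responses, only for this demo."""
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    empty = struct.pack("<HHI", 0, 0, 64)
    fields = (empty + empty                                   # LM, NT responses
              + struct.pack("<HHI", len(d), len(d), 64)       # DomainName
              + struct.pack("<HHI", len(u), len(u), 64 + len(d))  # UserName
              + empty + empty)                                # workstation, key
    flags = struct.pack("<I", 0x00000001)                     # NEGOTIATE_UNICODE
    return b"NTLMSSP\x00" + struct.pack("<I", 3) + fields + flags + d + u

if __name__ == "__main__":
    basic = "Basic " + base64.b64encode(b"scott:secret").decode()
    print(basic_logon_identity(basic, "CORP"))
    token = base64.b64encode(build_sample_type3("192.168.0.3", "scott")).decode()
    print(ntlm_client_identity("NTLM " + token))
```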

