Re: Windows Auth requires Anonymous access too...why?
From: Jordan (jfritts_at_learn.colostate.edu)
Date: 03/03/05
- Next message: Bob: "Re: certain file extensions disallowed in IIS6?"
- Previous message: Bob: "certain file extensions disallowed in IIS6?"
- In reply to: Miha Pihler [MVP]: "Re: Windows Auth requires Anonymous access too...why?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 2 Mar 2005 16:36:08 -0700
Thanks Mike. I actually read that document right before posting because I
couldn't understand why it was "working" for us with anonymous checked. In
the end, it wasn't working so we took it off. Now, maybe you can help me
with this - a question arose from the solution to my problem.
In the same scenario as before, people couldn't get in, but ONLY those
people that were not already in our domain. I could use a local webserver
account to login from my Win2000 IE 6 client. Then we tried our friend's
home computer, WinXP IE 6 and he could not log on, USING THE SAME LOCAL
ACCOUNT! The solution was a security policy setting. We had set in our
policies that we wanted to use "NTLM Lv2" password encryption and refuse both
"LM + NTLM." (sorry, I don't have the policies window available to check the
exact wording). As a security policy of our institution, we set the highest
level of encryption for our client/server authentications which was causing
people outside our domain to not be able to validate. To fix the problem, we
set this setting to only refuse "LM" and it worked just fine.
Could you shed some light on what this is and why it would only affect
outside machines?
Thanks, j
"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:OEKzep3HFHA.2456@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> If you enable anonymous this will enable public access to your web
> browser. Anonymous access is tried first. If anonymous access is disabled
> then the server will send back the authentication methods that are
> supported.
>
> In short, if you want your clients to authenticate, you should disable
> anonymous access.
>
> For clients outside domain, you will probably need to enable Basic
> Authentication (and protect it with SSL or username/password will be sent
> over unprotected). Your current (domain) users will still be able to
> authenticate to the server using Integrated Authentication since the
> client goes from most secure to least secure method of authentication.
>
> INFO: How IIS Authenticates Browser Clients
> http://support.microsoft.com/default.aspx?scid=kb;en-us;264921
>
> I hope this helps.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Jordan" <jfritts@learn.colostate.edu> wrote in message
> news:eAoaKL3HFHA.4016@TK2MSFTNGP10.phx.gbl...
>> I've used Integrated Windows Authentication before but have been
>> troubleshooting why a site of mine suddenly stopped working. This
>> required Integrated Windows Authentication, and no other security was
>> required. This was working for those computers who were already in the
>> domain, but any computer outside the domain, could not gain access. After
>> researching this, I simply tried checking the "Anonymous" box as well,
>> and everything started working again.
>>
>> Why is it that a site that should only require Int Windows Auth also
>> requires that "Anonymous" users be allowed as well?
>>
>> thanks, j
>>
>
>
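The policy Jordan describes matches the Windows "LAN Manager authentication level" setting (registry value LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa). The following Python model is an added example, not part of the original thread; it encodes the documented behaviour of levels 0 to 5 and shows which client levels a server at level 5 (refuse LM & NTLM) or level 4 (refuse LM) will turn away. Mapping the poster's two settings to levels 5 and 4, and the client levels used, are assumptions, since the thread does not give them.

```python
# Added illustration, not from the thread: documented LmCompatibilityLevel
# semantics. Which level each machine in the thread used is an assumption.

STRENGTH = ["LM", "NTLM", "NTLMv2"]  # weakest to strongest response type

# Response types a machine sends when acting as the client.
CLIENT_SENDS = {
    0: {"LM", "NTLM"},
    1: {"LM", "NTLM"},   # also uses NTLMv2 session security if negotiated
    2: {"NTLM"},
    3: {"NTLMv2"},
    4: {"NTLMv2"},
    5: {"NTLMv2"},
}

# Response types the machine validating the account will accept.
SERVER_ACCEPTS = {
    0: {"LM", "NTLM", "NTLMv2"},
    1: {"LM", "NTLM", "NTLMv2"},
    2: {"LM", "NTLM", "NTLMv2"},
    3: {"LM", "NTLM", "NTLMv2"},
    4: {"NTLM", "NTLMv2"},   # "refuse LM"
    5: {"NTLMv2"},           # "refuse LM & NTLM"
}


def accepted_response(client_level, server_level):
    """Return the strongest response the server accepts, or None on failure."""
    usable = CLIENT_SENDS[client_level] & SERVER_ACCEPTS[server_level]
    return max(usable, key=STRENGTH.index) if usable else None


def locked_out_clients(server_level):
    """Client levels that cannot authenticate against this server level."""
    return [lvl for lvl in sorted(CLIENT_SENDS)
            if accepted_response(lvl, server_level) is None]


if __name__ == "__main__":
    for server in (5, 4):
        print(f"server level {server}: locked out client levels "
              f"{locked_out_clients(server)}")
        for client in sorted(CLIENT_SENDS):
            print(f"  client {client} -> {accepted_response(client, server)}")
```

A domain member typically receives the same level through Group Policy as the server, while a machine outside the domain keeps its local setting; raising the outside client to level 3 or higher is the alternative to lowering the server from 5 to 4.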