Re: Windows Integrated Authentication on standalone server
From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 06/16/05
Date: Thu, 16 Jun 2005 12:55:50 +1000
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:%23tUA0uacFHA.3204@TK2MSFTNGP12.phx.gbl...
: "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
: news:OgnKJoTcFHA.3040@TK2MSFTNGP14.phx.gbl...
: > "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
: > news:%23G$vCnOcFHA.2124@TK2MSFTNGP14.phx.gbl...
: > : "Oyvind" <oyvind@nospam.no> wrote in message
: > : news:%23%23oENpLcFHA.3464@tk2msftngp13.phx.gbl...
: > : > Hi.
: > : >
: > : > I wish to use Windows Integrated Authentication in IIS to authenticate
: > : > users logging on. The problem is that the web server is a standalone
: > : > server located in DMZ, and I wish to authenticate using domain accounts.
: > : >
: > : > Am I right to assume that this is not possible, as long as the web server
: > : > is not in a domain trusted by the domain users are authenticated with, or
: > : > member of that domain ?
: > : >
: > : > Will the only solution then be, to add the web server to a new domain, and
: > : > trust that domain (or add it to the already existing domain.) ?
: > :
: > : The whole point of Windows Integrated authentication is to use a domain.
: >
: >
: > That's not true. IWA will work fine for accounts local to the webserver.
: > There is no requirement for a domain.
:
: OK - what would be the benefit?

IWA describes a method of conveying a user's credentials from the client to
the server (basically a way of having the client tell the server who the
client is). As such, it competes with Basic and Digest authentication
mechanisms. So Basic Auth can be used for local -or- domain accounts, and
IWA can be used for local or domain accounts as well.

Where/how the organisation manages the username/password store that the
server has access to is a completely separate matter. The arguments
regarding Domains -vs- Workgroup (local accounts) are the same regardless of
whether you are using Basic, Digest or IWA (NTLM or Kerberos)
authentication. [1]

Cheers
Ken

[1] Well, there's a limitation in Windows that Digest can't be used with
local accounts because an MD5 hash of the user's password can not be
calculated for a local user (there is no facility for storing passwords with
reversible encryption, and no facility for storing a pre-calculated hash).
But that is not a limitation in either the Digest standard or IIS, but how
the Windows local SAM was developed.
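
The dependency described in footnote [1], as an added example that is not part of the original post and is not IIS or Windows code: an RFC 2617 Digest check (qop=auth) run against three kinds of stored credential. The account names, realm, nonce values and the record layout are constructed for illustration, and the SHA-256 entry is only a stand-in for "some other one-way password hash", not the actual SAM format.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(username, realm, password):
    # RFC 2617 A1 hash: the only password-derived value the server needs.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce):
    # RFC 2617 request-digest for qop=auth.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def server_verify(record, username, realm, req):
    # record: what the account store holds for this user (hypothetical layout).
    if "ha1" in record:            # pre-calculated hash is stored
        expected_ha1 = record["ha1"]
    elif "password" in record:     # password is recoverable (reversible storage)
        expected_ha1 = ha1(username, realm, record["password"])
    else:                          # only an unrelated one-way hash: A1 cannot be derived
        return "cannot-verify"
    expected = digest_response(expected_ha1, req["method"], req["uri"],
                               req["nonce"], req["nc"], req["cnonce"])
    return "ok" if hmac.compare_digest(expected, req["response"]) else "rejected"

# Constructed sample values, not taken from the thread.
USER, REALM, PASSWORD = "alice", "dmz-web", "correct horse"

def client_request(password):
    # What a browser would send after the server's challenge (fixed nonces for the demo).
    req = {"method": "GET", "uri": "/app/", "nonce": "n-0001",
           "nc": "00000001", "cnonce": "c-0001"}
    req["response"] = digest_response(ha1(USER, REALM, password), req["method"],
                                      req["uri"], req["nonce"], req["nc"], req["cnonce"])
    return req

STORES = {
    "precomputed HA1": {"ha1": ha1(USER, REALM, PASSWORD)},
    "reversible password": {"password": PASSWORD},
    "other one-way hash": {"pwhash": hashlib.sha256(PASSWORD.encode()).hexdigest()},
}

if __name__ == "__main__":
    req = client_request(PASSWORD)
    for name, record in STORES.items():
        print(f"{name:20} -> {server_verify(record, USER, REALM, req)}")
```

The third store knows the correct password only through a hash of a different form, so the server has nothing to compare the client's response against, whatever the client sends.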