Re: A little help (kerberos, netbios, and SPN... oh my!)



Hello Consultant,

I'm sorry I wasn't more clear. When I referenced IWA, I was saying that the site IS using Integrated Windows auth. However, from outside using a non-NetBIOS name (FQDN) the password isn't accepted. Thanks for your help!

Craig

Set the site to Windows Integrated Authentication; this will allow the
local users' credentials to pass to the site. The outside users'
credentials will not pass through, because they are not logged into the
domain and are outside the firewall, assuming you are behind one. This
will result in a login prompt. The only problem is they must supply
the domain, username and password, unlike basic authentication, where
you can supply the domain for them. Also remember, if you are not
using SSL, these credentials, from the outside, will be passed in
clear text.

"Craig Carrigan" <craig@xxxxxxxxxxxxxxxxxxx> wrote in message
news:46a1ae9259f88c8678b28b7813c@xxxxxxxxxxxxxxxxxxxx

I have a custom intranet that I have set up for our company. The
access is secured using IWA and when the site is accessed by server
name (QSERVER\internal) the domain user's credentials are passed
automatically and everything is fine. This is good because we don't
want internal users (people part of our domain) to have to enter a
user/pass.

However, one of the integrated ASP apps won't let us use an internal
name because this intranet needs to be more of an extranet, so we
have to use the FQDN. Our domains aren't the same (.local for the
QSERVER and a .com for the FQDN). I've run "setspn -a
host/www.oursite.com QSERVER" which I thought would allow requests
from this host header to be passed with IWA, but it doesn't work.

Our goal is to have ALL of our users, whether they are inside the
office or outside, use the same website address:
http://www.oursite.com/internal but the internal users should not have to
enter a password, and all external users MUST enter one. Any
suggestions?

Server 2003
IIS6
web server is a DC
Thanks!

C
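Editor's added example, not part of the thread above: under Integrated Windows Authentication the browser's `Authorization` header shows whether it sent a Kerberos ticket or an NTLM message, which is the first thing to check when the FQDN prompts and the NetBIOS name does not. The sketch below classifies a header value copied from a client-side trace; the function names and sample tokens are constructed for illustration, and the byte matching is a heuristic rather than a full ASN.1 parse.

```python
import base64

# DER-encoded mechanism OIDs that appear inside SPNEGO/GSS-API tokens.
SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
NTLMSSP = b"NTLMSSP\x00"                           # NTLM message signature


def classify(authorization: str) -> str:
    """Return 'kerberos', 'ntlm', 'basic' or 'unknown' for an Authorization value."""
    scheme, _, token = authorization.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    # NTLM is sent raw or wrapped in SPNEGO; the signature is present either way.
    if NTLMSSP in raw:
        return "ntlm"
    # A GSS-API initial token starts with 0x60 and names a Kerberos mechanism.
    if raw[:1] == b"\x60" and (KRB5 in raw or MS_KRB5 in raw):
        return "kerberos"
    return "unknown"


def tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER tag-length-value for bodies under 128 bytes (sample building only)."""
    return bytes([tag, len(body)]) + body


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed samples (not captured traffic): correct framing, stub payloads.
_AP_REQ = tlv(0x60, KRB5 + b"\x01\x00" + b"\x6e\x00")
_NEG_INIT = tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, MS_KRB5 + KRB5))
                          + tlv(0xA2, tlv(0x04, _AP_REQ))))
SAMPLES = {
    "negotiate-kerberos": "Negotiate " + b64(tlv(0x60, SPNEGO + _NEG_INIT)),
    "negotiate-ntlm": "Negotiate " + b64(NTLMSSP + b"\x01\x00\x00\x00" + bytes(24)),
    "basic": "Basic " + b64(b"user:constructed-password"),
}
```

An `ntlm` or `basic` result for a request made with the FQDN means no Kerberos ticket was sent for that name.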


