Re: A little help (kerberos, netbios, and SPN... oh my!)



I take that back, that isn't exact. When www.site.com is used with IWA enabled, instead of the NetBIOS name, I am prompted for a U/P. When the NetBIOS name is used there is no U/P prompt. (This is all on the internal network.) I need to be able to use the public site name on the internal network and not get prompted for a password. Externally, since there is no connection for Kerberos, I'm sure it will fail over to NTLM and ask for a U/P. But why does the NetBIOS name work and authenticate but the full website name does not?

Hello Consultant,

I'm sorry I wasn't more clear. When I referenced IWA, I was saying
that the site IS using integrated windows auth. However, from outside
using a non-NetBIOS name (FQDN) the password isn't accepted. Thanks
for your help!

Craig

Set the site to Windows Integrated Authentication; this will allow
the local users' credentials to pass to the site. The outside users'
credentials will not pass through, because they are not logged into the
domain and are outside the firewall, assuming you are behind one.
This will result in a login prompt. The only problem is they must
supply the domain, username and password, unlike basic
authentication, where you can supply the domain for them. Also
remember, if you are not using SSL, these credentials, from the
outside, will be passed in clear text.

"Craig Carrigan" <craig@xxxxxxxxxxxxxxxxxxx> wrote in message
news:46a1ae9259f88c8678b28b7813c@xxxxxxxxxxxxxxxxxxxx

I have a custom intranet that I have set up for our company. The
access is secured using IWA and when the site is accessed by server
name (QSERVER\internal) the domain user's credentials are passed
automatically and everything is fine. This is good because we don't
want internal users (people part of our domain) to have to enter a
user/pass.

However, one of the integrated ASP apps won't let us use an internal
name because this intranet needs to be more of an extranet, so we
have to use the FQDN. Our domains aren't the same (.local for the
QSERVER and a .com for the FQDN). I've run "setspn -a
host/www.oursite.com QSERVER" which I thought would allow requests
from this host header to be passed with IWA, but it doesn't work.

Our goal is to have ALL of our users, whether they are inside the
office or outside, to use the same website address:
http://www.oursite.com/internal but the internal users should not have to
enter a password, and all external users MUST enter one. Any
suggestions?

Server 2003
IIS6
web server is a DC
Thanks!
C
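
To see which mechanism the browser actually used for the server name versus the public host name discussed in this thread, the Authorization header of a captured request can be classified. This is an added example, not part of the original posts; the function name and the sample header values are constructed for illustration, and the OID match is a heuristic on the token bytes.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"                               # signature of every NTLM message
KRB5_OID = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2 (Kerberos 5)
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2 (legacy Microsoft OID)


def classify_authorization(header_value):
    """Name the mechanism carried by an HTTP Authorization header value."""
    if not header_value or not header_value.strip():
        return "none (no credentials sent automatically)"
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme not in ("negotiate", "ntlm"):
        return "other: " + scheme
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return "malformed token"
    if token.startswith(NTLMSSP):         # raw NTLM, also seen under "Negotiate"
        return "ntlm"
    if token[:1] == b"\x60":              # ASN.1 [APPLICATION 0]: GSS-API/SPNEGO
        if KRB5_OID in token or MS_KRB5_OID in token:
            return "kerberos"
        if NTLMSSP in token:
            return "ntlm (inside spnego)"
        return "spnego, mechanism not recognised"
    return "unknown token"


def b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed sample values: correct leading bytes only, not real tickets.
SAMPLES = {
    "kerberos": "Negotiate " + b64(b"\x60\x82\x04\x00\x06\x06\x2b\x06\x01\x05\x05\x02"
                                   + KRB5_OID + b"\x00" * 16),
    "ntlm": "Negotiate " + b64(NTLMSSP + b"\x01\x00\x00\x00" + b"\x00" * 8),
    "basic": "Basic " + b64(b"DOMAIN\\user:password"),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "->", classify_authorization(value))
```

Comparing the result for a request to the server name with one for the public host name shows whether a Kerberos ticket was obtained or the browser fell back to NTLM.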


