Re: A little help (kerberos, netbios, and SPN... oh my!)
- From: "Consultant" <consultant_mcngp@xxxxxxxxx>
- Date: Wed, 28 Jun 2006 10:03:24 -0700

Well, Internet Explorer sees the FQDN as a non-trusted Internet site and
won't pass the credentials. Try adding the FQDN as a trusted site; this
should allow the credentials to be passed.

"Craig Carrigan" <craig@xxxxxxxxxxxxxxxxxxx> wrote in message
news:46a1ae925f5b8c868463e11f41d@xxxxxxxxxxxxxxxxxxxx
I take that back, that isn't exact. When www.site.com is used with IWA
enabled, instead of the NetBIOS name, I am prompted for a U/P. When the
NetBIOS name is used there is no U/P prompted. (This is all on the
internal network.) I need to be able to use the public site name on the
internal network and not get prompted for a password. Externally, since
there is no connection for Kerberos, I'm sure it will fail over to NTLM and
ask for a U/P. But why does the NetBIOS name work and authenticate but the
full website name does not?

Hello Consultant,
I'm sorry I wasn't more clear. When I referenced IWA, I was saying
that the site IS using integrated windows auth. However, from outside
using a non NETBIOS name (FQDN) the password isn't accepted. Thanks
for your help!
Craig

Set the site to Windows Integrated Authentication; this will allow
the local users' credentials to pass to the site. The outside users'
credentials will not pass through, because they are not logged into the
domain and are outside the firewall, assuming you are behind one.
This will result in a login prompt; the only problem is they must
supply the domain, username and password, unlike basic
authentication, where you can supply the domain for them. Also
remember, if you are not using SSL, these credentials, from the
outside, will be passed in clear text.

"Craig Carrigan" <craig@xxxxxxxxxxxxxxxxxxx> wrote in message
news:46a1ae9259f88c8678b28b7813c@xxxxxxxxxxxxxxxxxxxx
I have a custom intranet that I have set up for our company. The
access is secured using IWA and when the site is accessed by server
name (QSERVER\internal) the domain user's credentials are passed
automatically and everything is fine. This is good because we don't
want internal users (people part of our domain) to have to enter a
user/pass.
However, one of the integrated ASP apps won't let us use an internal
name because this intranet needs to be more of an extranet, so we
have to use the FQDN. Our domains aren't the same (.local for the
QSERVER and a .com for the FQDN). I've run "setspn -a
host/www.oursite.com QSERVER" which I thought would allow requests
from this host header to be passed with IWA, but it doesn't work.
Our goal is to have ALL of our users, whether they are inside the
office or outside, to use the same website address:
http://www.oursite.com/internal but the internal users should not have to
enter a password, and all external users MUST enter one. Any
suggestions?
Server 2003
IIS6
web server is a DC
Thanks!
C
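
The zone behaviour discussed in this thread, as an added example that is not part of any poster's message: a simplified Python model of how Internet Explorer picks a security zone for a URL and whether that zone's logon setting lets it answer an IWA challenge silently. The zone numbers and logon values follow the registry encoding (`Zones\<n>\1A00`); the URL `http://qserver/internal`, the dictionary-based site map and the sample policy are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Zone numbers and "User Authentication: Logon" (1A00) values as stored under
# ...\Internet Settings\Zones\<n> in the registry.
INTRANET, TRUSTED, INTERNET = 1, 2, 3
AUTO_ALWAYS, PROMPT, AUTO_INTRANET_ONLY, ANONYMOUS = 0x00000, 0x10000, 0x20000, 0x30000


def zone_for(url, zone_map):
    """Simplified zone lookup: an explicit site mapping wins, then the
    'name without dots is intranet' rule, otherwise the Internet zone."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for key in (f"{parts.scheme}://{host}", host):
        if key in zone_map:
            return zone_map[key]
    return INTRANET if "." not in host else INTERNET


def sends_logon_credentials(url, zone_map, logon_policy):
    """True when the browser would answer a Negotiate/NTLM challenge with the
    logged-on user's credentials instead of prompting."""
    zone = zone_for(url, zone_map)
    policy = logon_policy[zone]
    if policy == AUTO_ALWAYS:
        return True
    if policy == AUTO_INTRANET_ONLY:
        return zone == INTRANET
    return False  # PROMPT or ANONYMOUS


# Constructed sample policy: every zone set to
# "Automatic logon only in Intranet zone".
SAMPLE_POLICY = {z: AUTO_INTRANET_ONLY for z in (INTRANET, TRUSTED, INTERNET)}

if __name__ == "__main__":
    fqdn = "http://www.oursite.com/internal"
    cases = [
        ("http://qserver/internal", {}),          # short name: intranet
        (fqdn, {}),                               # dotted name: Internet zone
        (fqdn, {"www.oursite.com": TRUSTED}),     # depends on Trusted zone policy
        (fqdn, {"www.oursite.com": INTRANET}),    # mapped to Local intranet
    ]
    for url, zmap in cases:
        print(url, zmap, "->", sends_logon_credentials(url, zmap, SAMPLE_POLICY))
```

With this sample policy a Trusted sites mapping alone still prompts, so the logon setting of whichever zone the FQDN lands in is worth checking on the client.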