Re: A little help (kerberos, netbios, and SPN... oh my!)

Hi,

Add it to the Intranet zone, not Trusted Sites. See:
http://support.microsoft.com/?id=258063

You will also be prompted if automatic logon fails because:
a) the currently logged on user does not have access
b) the configured authentication mechanism is failing (e.g. you are using
Kerberos and you can't access the DC, or you are using NTLM but you are
going through a proxy server, or HTTP Keep-Alives are not enabled)

Cheers
Ken

"Craig Carrigan" <craig@xxxxxxxxxxxxxxxxxxx> wrote in message
news:46a1ae9261c28c868de7b273470@xxxxxxxxxxxxxxxxxxxx
Hello Consultant,

I added the site to IE's trusted list and tried the portion that has IWA
enabled and it still asks for a U/P. Any other hints or tips?

well, internet explorer see's the fqdn as a non trusted internet site
and won't pass the credentials. try adding the fqdn as a trusted site,
this should allow the credentials to be passed.

"Craig Carrigan" <craig@xxxxxxxxxxxxxxxxxxx> wrote in message
news:46a1ae925f5b8c868463e11f41d@xxxxxxxxxxxxxxxxxxxx

I take that back, that isn't exact. When www.site.com is used with
IWA enabled, instead of the netbios name, I am prompted for a U/P.
When the netbios name is used there is no U/P prompted. (this is all
on the internal network) I need to be able to use the public site
name on the internal network and not get prompted for a password.
Externally since there is no connection for kerberos, I'm sure it
will fail over to NTLM and ask for a U/P. But why does the netbios
name work and authenticate but the full website name does not?

Hello Consultant,

I'm sorry I wasn't more clear. When I referenced IWA, I was saying
that the site IS using integrated windows auth. However, from
outside using a non NETBIOS name (FQDN) the password isn't accepted.
Thanks for your help!

Craig

set the site to windows integrated authentication, this will allow
the local users credentials to pass to the site. the outside users
credentials will not pass thru, because they are not logged into
the domain and are outside the firewall, assuming you are behind
one. this will result in a login prompt, the only problem is they
must supply the domain, username and password, unlike basic
authentication, where you can supply the domain for them. also
remember, if you are not using ssl, these credentials, from the
outside, will be passed in clear text.

"Craig Carrigan" <craig@xxxxxxxxxxxxxxxxxxx> wrote in message
news:46a1ae9259f88c8678b28b7813c@xxxxxxxxxxxxxxxxxxxx

I have a custom intranet that I have setup for our company. The
access is secured using IWA and when the site is access by server
name (QSERVER\internal) the domain user's credentials are passed
automatically and everything is fine. This is good because we
don't want internal users (people part of our domain) to have to
enter a user/pass.

However, one of the integrated ASP apps won't let us use an
internal name because this intranet needs to be more of an
extranet, so we have to use the FQDN. Our domains aren't the same
(.local for the QSERVER and a .com for the FQDN). I've run
"setspn -a host/www.oursite.com QSERVER" which I thought would
allow requests from this host header to be passed with IWA, but it
doesn't work.

Our goal is to have ALL of our users, whether they are inside the
office or outside, to use the same website address:
http://www.oursite.com/internal but the internal users not have to
enter a password, and all external users MUST enter one. Any
suggestions?

Server 2003
IIS6
web server is a DC
Thanks!
C




.

Relevant Pages

  • Re: A little help (kerberos, netbios, and SPN... oh my!)
    ... I was able to get it working with Intranet sites. ... this should allow the credentials to be passed. ... IWA enabled, instead of the netbios name, I am prompted for a U/P. ... this will result in a login prompt, ...
    (microsoft.public.inetserver.iis.security)
  • Re: A little help (kerberos, netbios, and SPN... oh my!)
    ... I added the site to IE's trusted list and tried the portion that has IWA enabled and it still asks for a U/P. ... this should allow the credentials to be passed. ... this will result in a login prompt, ...
    (microsoft.public.inetserver.iis.security)
  • Re: Login Box is appearing. Can I stop It.
    ... domain credentials but if they are and those credentials are what you have ... > are prompted for login, they enter credentials and it lets them in. ... > want it to prompt them for login. ... If they add the site to trusted sites, ...
    (microsoft.public.sharepoint.windowsservices)
  • Re: Terminal Services Security Issue with Cached Credentials
    ... on a server and then tried connecting to it using cached credentials. ... the Vista client. ... is configured to always prompt for password as I was prompted for a ... You may also want to post in one of the Terminal Services newsgroups ...
    (microsoft.public.windows.server.security)
  • Re: How to deny access to domain shares from a workgroup computer
    ... If I take the example of Internet Explorer pass-through authentication: ... the authentication process is identical whether I am prompted and enter credentials, or whether my logged in credentials are passed-through ... It is just an authentication based on username and password; and authentication protocol designed to make it hard to intercept or decipher the authentication in transit; and a convenience mechanism for passing through under certain circumstances without an explicit prompt. ... By adding a prefix he is really saying "this version rather than that version of my account". ...
    (microsoft.public.windows.server.security)