Re: A little help (kerberos, netbios, and SPN... oh my!)



Hello Ken,

Thanks Ken. I was able to get it working with Intranet sites. The issue was that I was using a HOSTS file to map the domain that will be used in the future, and it did not seem to like that. I have since used DNS to change the name properly and it all functions. Thanks for all of your help, everyone.

Craig

Hi,

Add it to the Intranet zone, not Trusted Sites. See:
http://support.microsoft.com/?id=258063

You will also be prompted if automatic logon fails because:
a) the currently logged on user does not have access
b) the configured authentication mechanism is failing (e.g. you are using Kerberos and you can't access the DC, or you are using NTLM but you are going through a proxy server, or HTTP Keep-Alives are not enabled)

Cheers
Ken

"Craig Carrigan" <craig@xxxxxxxxxxxxxxxxxxx> wrote in message
news:46a1ae9261c28c868de7b273470@xxxxxxxxxxxxxxxxxxxx

Hello Consultant,

I added the site to IE's trusted list and tried the portion that has
IWA enabled and it still asks for a U/P. Any other hints or tips?

Well, Internet Explorer sees the FQDN as a non-trusted Internet
site and won't pass the credentials. Try adding the FQDN as a
trusted site; this should allow the credentials to be passed.

"Craig Carrigan" <craig@xxxxxxxxxxxxxxxxxxx> wrote in message
news:46a1ae925f5b8c868463e11f41d@xxxxxxxxxxxxxxxxxxxx

I take that back, that isn't exact. When www.site.com is used with
IWA enabled, instead of the NetBIOS name, I am prompted for a U/P.
When the NetBIOS name is used there is no U/P prompted. (This is
all on the internal network.) I need to be able to use the public
site name on the internal network and not get prompted for a
password. Externally, since there is no connection for Kerberos, I'm
sure it will fail over to NTLM and ask for a U/P. But why does the
NetBIOS name work and authenticate but the full website name does
not?

Hello Consultant,

I'm sorry I wasn't more clear. When I referenced IWA, I was
saying that the site IS using Integrated Windows Auth. However,
from outside using a non-NETBIOS name (FQDN) the password isn't
accepted. Thanks for your help!

Craig

Set the site to Windows Integrated Authentication; this will
allow the local user's credentials to pass to the site. The
outside users' credentials will not pass through, because they are
not logged into the domain and are outside the firewall, assuming
you are behind one. This will result in a login prompt; the only
problem is they must supply the domain, username and password,
unlike Basic Authentication, where you can supply the domain for
them. Also remember, if you are not using SSL, these credentials,
from the outside, will be passed in clear text.

"Craig Carrigan" <craig@xxxxxxxxxxxxxxxxxxx> wrote in message
news:46a1ae9259f88c8678b28b7813c@xxxxxxxxxxxxxxxxxxxx

I have a custom intranet that I have set up for our company. The
access is secured using IWA and when the site is accessed by
server name (QSERVER\internal) the domain user's credentials are
passed automatically and everything is fine. This is good
because we don't want internal users (people part of our domain)
to have to enter a user/pass.

However, one of the integrated ASP apps won't let us use an
internal name because this intranet needs to be more of an
extranet, so we have to use the FQDN. Our domains aren't the
same (.local for the QSERVER and a .com for the FQDN). I've run
"setspn -a host/www.oursite.com QSERVER" which I thought would
allow requests from this host header to be passed with IWA, but
it doesn't work.

Our goal is to have ALL of our users, whether they are inside
the office or outside, use the same website address:
http://www.oursite.com/internal, but the internal users should not have
to enter a password, and all external users MUST enter one. Any
suggestions?

Server 2003
IIS6
web server is a DC
Thanks!
C
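The thread turns on three things: whether the server's account carries an SPN for the host header the browser will use, whether the public name resolves from DNS rather than the HOSTS file (Craig's eventual fix), and whether IE places that name in the Local intranet zone so it sends Windows credentials without prompting (Ken's point and KB 258063). The script below is an added example, not code posted by anyone in this thread and not a Microsoft tool; it makes read-only checks for all three. QSERVER and www.oursite.com are the names from the thread; the parameter names, the output format, and the simplification that the last two labels of the FQDN form the domain are this example's own assumptions. Note that by default the KDC maps the HTTP service class onto HOST, which is why Craig's host/ SPN was sufficient once DNS was corrected.

```powershell
# Added example for this thread, not code posted in it. Read-only checks for
# the three things the thread turns on:
#   1. a Kerberos SPN for the host header the browser will use,
#   2. whether that name resolves from the HOSTS file or from DNS,
#   3. whether IE maps the name into the Local intranet zone (KB 258063).
# QSERVER and www.oursite.com are the names from the thread; parameter names
# and output format are this example's own.
param(
    [string]$ServerName = 'QSERVER',        # computer account IIS authenticates as
    [string]$PublicFqdn = 'www.oursite.com' # host header / URL the users type
)

# --- 1. SPN --------------------------------------------------------------
# IE asks the KDC for a ticket to HTTP/<host header>. By default the KDC maps
# the HTTP service class onto HOST, so either HTTP/<fqdn> or HOST/<fqdn> on the
# server's account satisfies the request; with neither, the KDC finds no
# service and the browser falls back to NTLM or prompts.
$wanted     = @("HTTP/$PublicFqdn", "HOST/$PublicFqdn")
$registered = & setspn.exe -L $ServerName 2>&1 | ForEach-Object { "$_".Trim() }
$found      = $registered | Where-Object { $wanted -contains $_ }
if ($found) {
    Write-Host "OK   $ServerName has SPN(s): $($found -join ', ')"
} else {
    Write-Host "MISS neither $($wanted -join ' nor ') is registered on $ServerName"
    Write-Host "     (setspn -A HTTP/$PublicFqdn $ServerName would add one; check other accounts for duplicates first)"
}

# --- 2. Name resolution --------------------------------------------------
# Craig's fix was moving the name from the HOSTS file into DNS, so flag any
# HOSTS override and show what DNS alone returns.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$override  = Get-Content $hostsFile | Where-Object {
    $_ -notmatch '^\s*#' -and $_ -match "\s$([regex]::Escape($PublicFqdn))(\s|$)"
}
if ($override) {
    Write-Host "WARN $PublicFqdn is overridden in HOSTS: $($override -join '; ')"
} else {
    Write-Host "OK   no HOSTS entry for $PublicFqdn"
}
# Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later);
# -DnsOnly skips the HOSTS file and the resolver cache.
try {
    $answers = Resolve-DnsName -Name $PublicFqdn -Type A -DnsOnly -ErrorAction Stop
    $ips = $answers | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
    Write-Host "OK   DNS answers for $PublicFqdn : $($ips -join ', ')"
} catch {
    Write-Host "MISS DNS lookup for $PublicFqdn failed: $($_.Exception.Message)"
}

# --- 3. IE zone ----------------------------------------------------------
# A dotless name (QSERVER) is treated as Local intranet automatically; a dotted
# name such as www.oursite.com is Internet unless mapped, and IE does not send
# Windows credentials silently to the Internet zone. Per-user mappings live
# under ZoneMap\Domains\<domain>\<host> as a DWORD named after the scheme (or
# '*'); 1 = Local intranet. Group Policy site-to-zone assignments live under
# the Policies hive instead and are not checked here.
$labels = $PublicFqdn -split '\.'
if ($labels.Count -lt 2) { throw "'$PublicFqdn' is not a dotted name; dotless names are already intranet" }
# Simplification: the last two labels are the domain (wrong for names under e.g. co.uk).
$domain   = $labels[-2..-1] -join '.'
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\' + $domain
if ($labels.Count -gt 2) { $zonePath = Join-Path $zonePath ($labels[0..($labels.Count - 3)] -join '.') }
$zoneName = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$entry = Get-ItemProperty -Path $zonePath -ErrorAction SilentlyContinue
$zone  = if ($entry -and $null -ne $entry.http) { $entry.http }
         elseif ($entry -and $null -ne $entry.'*') { $entry.'*' }
         else { $null }
if ($null -ne $zone) {
    Write-Host "OK   IE maps $PublicFqdn to zone $zone ($($zoneName[[int]$zone]))"
} else {
    Write-Host "MISS no per-user zone mapping for $PublicFqdn (defaults to Internet, so no automatic logon)"
    Write-Host "     (New-Item -Path '$zonePath' -Force | Out-Null; New-ItemProperty -Path '$zonePath' -Name http -PropertyType DWord -Value 1 -Force) would map it to Local intranet"
}
```

Run the SPN and DNS checks from a domain-joined machine that can reach a DC; run the zone check on the client as the user who is being prompted, since the ZoneMap key is per-user and a mapping under one profile says nothing about another. A name that reports OK on all three but still prompts points back at Ken's item b): the client cannot reach the DC, or NTLM is being attempted through a proxy or without keep-alives.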

