Re: Windows Integrated and the domain name
- From: David Wang <w3.4you@xxxxxxxxx>
- Date: Tue, 18 Sep 2007 21:02:16 -0700
Microsoft has already optimized your scenario. If you see the popup
dialog, it either means you did not configure your Domain properly, or
you did not configure the browser to auto-login properly.
In domain scenarios, IE will automatically log in using the user's
credentials (either local or domain, whichever is more relevant) to
the server that its security zones allow.
This completely automates and optimizes the manual "innovations" of
Firefox that you are talking about. If a user wants to log in, they log in
as themselves by default; with or without domain is magically
determined. Users never bother with putting DOMAIN\ in front of their
usernames nor do they need to be pre-filled -- how insecure! Is
Firefox really doing that?
So, pardon me for being blunt, but I just don't see Microsoft creating
a poor user experience, nor do I see the Firefox experience as
"better". I simply see your domain administrators misconfiguring and
creating a poor user experience, and you are strangely "blaming"
Microsoft and not the administrators for not improving the scenario.
To make it more amusing, you are also holding up the Firefox "hack" as
the desired solution...
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Sep 18, 8:04 am, "super1" <superbrownbro...@xxxxxxxxxxxxx> wrote:
Configuring the web clients is not an option with such a diverse and large
organization.
It seems Microsoft could do something to improve this scenario. Firefox
actually works fine when the user does not provide the domain information.
Something even so simple as a domain field they could fill out. Users just
aren't familiar with putting DOMAIN\ in front of their usernames.
No matter how you look at it, it creates a poor user experience.
"David Wang" <w3.4...@xxxxxxxxx> wrote in message
news:1190062151.083967.82030@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Sep 17, 10:56 am, "super1" <superbrownbro...@xxxxxxxxxxxxx> wrote:
Windows Integrated authentication works great, but when it fails (because
the user doesn't have the site in the intranet sites for example) they are
prompted for credentials. Unfortunately, instead of defaulting to DOMAIN\ it
is COMPUTER\ and of course that never works.
Why in the world would you want this domain based service to default to the
local machine SAM? Anyway, how can I set the default to be DOMAIN\ when the
user does not provide the domain information?
This seems like a silly default setting to me.
Actually, the problem has nothing to do with "defaults". Setting
defaults to be DOMAIN\ is not the solution.
Windows Integrated authentication does NOT allow you to set the
default DOMAIN. Domain information is encrypted inside the actual
authentication token/handshake and cannot be altered by the server
(unlike Basic authentication, which allows this default because it
passes the username/password around). Thus, when you see
COMPUTER\username, that is actually caused by the client and has nothing
to do with the server.
Now, why would the client do this? Well, by default, the client will
automatically authenticate with the current logged-in credentials
(domain credentials if you're logged on as such) to websites that it
is configured to auto-login. Intranet websites are one such category.
Thus, when you see the browser pop up COMPUTER\username, it means that
it's either already tried domain credentials and failed, or it is
going to a website that it is not allowed to auto-login and it has no
idea what the "domain" is. Seems perfectly reasonable to me. If you
want details, go look at the raw HTTP interactions and the answer is
clear.
If you want to avoid login prompts, then please properly configure
your web clients.
Don't blame the protocol or deride the "default" settings because they
have nothing to do with the issue. Lots of people don't even have this
issue, so the problem is clearly with this specific deployment's
configuration.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
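Added example, not part of the original thread: the quoted reply suggests looking at the raw HTTP interactions, and for NTLM the client's final Authorization header names the domain, user and workstation it actually sent, which shows whether the browser fell back to COMPUTER\username. Field offsets follow the MS-NLMP AUTHENTICATE_MESSAGE layout; the function names, the sample header and the values CORP, WS042 and jdoe are constructed for illustration, the OEM code page is an assumption, and Negotiate (Kerberos) headers are not handled.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE (MS-NLMP)
HEADER_LEN = 64                 # fixed part up to and including NegotiateFlags

def _field(msg, pos):
    """Follow a (Len, MaxLen, Offset) descriptor at pos to its payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def parse_authorization(value):
    """Return (domain, user, workstation) from 'NTLM <base64 Type 3>'."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < HEADER_LEN or not msg.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE (Type 3) message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # OEM page assumed
    return tuple(_field(msg, pos).decode(enc) for pos in (28, 36, 44))

def classify(domain, workstation):
    """'local' when the client named its own machine as the domain."""
    return "local" if domain.upper() == workstation.upper() else "domain"

def build_sample(domain, user, workstation):
    """Constructed Type 3 message with empty LM/NT responses (demo input only)."""
    parts = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    empty = struct.pack("<HHI", 0, 0, HEADER_LEN)
    descs, offset = b"", HEADER_LEN
    for p in parts:
        descs += struct.pack("<HHI", len(p), len(p), offset)
        offset += len(p)
    msg = (SIGNATURE + struct.pack("<I", 3) + empty * 2 + descs + empty
           + struct.pack("<I", NEGOTIATE_UNICODE) + b"".join(parts))
    return "NTLM " + base64.b64encode(msg).decode("ascii")

if __name__ == "__main__":
    for dom in ("WS042", "CORP"):  # constructed: machine-name fallback, domain logon
        d, u, w = parse_authorization(build_sample(dom, "jdoe", "WS042"))
        print("%s\\%s from %s -> %s account" % (d, u, w, classify(d, w)))
```

A header captured from a failing client can be passed to parse_authorization directly; a result classified as local means the prompt was answered without a domain prefix.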