Re: Change in ASP.Net authentication between Win2000 and Win2003
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 04/02/05
Date: Fri, 1 Apr 2005 19:22:26 -0800
> In researching this, I've followed a wandering path of Kerberos
> versus challenge/response authentication. However, nothing in
> the spotty Microsoft online documentation explains why IIS 5
> running on Windows 2000 behaves differently than IIS 6 on
> Windows 2003. In fact, the documentation leads one to
> believe they should behave identically.
I'd like to understand what you find spotty about the online documentation
for the issue -- because we do take documentation seriously. I am frustrated
by the fact that it is not easy for customers to report issues with
documentation clarity because it just artificially raises support costs and
decreases customer self-help.
The reason why there is no documentation explaining why IIS5 behaves
differently than IIS6 on this issue is because it is supposed to behave
identically.
I think the biggest thing that is "unspoken" is the fact that "integrated
Windows authentication" is really not one particular authentication
mechanism (like Basic) but rather a family of different authentication
protocols, negotiable by the client, and each protocol has differences in
terms of security attributes and behavior. These differences frequently
surface as extra login dialog boxes or failure, depending on configuration
that is for the most part beyond IIS -- hence, you will likely never find an
IIS document describing the differences because from the IIS perspective, we
just call into a Windows function with a security blob, and it eventually
says success/failure and IIS returns 200/401 accordingly. The external
perception is that it automagically works, but sometimes it can fail and
then it is not clear why.
We realize that it is hard to link all the documentation of all the
interacting parts, so we have created a tool, AuthDiag, which tries to
diagnose some of these authentication failures and provide more runtime
information.
http://www.microsoft.com/downloads/details.aspx?FamilyId=E90FE777-4A21-4066-BD22-B931F7572E9A&displaylang=en
What it looks like is that you told IE to not use Kerberos, and then the
issues cleared up. That usually suggests that maybe Kerberos wasn't
configured/working to begin with; you just never noticed it until your
webserver started using it. Were the IIS5 and IIS6 machines standalone or a
part of a domain?
> For our web sites where directory security is set to integrated
> windows authentication, users already authenticated to our
> network are often challenged with a logon screen when trying
> to access ASP.Net web pages.
Are these users running browsers that automatically pre-authenticate to the
web server with their user credentials over integrated windows
authentication?
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Craig Banks" <ban01@co.henrico.va.us> wrote in message news:%23LqRmFtNFHA.2880@TK2MSFTNGP10.phx.gbl...
> We are in the process of migrating an intranet web server from a Windows 2000 box to a Windows 2003 box. In migrating OSs and from IIS 5 to IIS 6, we've noticed a significant difference in how Windows integrated security works with our ASP.Net web pages.
>
> For our web sites where directory security is set to integrated windows authentication, users already authenticated to our network are often challenged with a logon screen when trying to access ASP.Net web pages. To make a very long story short, we've discovered the work-around is to uncheck "Enable Integrated Window Authentication" under IE 6's advanced internet options (checked on by default with XP). Contrary to what the label on this checkbox option implies, unchecking it still passes authentication credentials from the client to the server and everyone's happy. In the old Windows 2000/IIS 5 world, checking or unchecking this box makes no difference.
>
> In researching this, I've followed a wandering path of Kerberos versus challenge/response authentication. However, nothing in the spotty Microsoft online documentation explains why IIS 5 running on Windows 2000 behaves differently than IIS 6 on Windows 2003. In fact, the documentation leads one to believe they should behave identically.
>
> One further issue. When logged onto the Windows 2003 server, if I log onto an ASP.Net page with IE 6 using "localhost" in the address everything's fine. However, if I use the DNS name (e.g. http://myservername/myaspdotnetpage.aspx) I'll get the login prompt. In this case, checking or unchecking the "Enable Integrated Window Authentication" option makes no difference. On our Windows 2000/IIS 5 box there is no challenge for a logon. What gives?
>
> Thanks in advance for your help!
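
An added example, not part of the original thread and not AuthDiag code: since integrated Windows authentication is a family of protocols carried in an opaque security blob, this sketch decodes the blob from a captured `Authorization` header and reports whether the client sent NTLM or a SPNEGO token preferring Kerberos. The function names and the sample headers are hypothetical and constructed for illustration.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# DER-encoded mechanism OIDs that can appear in a GSS-API/SPNEGO token.
OID_SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
MECH_OIDS = {
    bytes.fromhex("06092a864886f712010202"): "Kerberos",  # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "Kerberos",  # 1.2.840.48018.1.2.2
    bytes.fromhex("060a2b06010401823702020a"): "NTLM",    # 1.3.6.1.4.1.311.2.2.10
}

def classify_authorization(value):
    """Return (scheme, mechanism) for one HTTP Authorization header value."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return scheme, "not integrated Windows authentication"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return scheme, "malformed token"
    if token.startswith(NTLMSSP) and len(token) >= 12:
        msg_type = int.from_bytes(token[8:12], "little")
        return scheme, "NTLM " + NTLM_TYPES.get(msg_type, "unknown message")
    if token[:1] == b"\x60":                # GSS-API initial context token
        # The mechanism OID that appears first is the one the client prefers.
        hits = [(token.find(oid), name) for oid, name in MECH_OIDS.items()
                if oid in token]
        if hits:
            wrapper = "SPNEGO" if OID_SPNEGO in token[:16] else "GSS-API"
            return scheme, f"{wrapper}, preferred mechanism {min(hits)[1]}"
        return scheme, "GSS-API token, unrecognised mechanism"
    if token[:1] == b"\xa1":                # SPNEGO NegTokenResp (later leg)
        return scheme, "SPNEGO continuation"
    return scheme, "unrecognised token"

def _der(tag, body):
    """Minimal DER TLV for constructed samples (bodies under 128 bytes)."""
    return bytes([tag, len(body)]) + body

def sample_headers():
    """Constructed header values; the SPNEGO one omits the mechToken."""
    ntlm = NTLMSSP + (1).to_bytes(4, "little") + bytes(8)
    mechs = _der(0x30, b"".join(MECH_OIDS))
    spnego = _der(0x60, OID_SPNEGO + _der(0xA0, _der(0x30, _der(0xA0, mechs))))
    b64 = lambda raw: base64.b64encode(raw).decode()
    return {"ntlm": "Negotiate " + b64(ntlm), "spnego": "Negotiate " + b64(spnego),
            "basic": "Basic dXNlcjpwYXNz"}
```

A `Negotiate` header whose blob decodes to a raw NTLMSSP message means the client fell back to NTLM even though the server offered Negotiate, which is the first thing to check when Kerberos is suspected of not working.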