"Bad news", one of our web servers had to be renewed, so we came to use IIS7.
The web site is using both :
"windows authentication" on an HTTPS URL for internal users and SSO. Works fine
"basic authentication" on the HTTPS URL for external users, default domain realm is set to the local domain. Issue...
The external PCs that are already in the domain use the default domain like a charm in IE when the users are asked for their credentials.
The external PCs that aren't in the domain, use their own "hostname" as the default domain, so their login doesn't work.
I can't figure out how to deal with this issue, digest auth seems to work and send the domain name, but it repeatedly asks for the credentials, AND kills the SSO (probably a different issue, it's just to let you know).
Is there a way to "force" teh external PCs that aren't in the domain to use the domain which is (probably) sent by the server ?
Thanks in advance,
[EDIT]
The server sends the domain during the NTLM exchange (trace from wireshark)
According to your description, it seems windows authentication is the authentication method being used. Here's the direct quote from
this KB:
Orders of precedence:When the browser makes a request, it always considers the first request to be Anonymous. Therefore, it does not send any credentials. If the server does not accept Anonymous or if the Anonymous user account set on
the server does not have permissions to the file being requested, the IIS server responds with an "Access Denied" error message and sends a list of the authentication types that are supported by using one of the following scenarios:
If Windows Integrated is the only supported method (or if Anonymous fails), then the browser must support this method to communicate with the server. If this fails, the server does not try any of the other methods.
If Basic is the only supported method (or if Anonymous fails), then a dialog box appears in the to get the credentials, and then passes these to the server. It attempts to send the credentials up to three times. If these all fail, the browser does not
connect to the server.
If both Basic and Windows Integrated are supported, the browser determines which method is used. If the browser supports Kerberos or Windows NT Challenge/Response, it uses this method. It does not fall back to Basic. If Windows NT Challenge/Response
and Kerberos are not supported, the browser uses Basic, Digest, or Fortezza if it supports these. The order of precedence here is Basic, Digest, and then Fortezza.
So this can explain why you need to specify domain name for authentication even you have specified default realm in basic authentication settings. To use basic authentication, you will need to disable windows authentication for your site, or format as domainname\username
is required.
shelterin
2 Posts
IIS authentication issue with "external clients"
May 14, 2012 12:21 AM|LINK
Hi,
"Bad news", one of our web servers had to be renewed, so we came to use IIS7.
The web site is using both :
I can't figure out how to deal with this issue, digest auth seems to work and send the domain name, but it repeatedly asks for the credentials, AND kills the SSO (probably a different issue, it's just to let you know).
Is there a way to "force" teh external PCs that aren't in the domain to use the domain which is (probably) sent by the server ?
Thanks in advance,
[EDIT]
The server sends the domain during the NTLM exchange (trace from wireshark)
Target Name: OBFUSCATED.LOCAL
But my IE couldn't care less...
jeff@zina.co...
3379 Posts
MVP
Moderator
Re: IIS authentication issue with "external clients"
May 14, 2012 12:41 PM
Are they logging in with a domain\username format or username@domainname format? That should bypass their default domain.
Jeff
shelterin
2 Posts
Re: IIS authentication issue with "external clients"
May 14, 2012 01:42 PM
domain\username works, but we want them to only use their username without the domain name in any way
Lloydz
2335 Posts
Microsoft
Re: IIS authentication issue with "external clients"
May 17, 2012 08:32 AM
According to your description, it seems Windows authentication is the authentication method being used. Here's the direct quote from this KB:
Orders of precedence: When the browser makes a request, it always considers the first request to be Anonymous. Therefore, it does not send any credentials. If the server does not accept Anonymous or if the Anonymous user account set on the server does not have permissions to the file being requested, the IIS server responds with an "Access Denied" error message and sends a list of the authentication types that are supported by using one of the following scenarios:
If Windows Integrated is the only supported method (or if Anonymous fails), then the browser must support this method to communicate with the server. If this fails, the server does not try any of the other methods.
If Basic is the only supported method (or if Anonymous fails), then a dialog box appears in the browser to get the credentials, and then passes these to the server. It attempts to send the credentials up to three times. If these all fail, the browser does not connect to the server.
If both Basic and Windows Integrated are supported, the browser determines which method is used. If the browser supports Kerberos or Windows NT Challenge/Response, it uses this method. It does not fall back to Basic. If Windows NT Challenge/Response and Kerberos are not supported, the browser uses Basic, Digest, or Fortezza if it supports these. The order of precedence here is Basic, Digest, and then Fortezza.
So this can explain why you need to specify the domain name for authentication even though you have specified a default realm in the basic authentication settings. To use basic authentication, you will need to disable Windows authentication for your site; otherwise the domainname\username format is required.
Hope this helps, thanks.