IIS 7 and Above
IIS 10 authentication with 2 options
Last post Dec 03, 2019 11:14 AM by firstname.lastname@example.org
Nov 29, 2019 08:37 AM | email@example.com
I am Alexandr. Sorry for my English.
Is it possible to implement the following?
There is a virtual machine with IIS 10 and SQL Server, and the Elma Server application is running on it.
Windows authentication works under Kerberos protocol. Accordingly, domain users enter without entering a username / password. There was a need so that non-domain computers could enter.
For example, a user visits the site, has not passed Windows authentication, after which the login form for the Elma application opens.
In what situation is this needed?
If an employee-manager goes to present the product to the customer and he needs to go to our portal (which is published) so that there are no problems with the entrance.
Have you had any such cases?
Nov 29, 2019 02:20 PM | lextm
There was a need so that non-domain computers could enter.
What you really need is a gateway solution. Microsoft initially had Forefront Threat Management Gateway, but deprecated it. Now you should look for a third party replacement.
Dec 02, 2019 02:45 AM | Yuk Ding
Since Windows authentication works as an independent module in the IIS pipeline, you can't inject another kind of authentication, because if Windows authentication fails, IIS will return a 401.2 error without any other authentication logic.
There are two ways to achieve your requirement.
Dec 03, 2019 03:42 AM | firstname.lastname@example.org
Thank you for the reply.
I apologize for the late reply, we had a day off and a holiday :)
You are right, indeed, if Windows authentication did not succeed, then there will be a 401 error.
If you enable Windows and Forms authentication in IIS settings, you get a message that both methods do not work, in particular, forms authentication.
Of course I heard about TMG, but Microsoft is not supported. I think that is not relevant.
In general, there is something to think about...
Would you recommend something?
Dec 03, 2019 09:35 AM | Yuk Ding
Windows authentication could also be used for an external website as long as you register an SPN for the external domain name. What about creating a specific user account for the external client?
Dec 03, 2019 11:14 AM | email@example.com
External Authentication Not Configured
SPN for the external name in the properties of the user from whom the pool is launched. Do you mean this? If so, then the SPNs are registered.
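
One way to verify the state discussed in the last posts (which authentication modules the site has enabled, and whether the SPN for the external name sits on the account that can actually decrypt Kerberos tickets). This is an added example, not part of the thread; the site name and host name are assumed placeholders.

```powershell
# Added example. $SiteName and $ExternalHost are hypothetical placeholders.
$SiteName     = 'Default Web Site'
$ExternalHost = 'portal.example.com'

Import-Module WebAdministration

$apphost = 'MACHINE/WEBROOT/APPHOST'
$base    = 'system.webServer/security/authentication'

# 1. Authentication modules enabled for the site. If anonymous access is off
#    and Windows authentication fails, IIS answers 401 before any login form
#    in the application gets a chance to run.
foreach ($mode in 'anonymousAuthentication', 'windowsAuthentication', 'basicAuthentication') {
    $enabled = (Get-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
        -Filter "$base/$mode" -Name enabled).Value
    '{0,-26} enabled = {1}' -f $mode, $enabled
}

# 2. Settings that decide which account decrypts the Kerberos ticket.
#    With kernel-mode authentication on and useAppPoolCredentials off,
#    the machine account is used, not the application pool identity.
foreach ($attr in 'useKernelMode', 'useAppPoolCredentials') {
    $value = (Get-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
        -Filter "$base/windowsAuthentication" -Name $attr).Value
    '{0,-26} = {1}' -f $attr, $value
}

# 3. Identity the application pool of the site's root application runs under.
$poolName = (Get-Item "IIS:\Sites\$SiteName").applicationPool
$model    = (Get-Item "IIS:\AppPools\$poolName").processModel
'Pool {0}: identityType = {1}, userName = {2}' -f $poolName, $model.identityType, $model.userName

# 4. Which account holds the HTTP SPN for the external name?
setspn -Q "HTTP/$ExternalHost"

# 5. SPNs registered on the pool account (only for a custom domain account).
if ($model.identityType -eq 'SpecificUser') {
    setspn -L $model.userName
}

# 6. Duplicate SPNs in the domain; a duplicate breaks Kerberos for that name.
setspn -X
```

If step 4 shows the SPN on the pool account while step 2 shows kernel mode enabled and useAppPoolCredentials disabled, the ticket cannot be decrypted by the account that holds the SPN.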