IIS 7 and Above
IIS authentication issue with "external clients"
Last post May 17, 2012 04:32 AM by Lloydz
May 13, 2012 08:21 PM|shelterin|LINK
"Bad news", one of our web servers had to be renewed, so we came to use IIS7.
The web site is using both :
I can't figure out how to deal with this issue, digest auth seems to work and send the domain name, but it repeatedly asks for the credentials, AND kills the SSO (probably a different issue, it's just to let you know).
Is there a way to "force" teh external PCs that aren't in the domain to use the domain which is (probably) sent by the server ?
Thanks in advance,
The server sends the domain during the NTLM exchange (trace from wireshark)
Target Name: OBFUSCATED.LOCAL
But my IE couldn't care less...
May 14, 2012 08:41 AMemail@example.com|LINK
Are they logging in with a domain\username format or username@domainname format? Tht should bypass their default domain.
May 14, 2012 09:42 AM|shelterin|LINK
domain\username works, but we want them to only use their username without the domain name in any way
May 17, 2012 04:32 AM|Lloydz|LINK
According to your description, it seems windows authentication is the authentication method being used. Here's the direct quote from
Orders of precedence:When the browser makes a request, it always considers the first request to be Anonymous. Therefore, it does not send any credentials. If the server does not accept Anonymous or if the Anonymous user account set on
the server does not have permissions to the file being requested, the IIS server responds with an "Access Denied" error message and sends a list of the authentication types that are supported by using one of the following scenarios:
So this can explain why you need to specify domain name for authentication even you have specified default realm in basic authentication settings. To use basic authentication, you will need to disable windows authentication for your site, or format as domainname\username
Hope this helps, thanks.