IIS Windows Authentication: users of some domains in the LDAP domain can't connect (Invalid credentials), even if they are part of Administrators users

3 replies

Last post Sep 12, 2019 09:20 AM by Yuk Ding

  • IIS Windows Authentication: User of some domains in LDAP domain can't connect (Invalid credenti...

    Sep 10, 2019 02:58 PM | a.famantanantsoa

    Hello guys,

    I'm facing issues when connecting with certain users in our LDAP/Active Directory domain.

    What I want is to deny access to my websites for all users except some belonging to a certain domain.

    To proceed, I have added the users' domains or the specific user to the Administrators group, but it is not working. (It is a bad practice, but I want to force it a little bit in order to understand it quickly.)

    Note that the user can't connect to the Windows server as a normal user via Remote Desktop Connection either; I don't know why.

    1) My basic question is: is it mandatory that, in order to perform Windows Authentication via IIS, a user should have the right to connect to the Windows server itself (via RDP or whatever)?

  • Re: IIS Windows Authentication: User of some domains in LDAP domain can't connect (Invalid cred...

    Sep 11, 2019 04:21 AM | Yuk Ding

    Hi a.famantanantsoa,

    In order to use Windows Authentication with a user from a different domain, you need to add the domain to a trust relationship and set an SPN for these users.

    https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/

    You need to ensure the domain can be used to authenticate the Kerberos ticket.

    Best Regards,

    Jokies Ding

    Yuk Ding

    MSDN Community Support
    Please remember to "Mark as Answer" the responses that resolved your issue.
  • Re: IIS Windows Authentication: User of some domains in LDAP domain can't connect (Invalid cred...

    Sep 11, 2019 09:08 AM | a.famantanantsoa

    Hello Yuk Ding,

    Thanks for your reply.

    The domain I'm talking about is an LDAP domain.

    For instance:

    OU=users,OU=Domain-A,DC=mycompany,DC=com


    OU=users,OU=Domain-B,DC=mycompany,DC=com

    A user in LDAP Domain-A can perform Windows Authentication to IIS, but a user in LDAP Domain-B cannot.

    I'm new to SPNs and domain trusts, sorry.

    Note that I'm not managing the LDAP controller.

    Regards,

    Andry 

  • Re: IIS Windows Authentication: User of some domains in LDAP domain can't connect (Invalid cred...

    Sep 12, 2019 09:20 AM | Yuk Ding

    Hi a.famantanantsoa,

    Yes. MS AD DS belongs to LDAP. You have to make sure the user in domain B has been set with a Service Principal Name for your website's domain. Then the user in domain B can be used to authenticate the Kerberos ticket.

    It is also important for your website's domain to trust domain B.

    Since we are not experts in LDAP, if you need to know how to achieve this step by step, you could post your question to the TechNet Windows Server forum.

    https://social.technet.microsoft.com/Forums/windowsserver/en-us/home?category=windowsserver

    Best Regards,

    Jokies Ding

    Yuk Ding

    MSDN Community Support
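The trust and SPN checks that Yuk Ding describes in both replies above, together with the IIS authorization rule that actually limits a site to one group (rather than widening the local Administrators group, as the question tried), as an added PowerShell example. This is not code from the thread or from Microsoft; the hostname intranet.mycompany.com, the app-pool account MYCOMPANY\svc_iis, the group MYCOMPANY\WebApp-DomainB-Users and the site name Default Web Site are assumptions to be replaced with real values.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the IIS server
# with the RSAT ActiveDirectory module, the WebAdministration module and the
# IIS URL Authorization feature (Web-Url-Auth) installed.
# Assumed names (change to match your environment):
$SiteHost     = 'intranet.mycompany.com'          # hostname users type in the browser
$SiteName     = 'Default Web Site'                # IIS site to protect
$PoolAccount  = 'MYCOMPANY\svc_iis'               # domain account the app pool runs as
$AllowedGroup = 'MYCOMPANY\WebApp-DomainB-Users'  # the only group that should get in
$AppHost      = 'MACHINE/WEBROOT/APPHOST'         # authentication sections are locked at site level

Import-Module ActiveDirectory
Import-Module WebAdministration

# --- 1. Trust: a user from another domain only receives a service ticket for this
#        server if the web server's domain trusts (or shares a forest with) theirs.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest

# --- 2. SPN: exactly one account must hold HTTP/<hostname>.
#        Missing   -> no Kerberos ticket, client falls back to NTLM.
#        Duplicate -> KRB_AP_ERR_MODIFIED on the client, 401 from IIS.
setspn -Q "HTTP/$SiteHost"                 # who holds the SPN today, if anyone
setspn -X                                  # forest-wide duplicate SPN report
setspn -S "HTTP/$SiteHost" $PoolAccount    # -S registers only if no duplicate exists

# --- 3. When the pool runs as a domain account, IIS must decrypt tickets with that
#        account's key, not the machine account's.
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name 'useAppPoolCredentials' -Value $true

# --- 4. Windows Authentication on, anonymous off; with anonymous enabled every
#        request already "succeeds" and the browser is never challenged.
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'enabled' -Value $false
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name 'enabled' -Value $true

# --- 5. Authorization: remove the inherited "Allow all users" rule and allow one group.
#        Anyone not matched by an Allow rule is refused with 401.2. This, not membership
#        in the server's local Administrators group, decides who may use the site.
$AuthzFilter = 'system.webServer/security/authorization'
Remove-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $AuthzFilter `
    -Name '.' -AtElement @{ users = '*'; roles = ''; verbs = '' }
Add-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $AuthzFilter `
    -Name '.' -Value @{ accessType = 'Allow'; roles = $AllowedGroup }

# --- 6. Verify from a client logged on as a Domain-B user, after browsing to the site:
#        a ticket for HTTP/<hostname> in the cache proves Kerberos (not NTLM) was used.
#   klist tickets | Select-String "HTTP/$SiteHost"
```

Two caveats a practitioner would check before going further. First, both distinguished names posted in the thread end in DC=mycompany,DC=com, so Domain-A and Domain-B are organizational units inside one AD domain; no trust is involved in that case, and steps 2, 4 and 5 are the ones that matter. Second, Windows Authentication in IIS only proves who the caller is; which callers get in is decided by the authorization rules in step 5 (and by NTFS permissions on the content), so adding accounts to the local Administrators group grants them administrative rights on the server without making the site reachable for them.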