IIS 7 and Above
IIS Windows Authentication : User of some domains in LDAP domain can'...
Last post Sep 12, 2019 09:20 AM by Yuk Ding
Sep 10, 2019 02:58 PM|a.famantanantsoa|LINK
Hello guys,
I'm facing issues when connecting as a certain user in our LDAP / Active Directory domain.
What I want is to deny access to my websites for all users except some belonging to a certain domain.
To proceed, I have added the users' domain to the Administrators group, or the specific user, but it is not working. (It is a bad practice, but I want to force it a little bit in order to understand it quickly.)
Note that the user can't connect to the Windows server as a normal user via Remote Desktop Connection either; I don't know why.
1) My basic question is: is it mandatory that, in order to perform Windows Authentication via IIS, a user should have the right to connect to the Windows server itself (via RDP or whatever)?
Sep 11, 2019 04:21 AM|Yuk Ding|LINK
In order to use Windows Authentication with a user from a different domain, you need to add the domain to a trust relationship and set an SPN for these users.
You need to ensure the domain can be used to authenticate Kerberos tickets.
Sep 11, 2019 09:08 AM|a.famantanantsoa|LINK
Hello Yuk Ding,
Thanks for your reply.
The domain I'm talking about is an LDAP domain.
For instance:
A user in LDAP domain-A can perform Windows Authentication to IIS, but a user in LDAP domain-B cannot.
I'm new to SPNs and domain trusts, sorry.
Note that I'm not managing the LDAP controller.
Sep 12, 2019 09:20 AM|Yuk Ding|LINK
Yes. MS AD DS belongs to LDAP. You have to make sure the user in domain B has been set with a server principal name of your website's domain. Then the user in domain B can be used to authenticate Kerberos tickets.
It is also important for your website's domain to trust domain B.
Since we are not experts in LDAP, if you need to know how to achieve this step by step, you could post your question to the TechNet Windows Server forum.
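The two replies above describe the same procedure in outline (a trust between the web server's domain and domain B, plus a Kerberos SPN for the site) and the opening post asks how to let only users of one domain in. The following PowerShell is an added example, not code from the thread or from any poster: it checks the trust, puts the HTTP SPN on the account that actually decrypts the tickets (the application pool identity, not the end user), enables Windows Authentication, and restricts the site with an IIS URL Authorization rule instead of local group membership. All names (site "Default Web Site", host www.corp-a.example, domains CORPA/corpb.example, service account CORPA\svc_webapp, group CORPB\WebUsers) are assumptions; it needs the RSAT ActiveDirectory module, the IIS URL Authorization feature (Web-Url-Auth) and an elevated prompt on the IIS server. Note that a Windows Authentication logon in IIS is a network logon, so it depends on the "Access this computer from the network" right on the web server, not on the Remote Desktop logon right.

```powershell
# Added example; names below are assumptions, not values from the thread.
$SiteName      = 'Default Web Site'
$HostName      = 'www.corp-a.example'     # name users type in the browser
$AppPoolAcct   = 'CORPA\svc_webapp'       # identity the app pool runs as
$AllowedGroup  = 'CORPB\WebUsers'         # only these domain-B users get in
$TrustedDomain = 'corpb.example'          # domain B

# 1) Trust: the web server's domain must trust domain B (inbound from A's point
#    of view, or two-way); otherwise the KDC in A will not accept B's users.
Write-Host "== Trusts seen by $env:USERDNSDOMAIN =="
nltest /domain_trusts /all_trusts
Import-Module ActiveDirectory
Get-ADTrust -Filter "Name -eq '$TrustedDomain'" |
    Select-Object Name, Direction, TrustType, ForestTransitive

# 2) Which account needs the SPN? The one the application pool runs as: Kerberos
#    encrypts the service ticket with that account's key, so the SPN must sit on it.
Import-Module WebAdministration
$pool     = (Get-Item "IIS:\Sites\$SiteName").applicationPool
$identity = Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel
"App pool '$pool' runs as identityType=$($identity.identityType) userName=$($identity.userName)"

# 3) Current SPNs on the service account, and a forest-wide duplicate check.
#    A duplicate HTTP/<host> SPN on two accounts silently breaks Kerberos (NTLM
#    fallback or outright failure), so run -X before adding anything.
setspn -L $AppPoolAcct
setspn -X

# 4) Register the SPN. -S refuses to create a duplicate. Uncomment to apply.
# setspn -S "HTTP/$HostName" $AppPoolAcct

# 5) Site authentication: anonymous off, Windows Authentication on. With a custom
#    app-pool account, kernel-mode authentication must use the pool's credentials
#    so tickets issued for HTTP/<host> can be decrypted.
$apphost = 'MACHINE/WEBROOT/APPHOST'
Set-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name useAppPoolCredentials -Value $true

# 6) Authorization: drop the inherited "allow everyone" rule at the site level and
#    allow only the domain-B group. With no matching Allow rule the URL
#    Authorization module answers 401.2; no Administrators membership is involved.
Remove-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
    -Filter 'system.webServer/security/authorization' -Name '.' `
    -AtElement @{users='*'; roles=''; verbs=''}
Add-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
    -Filter 'system.webServer/security/authorization' -Name '.' `
    -Value @{accessType='Allow'; roles=$AllowedGroup}

# 7) Show the resulting rule set for review.
Get-WebConfiguration -PSPath $apphost -Location $SiteName `
    -Filter 'system.webServer/security/authorization/add' |
    Select-Object accessType, users, roles

# Verification from a domain-B client, as the domain-B user, after one request:
#   klist get HTTP/www.corp-a.example
# A ticket for that SPN in the output means Kerberos (not an NTLM fallback) was used.
```

Two things to watch when adapting it: if the site answers on more than one host name, each name needs its own HTTP/ SPN on the same account; and because the Allow rule is evaluated by the IIS URL Authorization module against the authenticated token, the user's group membership in domain B must be resolvable across the trust, which is exactly what a one-way trust in the wrong direction prevents.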