Integrated Windows Authentication across trusted domains

Reginald Hopkins

Sep 20, 2002, 6:50:31 PM
So I'm having trouble with Integrated Windows Authentication. I can't get my
website to allow access to anyone who is not a user on the machine.

Basically the setup is this:
1. Webserver (IIS) is in Domain1
2. IE only clients are in Domain2
3. Domain1 and Domain2 are trusted
4. My website is in ASP.NET
5. In the Webserver machine I've set up a local group that has as a member a
Domain2 group that includes all the users of Domain2
6. In the virtual directory properties of my website, (directory security
tab) I have enabled only the Integrated Windows Authentication.
7. In the Web.config file of my website I'm using the following...
    <system.web>
        <authentication mode="Windows" />
        <identity impersonate="true" />
        <authorization>
            <allow roles="<local machine name>\<local group name from #5 above>" />
            <allow roles="<domain of users>\<Domain Users group>" />
        </authorization>
    </system.web>
8. In the security tab of the properties on the actual folder that the
website files live in I've added the Internet Guest Account, my new group
from #5 above, and all the domain users from both domains. Having added
these accounts I've allowed them each to have Read & Execute access.


In this state, whenever a person from Domain2 goes to my website they get
the logon challenge dialog asking them to log in. When they enter valid
credentials the logon dialog just pops up again (for 3 successive times)
till they are finally denied access. On the other hand, I can go to the
website without the logon dialog and see my site just fine. But then my
account (from Domain2) is an administrator on the machine.

If I add a user from Domain2 to the webserver's Users group on my web server
then suddenly they have access to my website just like I want but they are
not supposed to have access to the machine so this is not really a viable
option for me. When I remove them from the Users group on the machine then
once again they cannot access my site.

What am I missing? I just want to allow access to everyone in the domain but
need them to be authenticated since I use their userid in my code.

I've already scoured the following information to no avail....
http://msdn.microsoft.com/msdnmag/issues/02/04/ASPSec/print.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q308160
http://support.microsoft.com/default.aspx?scid=kb;EN-GB;Q168908
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q264921


Tim Greene

Dec 10, 2002, 2:22:34 PM
Are the two domains in the same forest, or are we talking about NT domains?
If they're NT, then you'll need to have the trust relationship set up in
order for that to work. Also, make sure you're connecting to the web site
via a NetBIOS name and not the IP or FQDN. IE will prompt you for
credentials when connecting to an intranet site using the FQDN or IP.
What is the exact error you're seeing in the browser after trying to log in
for the 3rd time? Are your administrator accounts from domain 1 and domain
2 using the same account and password?

Sincerely,

Tim Greene MCSE, MCSA, MCP+I
IIS Newsgroup Support

Please do not send email directly to this alias. This is our online account
name for newsgroup participation only.

If you would like to open a support incident with Microsoft, call
1-800-936-5800

This posting is provided “AS IS” with no warranties, and confers no rights.
You assume all risk for your use. © 2001 Microsoft Corporation.
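
The prompting behaviour described in the reply above, as an added example that is not part of the original thread: a small Python model of Internet Explorer's default zone mapping, where automatic Integrated Windows Authentication logon happens only in the Local intranet zone and a dotless host name is what places a site there. The host names and the `intranet_sites` parameter (host patterns standing in for entries in the Local intranet site list) are assumptions, and the proxy-bypass rule is not modelled.

```python
import fnmatch
import ipaddress
from urllib.parse import urlsplit


def is_ip_literal(host):
    """True for an IPv4 or IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def ie_zone(url, intranet_sites=()):
    """Return (zone, reason) for url under the default mapping modelled here."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        raise ValueError("no host in URL: %r" % url)
    # Explicit Local intranet site-list entries win over the name heuristics.
    for pattern in intranet_sites:
        if fnmatch.fnmatch(host, pattern.lower()):
            return "intranet", "matches site-list entry " + pattern
    if is_ip_literal(host):
        return "internet", "IP address literal"
    if "." in host:
        return "internet", "dotted name (FQDN)"
    return "intranet", "dotless single-label name"


def prompts_for_credentials(url, intranet_sites=()):
    """True when the logged-on user's credentials are not sent automatically."""
    return ie_zone(url, intranet_sites)[0] != "intranet"


# Constructed sample URLs; web01 and domain1.example are hypothetical names.
SAMPLE_URLS = [
    "http://web01/app/default.aspx",
    "http://web01.domain1.example/app/default.aspx",
    "http://192.168.10.5/app/default.aspx",
    "http://[fe80::1]/app/default.aspx",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        zone, reason = ie_zone(url)
        print("%-48s %-9s %s" % (url, zone, reason))
```
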