
IIS/WS2003: Issue, username set to Guest instead of client usernam


dom

Jun 1, 2009, 6:40:01 PM
I have posted a question, but forgot to cross post, sorry for the duplicate.

I have an issue with IIS 6 on Windows Server 2003 SP2, on something that is
working on Windows XP, IIS5.

My users are coming from a different domain, with no trust relationship.
I need all users to have access to a tomcat application. However, I need
their usernames.
The clients are running IE, with the web site in their trusted list, and have
IE configured to send credentials via NTLM.

So, I need IIS to accept users, coming from a defined subnet, as long as
they use NTLM to access. Then pass the username to the application.

So far, all the users have access, the NTLM challenge is working fine.
However, the username passed to the application is 'Guest' when the user is
unknown by my server.

I have made similar configuration on a Windows XP with IIS 5, and the
username is passed.
Can you help me figure out what I need to configure differently on Windows
Server 2003/IIS 6, so the application gets the client username?

To troubleshoot this I used a brand new installation of Windows Server
2003/IIS 6 to be as close as possible to a default configuration.
I created a virtual directory called 'webtest', and placed into this directory a
basic html file: index.htm
Then, I selected 'Windows Authentication' for the webtest directory, and added
read permission to 'Everyone' on that directory. I needed to enable 'Guest
account' in the local policy settings.

With this config, any user accessing the site is able to access the page
from any domain or workgroup. That is what I needed, so I am happy about
this.

But if I look into IIS logs, I see that the cs-username is <my server
hostname>\Guest.
When I need to have <my server hostname>\<client username>

Why do I have a different behavior with Windows XP/IIS 5?
How can I configure Windows Server 2003/IIS 6 to present the client username
instead of 'Guest' and still let everyone access?

Thanks

David Wang

Jul 18, 2009, 7:55:47 PM
This is not an IIS6/WS03 issue.

I seriously doubt that what you are doing works on a standard XP/IIS5
machine, and here is why.

NTLM Authentication sends a HASH of the username/password to the
server. The real username/password never goes over the wire. That NTLM
HASH is received by IIS, who has to forward it to its Domain
Controller to decrypt and determine the actual user name. You said
that there is no trust relationship for these external users, so there
is nothing in IIS's Domain Controller to decrypt and provide the
actual user name. And since NTLM doesn't send the username over, it is
a real mystery how your tomcat application can get a username from an
NTLM hash.

I really suspect that your authentication scheme does not work the way
you are thinking. You may have configured NTLM in IIS, but you also
had something else like Basic authentication or some custom
authentication module that you installed on XP/IIS5, where the username
is passed along. And you had a custom module which could forge the
username field and use Anonymous access.

In any case, the behavior you describe is not part of any standard nor
supported authentication protocol in any version of Windows. You will
not be able to just configure any standard features of Windows/IIS to
get your desired behavior. Using custom modules, yes, but you will
have to figure that out.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
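
A check for the symptom reported in the question, where cs-username in the IIS log shows `<server hostname>\Guest` on requests that succeeded. This is an added example, not code from either poster; the log lines are constructed, `WEB01` is a placeholder hostname, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample in IIS W3C extended log format (not taken from the thread).
# WEB01 is a placeholder server hostname; client addresses are documentation ranges.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-06-01 18:40:01
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus
2009-06-01 18:40:01 GET /webtest/index.htm - 192.0.2.10 401 2
2009-06-01 18:40:01 GET /webtest/index.htm - 192.0.2.10 401 1
2009-06-01 18:40:02 GET /webtest/index.htm WEB01\Guest 192.0.2.10 200 0
2009-06-01 18:41:10 GET /webtest/index.htm WEB01\Guest 192.0.2.11 200 0
2009-06-01 18:42:30 GET /webtest/index.htm WEB01\alice 192.0.2.12 200 0
#Fields: date time c-ip cs-username cs-uri-stem sc-status
2009-06-01 18:43:00 192.0.2.11 WEB01\Guest /webtest/index.htm 200
2009-06-01 18:43:05 truncated-line
"""

def parse_w3c(text):
    """Yield one dict per request, honouring every #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column layout may change mid-file
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):   # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def guest_mapped_requests(text):
    """Count, per client IP, successful requests logged under the Guest account."""
    hits = Counter()
    for row in parse_w3c(text):
        # Strip the machine or domain prefix; "-" means no authenticated user.
        account = row.get("cs-username", "-").rpartition("\\")[2]
        if account.lower() == "guest" and row.get("sc-status", "").startswith("2"):
            hits[row.get("c-ip", "-")] += 1
    return hits

if __name__ == "__main__":
    for ip, count in guest_mapped_requests(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count} request(s) logged as Guest")
```

Clients that appear here reached the content under the local Guest identity, so neither the log nor any downstream application can attribute those requests to an individual user.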
