
IIS using Integrated Authentication - Cross Forest Trust Issue


mpriess

Feb 6, 2004, 8:35:40 AM
Hello everyone...here is my issue:

When attempting to access a website on IIS6 we receive a dialog box to enter
username and password. If we enter a domain\username and password of an
account that is in the same forest that the web server is in...we are
authenticated fine and the web page comes up.

However, if, from the same machine we enter in an account (prefixed with the
correct domain name) from the trusted domain (an account that is not in the
same forest as the web server...but does have permissions on the web site
and is in the trusted domain) we are unable to get past the authentication
pop up dialog box.

Some other important info:
There is a one way trust in place. All other authentication to the trusting
domain is fine. So, this would lead me to believe it is specific to IIS.
Another web server has been brought up and we are receiving the same auth
issues. SharePoint is running on this IIS server but the proper permissions
have been given to the user we are attempting to authenticate with so we do
not believe this has anything to do with the problem. Also, the firewall
between both subnets is being monitored and no traffic related to the
authentication or web requests is being dropped.

The security event log on the web server shows the following: (the domain
name has been changed here)

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 2/6/2004
Time: 6:17:13 AM
User: NT AUTHORITY\SYSTEM
Computer: DAC-NMS
Description:
Logon Failure:
Reason: An error occurred during logon
User Name: mpriess
Domain: dom123
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DAC3812
Status code: 0xC0000413
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 172.31.7.55
Source Port: 4200


Dmitrii Zakharov [MSFT]

Feb 17, 2004, 3:22:29 PM

A couple of remarks:

1. Do you use SPNEGO? If yes, why are you getting NTLM auth? That means
Kerberos doesn't work due to some misconfiguration?

2. Error code: 0xc0000413 - Logon Failure: The machine you are logging onto
is protected by an authentication firewall. The specified account is not
allowed to authenticate to the machine.
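
Added example, not part of the thread and not Microsoft tooling: a Python triage of the Event ID 537 description posted in the question, applying the two points from the reply above (NTLM was used instead of Kerberos, and status 0xC0000413 means the authentication firewall rejected the account). The function names and the single-entry status map are assumptions of this example; the sample text is the event from the question with the empty fields dropped.

```python
# Status text as quoted in the reply above; other codes are left unmapped.
STATUS_TEXT = {
    0xC0000413: "account is not allowed to authenticate to this machine "
                "(authentication firewall)",
}

# Constructed sample: the Event ID 537 description from the question.
SAMPLE_EVENT = """\
Logon Failure:
Reason: An error occurred during logon
User Name: mpriess
Domain: dom123
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DAC3812
Status code: 0xC0000413
Substatus code: 0x0
Source Network Address: 172.31.7.55
"""

def parse_event(text):
    """Split the 'Key: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():          # skips headers such as "Logon Failure:"
            fields[key.strip()] = value.strip()
    return fields

def triage(fields):
    """Return human-readable findings for one failed logon record."""
    findings = []
    if fields.get("Authentication Package", "").upper() == "NTLM":
        findings.append("NTLM was used: Kerberos was not negotiated for this logon")
    status = int(fields.get("Status code", "0x0"), 16)
    if status in STATUS_TEXT:
        findings.append(f"0x{status:08X}: {STATUS_TEXT[status]}")
    elif status:
        findings.append(f"0x{status:08X}: unmapped status code, look it up")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_event(SAMPLE_EVENT)):
        print(finding)
```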

