
iis security : Authentication issues: partially solved, but new troubles coming...


Massimo
9/20/2003 7:51:03 PM
Well, it seems that IE zones were involved in my weird authentication
issues, after all.
I didn't understand *really* what was happening, or why one server behaved
differently from the other, however I was able to solve the problem by
adding "*.mydomain.com" to the Local Intranet sites in IE. I did this at the
domain level, and now integrated authentication works on both servers. But
I'm quite disappointed I wasn't able to discover what happened... and I'm
having even stranger authentication troubles now.
Ok, here's the situation: my web server has both integrated and basic
authentication turned on, since it needs to be accessible from both the
intranet and the Internet. If I deactivate integrated authentication
(leaving only basic activated), everything works fine. As soon as I activate
it, there is absolutely *no way* to access it using basic authentication,
i.e. from an Internet Explorer used by anyone that's not a domain user. The
login request box pops up, and again no userid/password couple is ever
accepted. It seems just like integrated authentication, when active, is
considered by the web server to be the *only* authentication method
available (but basic is active, too). This is exactly the same problem that
was happening before: if integrated authentication is not available, basic
authentication doesn't work. However, on my other web server, all is fine:
when both are selected, if integrated authentication can't be used (i.e.
because I'm accessing the pages being an external user), the basic one asks
me for userid/password and access is granted.

There are also other weird things about all of this: when I access my
webserver (the troubled one) and only basic authentication is selected, the
login box says I'm accessing www or www.mydomain.com, based on how I
requested the page (http://www or http://www.mydomain.com). I simply put in
userid and password (without specifying the domain), and it validates them
against the domain, since this is what it's configured to do.
When I enable integrated authentication (and basic one, too), the login box
says "connecting to frontend.mydomain.com" (which is the true FQDN of the
server); I put in my login name and password, and then the box comes back
re-asking for login, but now it shows the (wrong, in its viewpoint) username
I put in before as FRONTEND\username, acting as it tried to validate it
against the local user database instead of the domain. If I put in a full
username (MYDOMAIN\username), however, this time the box comes back showing
it as it was entered. But, again, no access is granted.
Since I'm trying to access it from the Internet, using a local user on a
test computer, this happens independently of how I reach it (www or
www.mydomain.com).

When using the other webserver, configured exactly in the same way (allowing
both integrated and basic authentication), accessing it from the very same
test computer, the login box pops up, I enter my userid and password
(without domain), and access is granted. And no integrated authentication is
used, since 1) this is happening through an Internet connection, 2) the web
browser correctly recognizes the site as an Internet one and 3) the user
account I'm using is definitely *not* a domain user.

Could all of this be happening because my second webserver is also a domain
controller, so it (correctly) validates users against the domain instead of
the local user db? But then, why is this happening on the first server even
when giving a full userid (MYDOMAIN\username)? And why does all of this
weirdness happen only when I turn on both authentication methods?

I'm really confused about this, every day more... please help.

Thanks

Massimo
Massimo
9/20/2003 10:18:42 PM
"Massimo" <barone@mclink.it> wrote in message
news:eWktt%235fDHA.1828@TK2MSFTNGP10.phx.gbl...


I've found something on
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sec_auth_digestauth.asp
that seems to be related to this issue:


This is exactly the behaviour I'm getting... the only difference is I'm not
using digest authentication, but basic one!
Does this have any relevance?

Massimo
Ken Schaefer
9/22/2003 1:29:01 PM
Hi,

A couple of quick points:

a) If you enable both Integrated and Basic, then the webserver sends back
the Negotiate HTTP header, and headers indicating which authentication
schemes it supports. The browser selects the "most secure" system that it
supports. So, if you enable both, and you use IE, then Integrated will be
used. On the other hand, if you used Netscape or Mozilla, then Basic will be
used, since those browsers don't support Integrated.

b) If you're running IIS on a DC, then it can only authenticate against the
domain, since there is no local user accounts database on a DC.

c) If you enter a user as Username, when using Integrated, it seems to come
back with Server\Username, rather than Domain\Username. I'm not really sure
why that is. Maybe someone else can enlighten us. I've always had to tell my
users to log on as either Domain\Username or username@domain.whatever.

d) Something odd seems to be up between the webserver, and the DC. Is there
anything in the Event Logs at all? Do you have logon failure auditing
enabled?

Cheers
Ken

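Ken's point (a), and his later remark that Integrated authentication is also usable from the Internet zone, both come down to which schemes the server advertises in its 401 and which of them the client picks. The following Python is an added example, not code from the thread or from IIS: it models that selection over constructed 401 responses (the header values are assumed, not captured from Massimo's servers) and builds and parses the Basic credential in the DOMAIN\username form Ken recommends.

```python
import base64

# Constructed sample 401 responses modelled on the two configurations in the
# thread; hypothetical headers, not captured from the real servers.
BOTH_ENABLED_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="frontend.mydomain.com"\r\n'
    "Content-Length: 0\r\n\r\n"
)
BASIC_ONLY_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="www.mydomain.com"\r\n'
    "Content-Length: 0\r\n\r\n"
)

# Scheme preference as Ken describes it: the client takes the strongest
# scheme it supports, so Basic is only ever a fallback.
PREFERENCE = ["Negotiate", "NTLM", "Basic"]


def advertised_schemes(raw_response):
    """Return the scheme names found in the 401's WWW-Authenticate headers."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            schemes.append(value.strip().split()[0])
    return schemes


def choose_scheme(raw_response, client_supports):
    """Most-preferred scheme offered by the server AND supported by the client, else None."""
    offered = advertised_schemes(raw_response)
    for scheme in PREFERENCE:
        if scheme in offered and scheme in client_supports:
            return scheme
    return None


def basic_authorization(user, password, domain=None):
    """Build the Basic header a browser sends; DOMAIN\\user names the account database explicitly."""
    account = f"{domain}\\{user}" if domain else user
    token = base64.b64encode(f"{account}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def parse_basic_authorization(header):
    """Decode a Basic header back into (domain, user, password); domain is '' when unqualified."""
    token = header.split("Basic ", 1)[1]
    account, _, password = base64.b64decode(token).decode().partition(":")
    domain, sep, user = account.partition("\\")
    return (domain, user, password) if sep else ("", account, password)
```

A client that supports only Basic (Ken's Netscape/Mozilla case) falls back to it even when the server offers Negotiate, which is what Massimo expected to see from his non-domain test machine.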

Massimo
9/22/2003 10:11:51 PM
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:%23z3JtmLgDHA.2820@tk2msftngp13.phx.gbl...


Yes, that's right. But since I'm accessing it from outside the intranet (and
IE confirms it's treating the URL in the Internet zone), integrated
authentication won't be used; it wouldn't succeed, anyway, because the user
is not a domain one.


This is obvious :-)
But I told IIS to use my domain as the default logon domain for basic
authentication, so why is it using the local user DB?
And why is it using the local DB even when I log in as MYDOMAIN\username?


I really hope someone can...


There is something in the event log, but I still haven't managed to test this
carefully (I've been very busy lately).

Massimo
Ken Schaefer
9/23/2003 11:36:44 AM

: "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
: news:%23z3JtmLgDHA.2820@tk2msftngp13.phx.gbl...
:
: > A couple of quick points:
: >
: > a) If you enable both Integrated and Basic, then the webserver sends back
: > the Negotiate HTTP header, and headers indicating which authentication
: > schemes it supports. The browser selects the "most secure" system that it
: > supports. So, if you enable both, and you use IE, then Integrated will be
: > used. On the other hand, if you used Netscape or Mozilla, then Basic will be
: > used, since those browsers don't support Integrated.
:
: Yes, that's right. But since I'm accessing it from outside the intranet (and
: IE confirms it's treating the URL in the Internet zone), integrated
: authentication won't be used; it wouldn't succeed, anyway, because the user
: is not a domain one.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sorry?

You can use Integrated Authentication in the Internet Zone...

And you can authenticate against both Domains -or- Local user accounts.

I use Integrated Authentication all the time to connect to Outlook Web Access
when I'm out of the office, and I authenticate using my domain credentials
(Domain\Username).

Cheers
Ken

Massimo
9/24/2003 10:20:30 PM
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:%23KUEzMXgDHA.2352@TK2MSFTNGP09.phx.gbl...


Ok, why is my username and password not accepted by IIS, then?

Massimo