authentication methods IIS 6


authentication methods IIS 6 BJM
5/27/2004 11:56:08 PM
Guys

I have a thorny problem which I hope someone can shed a little light on for
me.

I have a Windows 2000 machine running a secured virtual directory (VD),
inasmuch as anonymous access has been disallowed for that VD.
Instead the VD is set to use Integrated Windows authentication, which works
beautifully when my users connect from a same domain (as the webserver)
machine whilst connected to the same physical LAN.

However, these users connect from the outside world using an OpenVPN
connection to a Linux server. Now, when these same users connect from the
outside, they cannot connect to the aforementioned VD, but here is the
kicker, I was getting frustrated one night and forgot to take home my laptop
power supply, needed to check some stuff from home (after flattening my
battery) so connected my personal PC to the VPN and jumped onto the network
at my office. The virtual directory served me all the content from the
secured VD after prompting me for a username and password.

So my issue is this, Microsoft states that security settings on the VD
should keep trying until it finds an authentication match, but, my domain
machines across the VPN are failing to connect to the VD properly and pass
through the credentials, whereas my non-domain personal machine seems to be
defaulting to digest authentication. Is this the case, or is it that the
domain machines will never try digest authentication unless I have it
enabled?

This is tearing me up as I have some stupid users who do not understand the
words: "It works fine on a Citrix desktop - please connect to that for the
time being and call me every day...!Grr" Strangely the CEO is not that
upset - go figure.

Anyway

Can anyone help me with this - I am loath just to click buttons on
production servers and could do with some pointers.

Regards

BJM


Re: authentication methods IIS 6 Ken Schaefer
5/28/2004 3:07:32 PM
Hi,

When the server requires authentication, the server sends back a list of
supported authentication mechanisms (which are sent back depends on what you
have checked in the IIS Manager - if you never selected Digest, then the
server will never offer digest). The browser picks the first one on the list
that it supports (the server should send them back in order of strongest ->
weakest).

Rather than explain the whole thing, get the sample chapter from my book
(Securing IIS 6.0) - there's a link on my homepage:
http://www.adopenstatic.com/
It covers, in depth, how the various different authentication mechanisms
work, and what the requirements are to get them working.

If you find it useful, please consider buying a copy :-) thanks.

Cheers
Ken
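
The selection described in the reply above, as an added example that is not part of the thread or of the book it mentions: it reads the `WWW-Authenticate` headers of a 401 response in the order sent and returns the first scheme the client supports. Both responses are constructed samples, and the function names and the one-challenge-per-header-line parsing are assumptions of this example.

```python
# Added example: constructed 401 responses, not captured from a real server.
IWA_ONLY = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
IWA_AND_DIGEST = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Digest qop="auth", realm="example.test", nonce="constructed"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

def offered_schemes(raw_response):
    """Return the auth schemes a 401 offers, in the order the server sent them.

    Assumes one challenge per WWW-Authenticate header line.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] != "401":
        return []  # no challenge unless the server demands authentication
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0])
    return schemes

def client_choice(offered, client_supports):
    """Pick the first offered scheme the client supports (case-insensitive)."""
    supported = {s.lower() for s in client_supports}
    for scheme in offered:
        if scheme.lower() in supported:
            return scheme
    return None  # no common scheme: the request stays unauthenticated

if __name__ == "__main__":
    for label, resp in (("IWA only", IWA_ONLY), ("IWA + Digest", IWA_AND_DIGEST)):
        offered = offered_schemes(resp)
        print(label, offered, client_choice(offered, ["Digest", "Basic"]))
```

Feeding the function the 401 saved from a failing client shows which schemes the virtual directory actually offers before any setting is changed on the server.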


