|
|
You're in the
iis security
group:Standalone IIS Server prompts for authentication when using Domain Anon User Acct
iis security:
I'm having some trouble with getting my IIS server working correctly with anonymous users. Current we have an IIS server sitting in the DMZ that is not part of the internal Windows domain which needs to access Active Directory. To gain access to Active Diretory I've changed the Anonymous User Account under IIS to a domain account. However this causes one to be prompted to authenticate as soon as you try to access the website on the IIS server. For testing purposes I added the IIS server to the same domain that it would be accessing and I no longer got prompted to authenticate when accessing the website. This isn't a NTFS permission problem as far as I can tell since the web application resides in a directory giving Everybody permission to access it. I read that Log on Locally might be necessary, but after giving the domain account (the same that IIS is running as) permission to logon locally I still get prompted for authentication. The desired result is for the standalone IIS server to have access to Active Directory without needing any type of authentication by the user other than at the application level. Any ideas on what could be causing anonymous users being prompted for Windows authentication?
Hi Miguel,
Can you explain a bit more? Is this server member of domain or not? If it is a member of domain, did you open necessary TCP and UDP ports between your IIS server in DMZ and your active directory? Did you change DNS configuration (under TCP/IP properties) in IIS server so that it point to your active directory DNS? In user authentication prompt did you try entering domain_name\username where domain_name is NetBIOS name of your domain and username is account created in your domain. Mike [quoted text, click to view] "Miguel" <ihaveblint@gmail.com> wrote in message news:393251a5.0409300707.7a3af05f@posting.google.com... > Hello all, > > I'm having some trouble with getting my IIS server working > correctly with anonymous users. Current we have an IIS server sitting > in the DMZ that is not part of the internal Windows domain which needs > to access Active Directory. To gain access to Active Diretory I've > changed the Anonymous User Account under IIS to a domain account. > However this causes one to be prompted to authenticate as soon as you > try to access the website on the IIS server. For testing purposes I > added the IIS server to the same domain that it would be accessing and > I no longer got prompted to authenticate when accessing the website. > This isn't a NTFS permission problem as far as I can tell since the > web application resides in a directory giving Everybody permission to > access it. I read that Log on Locally might be necessary, but after > giving the domain account (the same that IIS is running as) permission > to logon locally I still get prompted for authentication. > > The desired result is for the standalone IIS server to have access > to Active Directory without needing any type of authentication by the > user other than at the application level. > > Any ideas on what could be causing anonymous users being prompted > for Windows authentication? > > > Thanks!
Hi Miha,
The IIS server is not part of a domain. For testing purposes I made an exception and allowed all traffic from this IIS server to all DCs to see if this was a firewall issue however that still didn't work. As mentioned, I only get prompted for Windows Authentication when the IIS server is not a member of the domain, however if part of the domain one no longer gets prompted. This alone should rule out any firewall/network level issues. The problem isn't that I'm failing to authenticate when prompted, but rather why I'm being asked to authenticate at all as an anonymous user. I realize some would wonder why I don't keep my IIS server in the Domain - I prefer to keep my DMZ servers standalone. Thanks for your assistance, Miguel [quoted text, click to view] "Miha Pihler" <mihap-news@atlantis.si> wrote in message news:<#8Bj0jwpEHA.1300@TK2MSFTNGP12.phx.gbl>...
> Hi Miguel, > > Can you explain a bit more? Is this server member of domain or not? If it is > a member of domain, did you open necessary TCP and UDP ports between your > IIS server in DMZ and your active directory? Did you change DNS > configuration (under TCP/IP properties) in IIS server so that it point to > your active directory DNS? > > In user authentication prompt did you try entering > > domain_name\username > > where domain_name is NetBIOS name of your domain and > username is account created in your domain. > > Mike > > "Miguel" <ihaveblint@gmail.com> wrote in message > news:393251a5.0409300707.7a3af05f@posting.google.com... > > Hello all, > > > > I'm having some trouble with getting my IIS server working > > correctly with anonymous users. Current we have an IIS server sitting > > in the DMZ that is not part of the internal Windows domain which needs > > to access Active Directory. To gain access to Active Diretory I've > > changed the Anonymous User Account under IIS to a domain account. > > However this causes one to be prompted to authenticate as soon as you > > try to access the website on the IIS server. For testing purposes I > > added the IIS server to the same domain that it would be accessing and > > I no longer got prompted to authenticate when accessing the website. > > This isn't a NTFS permission problem as far as I can tell since the > > web application resides in a directory giving Everybody permission to > > access it. I read that Log on Locally might be necessary, but after > > giving the domain account (the same that IIS is running as) permission > > to logon locally I still get prompted for authentication. > > > > The desired result is for the standalone IIS server to have access > > to Active Directory without needing any type of authentication by the > > user other than at the application level. > > > > Any ideas on what could be causing anonymous users being prompted > > for Windows authentication? > > > >
In this case, ensure that the anonymous account has at least READ NTFS
permission on the resource. check the log file for more clue. -- Regards, Bernard Cheah http://www.tryiis.com/ http://support.microsoft.com/ http://www.msmvps.com/bernard/ [quoted text, click to view] "Miguel" <ihaveblint@gmail.com> wrote in message news:393251a5.0410010515.3858e4cb@posting.google.com... > Hi Miha, > > The IIS server is not part of a domain. For testing purposes I made > an exception and allowed all traffic from this IIS server to all DCs > to see if this was a firewall issue however that still didn't work. As > mentioned, I only get prompted for Windows Authentication when the IIS > server is not a member of the domain, however if part of the domain > one no longer gets prompted. This alone should rule out any > firewall/network level issues. > The problem isn't that I'm failing to authenticate when prompted, > but rather why I'm being asked to authenticate at all as an anonymous > user. I realize some would wonder why I don't keep my IIS server in > the Domain - I prefer to keep my DMZ servers standalone. > > Thanks for your assistance, > > Miguel > > > "Miha Pihler" <mihap-news@atlantis.si> wrote in message news:<#8Bj0jwpEHA.1300@TK2MSFTNGP12.phx.gbl>... > > Hi Miguel, > > > > Can you explain a bit more? Is this server member of domain or not? If it is > > a member of domain, did you open necessary TCP and UDP ports between your > > IIS server in DMZ and your active directory? Did you change DNS > > configuration (under TCP/IP properties) in IIS server so that it point to > > your active directory DNS? > > > > In user authentication prompt did you try entering > > > > domain_name\username > > > > where domain_name is NetBIOS name of your domain and > > username is account created in your domain. > > > > Mike > > > > "Miguel" <ihaveblint@gmail.com> wrote in message > > news:393251a5.0409300707.7a3af05f@posting.google.com... > > > Hello all, > > > > > > I'm having some trouble with getting my IIS server working > > > correctly with anonymous users. Current we have an IIS server sitting > > > in the DMZ that is not part of the internal Windows domain which needs > > > to access Active Directory. To gain access to Active Diretory I've > > > changed the Anonymous User Account under IIS to a domain account. > > > However this causes one to be prompted to authenticate as soon as you > > > try to access the website on the IIS server. For testing purposes I > > > added the IIS server to the same domain that it would be accessing and > > > I no longer got prompted to authenticate when accessing the website. > > > This isn't a NTFS permission problem as far as I can tell since the > > > web application resides in a directory giving Everybody permission to > > > access it. I read that Log on Locally might be necessary, but after > > > giving the domain account (the same that IIS is running as) permission > > > to logon locally I still get prompted for authentication. > > > > > > The desired result is for the standalone IIS server to have access > > > to Active Directory without needing any type of authentication by the > > > user other than at the application level. > > > > > > Any ideas on what could be causing anonymous users being prompted > > > for Windows authentication? > > > > > > > > > Thanks!
I believe that what is confusing us is that you say you have
the machine standalone, not in the domain, and then you define IIS to use a domain account. This is a contradiction. No domain accounts are available if not in a domain. -- Roger Abell Microsoft MVP (Windows Server System: Security) MCDBA, MCSE W2k3+W2k+Nt4 [quoted text, click to view] "Miguel" <ihaveblint@gmail.com> wrote in message news:393251a5.0409300707.7a3af05f@posting.google.com... > Hello all, > > I'm having some trouble with getting my IIS server working > correctly with anonymous users. Current we have an IIS server sitting > in the DMZ that is not part of the internal Windows domain which needs > to access Active Directory. To gain access to Active Diretory I've > changed the Anonymous User Account under IIS to a domain account. > However this causes one to be prompted to authenticate as soon as you > try to access the website on the IIS server. For testing purposes I > added the IIS server to the same domain that it would be accessing and > I no longer got prompted to authenticate when accessing the website. > This isn't a NTFS permission problem as far as I can tell since the > web application resides in a directory giving Everybody permission to > access it. I read that Log on Locally might be necessary, but after > giving the domain account (the same that IIS is running as) permission > to logon locally I still get prompted for authentication. > > The desired result is for the standalone IIS server to have access > to Active Directory without needing any type of authentication by the > user other than at the application level. > > Any ideas on what could be causing anonymous users being prompted > for Windows authentication? > > > Thanks!
Hi Roger,
yes that might be confusing. Even though I can't browse the domain accounts I manually entered the domain account information into the Anonymous User Account input box. A domain does exist, its just the IIS server is not part of this domain. I know that it is using the domain account because after authenticating through the Windows Authentication window that pops up the rest of the application works correctly. My problem is why does a Windows Authentication window come up in the first place? I'm probably not explaining myself very clearly. Here is a post that my coworker sent to someone who appeared to have dealt with a similar problem. ======================== When I access the web site (remotely) from IE, I receive the "Enter Network Password" dialog box prior to accessing my login.aspx page. The reason for this is because the "Anonymous User Account" IUSR_<servername> is no longer there. Currently a user id (on an active directory machine) is added, who has active directory administrative rights. Since the AD user has no rights on the standalone machine, How am I able to access this standalone web server without authenticating to it first? I would really appreciate your help Thanks in advance Rob ========================= Thanks, Miguel [quoted text, click to view] "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message news:<Od6BKzNqEHA.3712@TK2MSFTNGP15.phx.gbl>...
> I believe that what is confusing us is that you say you have > the machine standalone, not in the domain, and then you > define IIS to use a domain account. This is a contradiction. > No domain accounts are available if not in a domain. > > -- > Roger Abell > Microsoft MVP (Windows Server System: Security) > MCDBA, MCSE W2k3+W2k+Nt4 > "Miguel" <ihaveblint@gmail.com> wrote in message > news:393251a5.0409300707.7a3af05f@posting.google.com... > > Hello all, > > > > I'm having some trouble with getting my IIS server working > > correctly with anonymous users. Current we have an IIS server sitting > > in the DMZ that is not part of the internal Windows domain which needs > > to access Active Directory. To gain access to Active Diretory I've > > changed the Anonymous User Account under IIS to a domain account. > > However this causes one to be prompted to authenticate as soon as you > > try to access the website on the IIS server. For testing purposes I > > added the IIS server to the same domain that it would be accessing and > > I no longer got prompted to authenticate when accessing the website. > > This isn't a NTFS permission problem as far as I can tell since the > > web application resides in a directory giving Everybody permission to > > access it. I read that Log on Locally might be necessary, but after > > giving the domain account (the same that IIS is running as) permission > > to logon locally I still get prompted for authentication. > > > > The desired result is for the standalone IIS server to have access > > to Active Directory without needing any type of authentication by the > > user other than at the application level. > > > > Any ideas on what could be causing anonymous users being prompted > > for Windows authentication? > > > >
Now, I know what you talkin about...
If the standalone server doesn't belong to a Domain, how do you expect it know where to authenticate the user ? -- Regards, Bernard Cheah http://www.tryiis.com/ http://support.microsoft.com/ http://www.msmvps.com/bernard/ [quoted text, click to view] "Miguel" <ihaveblint@gmail.com> wrote in message news:393251a5.0410041001.1af75e11@posting.google.com... > Hi Roger, > > yes that might be confusing. Even though I can't browse the domain > accounts I manually entered the domain account information into the > Anonymous User Account input box. A domain does exist, its just the > IIS server is not part of this domain. I know that it is using the > domain account because after authenticating through the Windows > Authentication window that pops up the rest of the application works > correctly. My problem is why does a Windows Authentication window come > up in the first place? > > I'm probably not explaining myself very clearly. Here is a post > that my coworker sent to someone who appeared to have dealt with a > similar problem. > > ======================== > > When I access the web site (remotely) from IE, I receive the "Enter > Network Password" dialog box prior to accessing my login.aspx page. > > The reason for this is because the "Anonymous User Account" > IUSR_<servername> is no longer there. Currently a user id (on an > active directory machine) is added, who has active directory > administrative rights. > > Since the AD user has no rights on the standalone machine, > How am I able to access this standalone web server without > authenticating to it first? > > I would really appreciate your help > Thanks in advance > Rob > > ========================= > > > > > Thanks, > > Miguel > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message news:<Od6BKzNqEHA.3712@TK2MSFTNGP15.phx.gbl>... > > I believe that what is confusing us is that you say you have > > the machine standalone, not in the domain, and then you > > define IIS to use a domain account. This is a contradiction. > > No domain accounts are available if not in a domain. > > > > -- > > Roger Abell > > Microsoft MVP (Windows Server System: Security) > > MCDBA, MCSE W2k3+W2k+Nt4 > > "Miguel" <ihaveblint@gmail.com> wrote in message > > news:393251a5.0409300707.7a3af05f@posting.google.com... > > > Hello all, > > > > > > I'm having some trouble with getting my IIS server working > > > correctly with anonymous users. Current we have an IIS server sitting > > > in the DMZ that is not part of the internal Windows domain which needs > > > to access Active Directory. To gain access to Active Diretory I've > > > changed the Anonymous User Account under IIS to a domain account. > > > However this causes one to be prompted to authenticate as soon as you > > > try to access the website on the IIS server. For testing purposes I > > > added the IIS server to the same domain that it would be accessing and > > > I no longer got prompted to authenticate when accessing the website. > > > This isn't a NTFS permission problem as far as I can tell since the > > > web application resides in a directory giving Everybody permission to > > > access it. I read that Log on Locally might be necessary, but after > > > giving the domain account (the same that IIS is running as) permission > > > to logon locally I still get prompted for authentication. > > > > > > The desired result is for the standalone IIS server to have access > > > to Active Directory without needing any type of authentication by the > > > user other than at the application level. > > > > > > Any ideas on what could be causing anonymous users being prompted > > > for Windows authentication? > > > > > > > > > Thanks!
Hi Bernard,
What if I explicitly say user@domain.com and provide the correct password for that Domain account? Can't it go off do a lookup on domain.com find the IP addresses of the Active Directory servers (using an internal dns server) and then authenticate against those servers? On a regular basis I will go and access a share on our fileserver from a standalone PC that I'm building, and get prompted for Domain credentials. Upon entering the credentials everything continues along just fine even though the machine I'm accessing the share from isn't part of the Domain. Thanks, Miguel [quoted text, click to view] "Bernard" <qbernard@hotmail.com.discuss> wrote in message news:<#OxeUIoqEHA.3428@TK2MSFTNGP11.phx.gbl>...
> Now, I know what you talkin about... > If the standalone server doesn't belong to a Domain, how do you expect it > know where to authenticate the user ? > > > -- > Regards, > Bernard Cheah > http://www.tryiis.com/ > http://support.microsoft.com/ > http://www.msmvps.com/bernard/ > > > > "Miguel" <ihaveblint@gmail.com> wrote in message > news:393251a5.0410041001.1af75e11@posting.google.com... > > Hi Roger, > > > > yes that might be confusing. Even though I can't browse the domain > > accounts I manually entered the domain account information into the > > Anonymous User Account input box. A domain does exist, its just the > > IIS server is not part of this domain. I know that it is using the > > domain account because after authenticating through the Windows > > Authentication window that pops up the rest of the application works > > correctly. My problem is why does a Windows Authentication window come > > up in the first place? > > > > I'm probably not explaining myself very clearly. Here is a post > > that my coworker sent to someone who appeared to have dealt with a > > similar problem. > > > > ======================== > > > > When I access the web site (remotely) from IE, I receive the "Enter > > Network Password" dialog box prior to accessing my login.aspx page. > > > > The reason for this is because the "Anonymous User Account" > > IUSR_<servername> is no longer there. Currently a user id (on an > > active directory machine) is added, who has active directory > > administrative rights. > > > > Since the AD user has no rights on the standalone machine, > > How am I able to access this standalone web server without > > authenticating to it first? > > > > I would really appreciate your help > > Thanks in advance > > Rob > > > > ========================= > > > > > > > > > > Thanks, > > > > Miguel > > > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message > news:<Od6BKzNqEHA.3712@TK2MSFTNGP15.phx.gbl>... > > > I believe that what is confusing us is that you say you have > > > the machine standalone, not in the domain, and then you > > > define IIS to use a domain account. This is a contradiction. > > > No domain accounts are available if not in a domain. > > > > > > -- > > > Roger Abell > > > Microsoft MVP (Windows Server System: Security) > > > MCDBA, MCSE W2k3+W2k+Nt4 > > > "Miguel" <ihaveblint@gmail.com> wrote in message > > > news:393251a5.0409300707.7a3af05f@posting.google.com... > > > > Hello all, > > > > > > > > I'm having some trouble with getting my IIS server working > > > > correctly with anonymous users. Current we have an IIS server sitting > > > > in the DMZ that is not part of the internal Windows domain which needs > > > > to access Active Directory. To gain access to Active Diretory I've > > > > changed the Anonymous User Account under IIS to a domain account. > > > > However this causes one to be prompted to authenticate as soon as you > > > > try to access the website on the IIS server. For testing purposes I > > > > added the IIS server to the same domain that it would be accessing and > > > > I no longer got prompted to authenticate when accessing the website. > > > > This isn't a NTFS permission problem as far as I can tell since the > > > > web application resides in a directory giving Everybody permission to > > > > access it. I read that Log on Locally might be necessary, but after > > > > giving the domain account (the same that IIS is running as) permission > > > > to logon locally I still get prompted for authentication. > > > > > > > > The desired result is for the standalone IIS server to have access > > > > to Active Directory without needing any type of authentication by the > > > > user other than at the application level. > > > > > > > > Any ideas on what could be causing anonymous users being prompted > > > > for Windows authentication? > > > > > > > >
I don't think this is possible :(
when you try to access the filesvr, you are authentication yourself to the DC of the domain. In the IIS case, a user access the site anonymously and you 'expect' the 'domain account' you specified will know which DC to talk to and etc, I don't think this work the same way as the way you access your filesvr. IIS will not know where to contact the DC, and you can't specify any domain accounts in your file ACLs -- Regards, Bernard Cheah http://www.tryiis.com/ http://support.microsoft.com/ http://www.msmvps.com/bernard/ [quoted text, click to view] "Miguel" <ihaveblint@gmail.com> wrote in message news:393251a5.0410051132.579c2500@posting.google.com... > Hi Bernard, > > What if I explicitly say user@domain.com and provide the correct > password for that Domain account? Can't it go off do a lookup on > domain.com find the IP addresses of the Active Directory servers > (using an internal dns server) and then authenticate against those > servers? On a regular basis I will go and access a share on our > fileserver from a standalone PC that I'm building, and get prompted > for Domain credentials. Upon entering the credentials everything > continues along just fine even though the machine I'm accessing the > share from isn't part of the Domain. > > Thanks, > > Miguel > > > > > "Bernard" <qbernard@hotmail.com.discuss> wrote in message news:<#OxeUIoqEHA.3428@TK2MSFTNGP11.phx.gbl>... > > Now, I know what you talkin about... > > If the standalone server doesn't belong to a Domain, how do you expect it > > know where to authenticate the user ? > > > > > > -- > > Regards, > > Bernard Cheah > > http://www.tryiis.com/ > > http://support.microsoft.com/ > > http://www.msmvps.com/bernard/ > > > > > > > > "Miguel" <ihaveblint@gmail.com> wrote in message > > news:393251a5.0410041001.1af75e11@posting.google.com... > > > Hi Roger, > > > > > > yes that might be confusing. Even though I can't browse the domain > > > accounts I manually entered the domain account information into the > > > Anonymous User Account input box. A domain does exist, its just the > > > IIS server is not part of this domain. I know that it is using the > > > domain account because after authenticating through the Windows > > > Authentication window that pops up the rest of the application works > > > correctly. My problem is why does a Windows Authentication window come > > > up in the first place? > > > > > > I'm probably not explaining myself very clearly. Here is a post > > > that my coworker sent to someone who appeared to have dealt with a > > > similar problem. > > > > > > ======================== > > > > > > When I access the web site (remotely) from IE, I receive the "Enter > > > Network Password" dialog box prior to accessing my login.aspx page. > > > > > > The reason for this is because the "Anonymous User Account" > > > IUSR_<servername> is no longer there. Currently a user id (on an > > > active directory machine) is added, who has active directory > > > administrative rights. > > > > > > Since the AD user has no rights on the standalone machine, > > > How am I able to access this standalone web server without > > > authenticating to it first? > > > > > > I would really appreciate your help > > > Thanks in advance > > > Rob > > > > > > ========================= > > > > > > > > > > > > > > > Thanks, > > > > > > Miguel > > > > > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message > > news:<Od6BKzNqEHA.3712@TK2MSFTNGP15.phx.gbl>... > > > > I believe that what is confusing us is that you say you have > > > > the machine standalone, not in the domain, and then you > > > > define IIS to use a domain account. This is a contradiction. > > > > No domain accounts are available if not in a domain. > > > > > > > > -- > > > > Roger Abell > > > > Microsoft MVP (Windows Server System: Security) > > > > MCDBA, MCSE W2k3+W2k+Nt4 > > > > "Miguel" <ihaveblint@gmail.com> wrote in message > > > > news:393251a5.0409300707.7a3af05f@posting.google.com... > > > > > Hello all, > > > > > > > > > > I'm having some trouble with getting my IIS server working > > > > > correctly with anonymous users. Current we have an IIS server sitting > > > > > in the DMZ that is not part of the internal Windows domain which needs > > > > > to access Active Directory. To gain access to Active Diretory I've > > > > > changed the Anonymous User Account under IIS to a domain account. > > > > > However this causes one to be prompted to authenticate as soon as you > > > > > try to access the website on the IIS server. For testing purposes I > > > > > added the IIS server to the same domain that it would be accessing and > > > > > I no longer got prompted to authenticate when accessing the website. > > > > > This isn't a NTFS permission problem as far as I can tell since the > > > > > web application resides in a directory giving Everybody permission to > > > > > access it. I read that Log on Locally might be necessary, but after > > > > > giving the domain account (the same that IIS is running as) permission > > > > > to logon locally I still get prompted for authentication. > > > > > > > > > > The desired result is for the standalone IIS server to have access > > > > > to Active Directory without needing any type of authentication by the > > > > > user other than at the application level. > > > > > > > > > > Any ideas on what could be causing anonymous users being prompted > > > > > for Windows authentication? > > > > > > > > > > > > > > > Thanks!
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |