iis security : what difference between Integrated Windows Authentication in IIS configuration and Active Directory


dyw55a NO[at]SPAM yahoo.com
1/25/2005 11:58:08 AM
What is the difference between Integrated Windows Authentication in the IIS
configuration and Active Directory authentication?

thanks
Tom Kaminski [MVP]
1/25/2005 3:01:02 PM
There's essentially no difference.

Di
1/25/2005 7:13:08 PM
Thank you for the reply. But I really feel that they are different. We
had a machine which is not in AD. I could not validate the username and
password through AD on this machine, but I could use Integrated Windows
Authentication. BTW, my username is the same on this machine and in AD,
but the passwords are different. Any thoughts?

thanks

Tom Kaminski [MVP]
1/26/2005 10:35:28 AM
If the server is not a member of the domain, then of course you can't
authenticate against the domain AD. In that case you can only use accounts
local to the server.

Di
1/26/2005 10:57:53 AM
If the server is not a member of the domain, I have the same username
for this server domain and AD. Then I could pass Integrated
Windows Authentication on this server. So Integrated Windows
Authentication is different from AD, right?


Tom Kaminski [MVP]
1/27/2005 8:47:48 AM
Ken - thanks for stepping in and giving a better explanation! : )

Ken Schaefer
1/27/2005 10:10:14 PM
Integrated Windows Authentication (IWA) refers to either NTLM authentication
or Kerberos authentication. When that field is checked, then IIS sends back:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

HTTP headers to the client. The client chooses which of the two it would
like to use (Negotiate = Kerberos). If the IIS box is not in a domain -or-
you have manually edited the metabase to change IIS behaviour, then
Negotiate will not be sent to the client.

AD authentication just means authenticating users against Active Directory.
That has nothing to do, per se, with Integrated Windows Authentication. IWA
involves determining the authentication mechanism for sending the credentials
from the client machine to IIS, *not* where the user's credentials will be
authenticated. For example, you can use Basic authentication and still
check the user's name/password against Active Directory. So IWA and Basic are
just different ways of having the client send the username/password to the
server.

For more information see:
http://www.adopenstatic.com/resources/books/293_CYA_IIS6_05.pdf

Cheers
Ken


Di
1/28/2005 11:07:58 AM
Ken - Thank you very much for your reply.

Could I make the following conclusion?

1. If the web server (Windows 2000) is in the same domain as Active
Directory, then you use IWA to authenticate the username/password and
domain, and that is actually using AD, right?
2. If the web server is in a different domain from AD, then using IWA
means you authenticate the username/password and domain through
whatever domain the web server is located in, and you could not really use AD,
right?

Again, thanks a lot for all your help.
Di
1/29/2005 8:27:52 PM
Again, Ken - thanks for your reply.

No - IWA is just a way of getting the credentials from client (eg browser)
to server (IIS)

If user enters Domain\Username then you will attempt to authenticate against
AD
If user enters Machine\Username then you will attempt to authenticate
against the local accounts database on IIS

Di: What happens if you only let the user enter the username instead of Domain
or Machine before the username? I assume that when you check IWA, it
automatically attempts to authenticate against AD. If that fails, then it
authenticates against the database on IIS, right?

I'm not sure I understand what you are saying here. Are you talking about an
NT domain? All other domains (Windows 2000, Windows 2003) involve Active
Directory. You can't have a Windows 2000/2003 domain without AD. If you have
an NT domain -and- you have a trust relationship between the NT domain and
AD domain, then you can use ADDomain\User or NTDomain\User

Di: Does a Windows 2000 web server have to involve AD? I am sorry that
this must happen and it could not exist in some domain outside of AD
... ...

BTW, do you know what schema AD has and what the detailed size or data
type is for those AD attributes, such as First Name, Last Name, phone
number, etc.? How hard is it to run complex queries based on AD?
Thank you very much for your help!
Ken Schaefer
1/29/2005 10:51:57 PM

No - IWA is just a way of getting the credentials from client (eg browser)
to server (IIS)

If user enters Domain\Username then you will attempt to authenticate against
AD
If user enters Machine\Username then you will attempt to authenticate
against the local accounts database on IIS

I'm not sure I understand what you are saying here. Are you talking about an
NT domain? All other domains (Windows 2000, Windows 2003) involve Active
Directory. You can't have a Windows 2000/2003 domain without AD. If you have
an NT domain -and- you have a trust relationship between the NT domain and
AD domain, then you can use ADDomain\User or NTDomain\User

Cheers
Ken
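Ken's two points in this thread (the 401 challenge IIS sends with IWA enabled, and the separate question of whether a Domain\User or Machine\User credential is validated against AD or the server's local account database) are modelled together in the following example. It is an added illustration, not code from the thread or from IIS: the server name WEB01, the domain names CORP and corp.example, the user names, the `providers` tuple standing in for the metabase NTAuthenticationProviders list, and the `default_logon_domain` parameter for an unqualified user name are all assumptions made for the example.

```python
import base64

# Scheme names exactly as they appear in WWW-Authenticate challenges.
NEGOTIATE, NTLM, BASIC = "Negotiate", "NTLM", "Basic"


def challenge_headers(iwa_enabled, basic_enabled, domain_joined,
                      providers=(NEGOTIATE, NTLM), realm="example.local"):
    """Model the 401 challenge IIS returns for a given configuration.

    `providers` stands in for the metabase NTAuthenticationProviders list
    (assumed default order: Negotiate then NTLM).  A server that is not a
    domain member cannot do Kerberos, so Negotiate is not advertised, which
    is the behaviour Ken describes.  Returns (header-name, value) pairs.
    """
    headers = []
    if iwa_enabled:
        for scheme in providers:
            if scheme == NEGOTIATE and not domain_joined:
                continue
            headers.append(("WWW-Authenticate", scheme))
    if basic_enabled:
        headers.append(("WWW-Authenticate", f'{BASIC} realm="{realm}"'))
    return headers


def offered_schemes(headers):
    """Client side: the scheme names offered in the challenge headers."""
    return [value.split(None, 1)[0]
            for name, value in headers
            if name.lower() == "www-authenticate"]


def choose_scheme(headers, preference=(NEGOTIATE, NTLM, BASIC)):
    """Pick the first scheme in the client's preference order that the
    server offered; None means the two sides have nothing in common."""
    offered = offered_schemes(headers)
    for scheme in preference:
        if scheme in offered:
            return scheme
    return None


def encode_basic(user, password):
    """Build the Basic Authorization value: base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"{BASIC} {token}"


def decode_basic(authorization_value):
    """Recover (user, password) from a Basic Authorization value."""
    scheme, _, token = authorization_value.partition(" ")
    if scheme != BASIC:
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def split_account(name):
    """Split a typed account into (authority, user).

    DOMAIN\\user and MACHINE\\user are the down-level form, user@domain the
    UPN form.  A bare name carries no authority and returns (None, name).
    """
    if "\\" in name:
        authority, user = name.split("\\", 1)
        return authority, user
    if "@" in name:
        user, authority = name.rsplit("@", 1)
        return authority, user
    return None, name


def validating_authority(account, machine_name, ad_domain_names=(),
                         default_logon_domain=None):
    """Where the credential is validated, independent of how it arrived.

    Ken's rule: Domain\\User goes to AD, Machine\\User (or .\\User) goes to
    the server's local account database (SAM).  Any other domain needs a
    trust.  Returns (authority-kind, user).
    """
    authority, user = split_account(account)
    if authority is None:
        # Assumption for this example: an unqualified name is resolved via the
        # server's configured default logon domain, falling back to the
        # machine itself.  The thread does not settle this case.
        authority = default_logon_domain or machine_name
    key = authority.lower()
    if key in (".", machine_name.lower()):
        return "local SAM", user
    if key in {d.lower() for d in ad_domain_names}:
        return "Active Directory", user
    return "other domain (needs a trust)", user


if __name__ == "__main__":
    # Constructed scenarios: a domain member and Di's standalone box.
    for joined in (True, False):
        hdrs = challenge_headers(True, False, domain_joined=joined)
        print("member" if joined else "standalone", offered_schemes(hdrs),
              "->", choose_scheme(hdrs))
    # Transport and authority are separate: the same Domain\\User inside a
    # Basic credential still lands at AD.
    user, _ = decode_basic(encode_basic("CORP\\di", "s3cret"))
    print(user, "->", validating_authority(user, "WEB01", ("CORP", "corp.example")))
    print("WEB01\\di ->", validating_authority("WEB01\\di", "WEB01", ()))
```

The standalone case reproduces what Di saw: WEB01\di succeeds against the local SAM with whatever password that local account has, while CORP\di on the same box cannot reach AD at all.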
