all groups > iis security > december 2006 >
Login not require a domain in IIS hosted site?



Login not require a domain in IIS hosted site? Smokey Grindel
12/9/2006 3:56:19 PM
iis security: I didn't know where this should go so posted it to iis.security also.

I have a site which is Windows authentication based on a domain that has
Active Directory as its backend, on IIS 6 / Win2k3 servers. My site is
published to the internet through ISA Server 2004 SP1. I want the users to
use their internal company login to get to the secured site, but right now
it requires them to enter it in domain\username format. How can I eliminate
the need to have the domain name before the username and assume the internal
domain as the one they will authenticate against? (There is only one domain.)
Thanks!

Re: Login not require a domain in IIS hosted site? David Wang
12/10/2006 4:05:22 AM
Use UPN, and have the users type in:
username@YourCompany.com ??

Users don't have to remember domains, but they can remember the company
they work for...


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//


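The three logon-name forms discussed above (bare username, DOMAIN\username, UPN) can all be mapped onto the single domain the site authenticates against. The following is an added example of that normalisation step as a front end (for instance the logon form on the publishing proxy) might apply it; it is not ISA Server's or IIS's own code. The domain name "CORP" and the suffix "yourcompany.com" are assumed for illustration.

```python
# Added example: normalise a typed logon name onto the one known domain.
# "CORP" and "yourcompany.com" are assumed names, not from the thread.

DEFAULT_DOMAIN = "CORP"
UPN_SUFFIXES = {"yourcompany.com": "CORP"}   # UPN suffix -> NetBIOS domain


def normalize_logon(name, default_domain=DEFAULT_DOMAIN, upn_suffixes=UPN_SUFFIXES):
    """Return (domain, username) for 'user', 'DOMAIN\\user' or 'user@suffix'.

    A bare username is assumed to belong to the default domain. Anything
    that names a different domain or an unknown UPN suffix is rejected
    rather than guessed at, so the site only ever validates against the
    domain it was configured for."""
    name = name.strip()
    if not name:
        raise ValueError("empty logon name")
    if "\\" in name and "@" in name:
        raise ValueError("mixed DOMAIN\\user and UPN forms")
    if "\\" in name:
        domain, _, user = name.partition("\\")
        if not domain or not user or "\\" in user:
            raise ValueError("malformed DOMAIN\\user: %r" % name)
    elif "@" in name:
        user, _, suffix = name.rpartition("@")
        domain = upn_suffixes.get(suffix.lower())
        if not user or "@" in user or domain is None:
            raise ValueError("unknown UPN suffix or malformed UPN: %r" % name)
    else:
        domain, user = default_domain, name
    if domain.upper() != default_domain.upper():
        raise ValueError("domain %r is not the site's domain" % domain)
    return default_domain, user


def to_upn(name, suffix="yourcompany.com"):
    """Rewrite any accepted form as user@suffix, the form David suggests."""
    _, user = normalize_logon(name)
    return "%s@%s" % (user, suffix)


if __name__ == "__main__":
    for typed in ("smokey", "corp\\smokey", "smokey@YourCompany.com"):
        print("%-25s -> %s" % (typed, normalize_logon(typed)))
    for typed in ("OTHER\\smokey", "smokey@evil.example", "CORP\\a\\b"):
        try:
            normalize_logon(typed)
        except ValueError as err:
            print("%-25s -> rejected: %s" % (typed, err))
```

Whichever form the user types, the credentials handed to the domain are the same, which is why the UPN suggestion and the "username only" wish are not really in conflict: the rewrite happens before the domain sees anything.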
Re: Login not require a domain in IIS hosted site? Smokey Grindel
12/10/2006 10:44:10 PM
I don't want to have to use anything but their username...


Re: Login not require a domain in IIS hosted site? Shawn Melton
12/20/2006 8:16:00 PM
My question goes along this route.

If the "intranet" site is within the same domain that the username and
computer is on, why does it even prompt them for authentication? Is there no
way to just automatically use the current computer login credentials?

I have this issue with my SharePoint services site and other miscellaneous
sites.

Is it possible to use anonymous logon but NTFS permissions to get around the
security prompt?

Re: Login not require a domain in IIS hosted site? David Wang
12/21/2006 5:16:56 PM
If you are just interested in getting rid of the login prompt then you
are probably overlooking the system's misconfigurations and simply
trying to get something to work insecurely. If that is the objective,
then use anonymous authentication (i.e. no security).

The relevant security-related questions are:
1. Why should the client automatically broadcast the current computer login
credentials to any server? Suppose that server is rogue -- the client
just compromised your user credentials by giving them to the server.
2. Why should the server automatically trust credentials given by the
client -- who should the server validate against?

If you are getting a login prompt, then it simply means you have not
configured the client/server correctly enough to feel that the
transaction is trusted.

Remember, just because you think the action is trusted does not mean
the computer agrees. Humans are remarkably bad at enforcing security
protocol and good at making leaps of faith; computers are remarkably
bad at determining trust but good at enforcing security protocol.


Not the right way to reason about security or auto-login.

When you configure the server to require authentication, it will prompt
for authentication ALL the time. The question is whether the client
automatically responds with user credentials that meet the server's
demands.

The fact that the intranet site is in the same domain as the username
and computer is irrelevant from a security perspective. All the server
knows is that a client is asking for a secured document, and the server
knows a domain controller to validate user credentials. So, the server
says to the client "halt, prove to me who you are and I will authorize
and give you the document". At which point the client has to provide
some credentials (which may be from the same domain as the server --
irrelevant), and the server takes those credentials and asks the domain
controller if it is valid. If valid, the server returns the document.
If invalid, the server continues saying "halt, prove to me who you are
and I will give you the document".

Nowhere in the entire security protocol does "domain" matter. The
concept of "domain" is only a human organizational concept useful for
authorization (i.e. who can do what). It has no relevance for
authentication (i.e. who you are).


Of course, depending on the authentication protocol, the transmission
of the user credentials and the protocol sequence differ, and some
protocols are not safe for automatically sending user credentials (such as
Basic authentication).

The systems are secure the way they are. If you want to optimize away
the user login prompts, then those are secondary tasks.


This request does not make sense. The security prompt indicates a real
security misconfiguration on the server. How does one fabricate an
arbitrary NT user token out of an anonymous logon to pass NTFS
permissions? If this worked, then what would stop me from impersonating
you or the administrator on the server?


If you can describe your customized situation as well as network
configuration further, then maybe someone can help. I can only say that
when I set up Sharepoint sites, by default it works without requiring
login prompts from my computers using my local login of a domain
account.



//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//


Re: Login not require a domain in IIS hosted site? Shawn Melton
12/22/2006 5:09:01 AM
I have my SharePoint site configured with Anonymous access disabled and
Integrated Windows authentication enabled.

If I allow anonymous access and take off Integrated authentication, then the
user access I specify in each SharePoint site would work like NTFS
permissions?

One catch: I do have field personnel that can connect to the subnet where my
SharePoint is, but their computers are not on the domain. So they log in to
their computers with a workgroup account. How would this affect them?

Re: Login not require a domain in IIS hosted site? David Wang
12/22/2006 8:56:34 AM
I don't understand what you are asking.

If you allow only anonymous authentication, how would it work like NTFS
permissions? Anonymous authentication means only the configured
anonymous user is used to access resources on the server no matter the
remote user.

A field worker's workgroup account is the same as an unknown user, so
they'd get prompted with Integrated Authentication, or be treated as the
configured anonymous user with Anonymous authentication. But your field
personnel's computers can be in the domain, take cached copies of the
domain credentials with them (automatically by Windows), and have
auto-login with Integrated Authentication work just fine even when the
field personnel are disconnected from the domain.

So, I'm confused by your auto-login/prompt issues. They shouldn't exist
given proper configuration.


//David





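David's description of the handshake (the server challenges every request for a secured document, and the only question is whether the client answers automatically) and his later point about anonymous access and workgroup clients can be put side by side in one small model. The following is an added example, not code from the thread or from IIS. The AuthFlags bit values are the IIS 6 metabase ones; the anonymous account name, the intranet-zone rule and the sample host names are assumptions for illustration, not IIS or Internet Explorer internals.

```python
# Added example: a model of the IIS 6 / browser authentication exchange.
# AuthFlags bits are the IIS 6 metabase values; ANONYMOUS_ACCOUNT,
# INTRANET_SUFFIXES and the hosts below are assumed for illustration.

AUTH_ANONYMOUS = 1   # IIS 6 metabase AuthFlags bits
AUTH_BASIC = 2
AUTH_NTLM = 4        # Integrated Windows authentication (Negotiate/NTLM)

ANONYMOUS_ACCOUNT = "IUSR_WEB01"          # assumed anonymous account name
INTRANET_SUFFIXES = (".corp.example",)     # assumed intranet DNS suffix


def server_challenge(auth_flags):
    """Return (status, headers, identity) for an unauthenticated request.

    With anonymous access enabled the request runs as the configured
    anonymous account no matter who the remote user is, so per-user NTFS or
    SharePoint permissions cannot tell callers apart. Otherwise the server
    answers 401 with one WWW-Authenticate header per enabled scheme."""
    if auth_flags & AUTH_ANONYMOUS:
        return 200, [], ANONYMOUS_ACCOUNT
    headers = []
    if auth_flags & AUTH_NTLM:
        headers += ["WWW-Authenticate: Negotiate", "WWW-Authenticate: NTLM"]
    if auth_flags & AUTH_BASIC:
        headers.append('WWW-Authenticate: Basic realm="intranet"')
    return 401, headers, None


def parse_schemes(headers):
    """Scheme names offered in WWW-Authenticate headers, in server order."""
    schemes = []
    for header in headers:
        name, _, value = header.partition(":")
        if name.strip().lower() == "www-authenticate":
            schemes.append(value.strip().split(" ", 1)[0])
    return schemes


def in_intranet_zone(host):
    """Simplified Local Intranet rule: dotless names or a known suffix."""
    host = host.lower()
    return "." not in host or host.endswith(INTRANET_SUFFIXES)


def client_decision(host, schemes, has_domain_logon, https=False):
    """How the client answers a challenge: ('auto', scheme) answers silently
    with the logged-on user's credentials, ('prompt', scheme) shows a login
    box, ('refuse', scheme) sends nothing.

    Only Negotiate/NTLM are auto-answered, and only for intranet hosts, so a
    rogue server elsewhere never receives the user's credentials unasked.
    Basic carries the password itself: it is never auto-sent, and this model
    refuses it outright without TLS (stricter than a real browser)."""
    integrated = [s for s in ("Negotiate", "NTLM") if s in schemes]
    if integrated:
        if has_domain_logon and in_intranet_zone(host):
            return "auto", integrated[0]
        return "prompt", integrated[0]   # workgroup logon or foreign host
    if "Basic" in schemes:
        return ("prompt" if https else "refuse"), "Basic"
    return "refuse", None


def simulate(auth_flags, host, has_domain_logon, https=False):
    """One round trip: what the user experiences for a given server setup."""
    status, headers, identity = server_challenge(auth_flags)
    if status == 200:
        return "anonymous", identity
    return client_decision(host, parse_schemes(headers), has_domain_logon, https)


if __name__ == "__main__":
    cases = [
        (AUTH_NTLM, "sharepoint", True),            # domain PC, intranet site
        (AUTH_NTLM, "sharepoint", False),           # field laptop, workgroup logon
        (AUTH_NTLM, "www.example.org", True),       # same credentials, foreign host
        (AUTH_BASIC, "sharepoint", True),           # Basic without TLS
        (AUTH_ANONYMOUS | AUTH_NTLM, "sharepoint", False),  # anonymous is tried first
    ]
    for flags, host, domain_logon in cases:
        print(flags, host, domain_logon, "->", simulate(flags, host, domain_logon))
```

The two cases that answer the thread are the second and the last: a workgroup logon has no domain credentials to offer, so the prompt is the correct outcome, and with anonymous access enabled the identity the server sees is the anonymous account, whatever the user's own permissions are.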