We have an intranet site that uses Windows Authentication (Running on IIS 7.5). Anyone on our domain (let's call it Domain1) can access the intranet using their Windows credentials. However, we recently set up a trust between our parent company's domain (let's call it ParentDomain) and our domain.
However, no one from the ParentDomain domain can access the intranet using their Windows credentials. I'm not sure what sort of configuration I am supposed to do in IIS to allow ParentDomain users to access the intranet site.
If someone could point me in the right direction to get this set up, that would be great!
Thanks.
Related
I have decided to transfer several of my web applications from one virtual server ot another. The way everything works on my current server is pretty bad - everyone has rights for reading and accessing the content of my "applications" folder on the machine, and so does the IIS. I want to organize stuff on the new server, so only IIS can access this folder.
I have installed IIS and the ASP.NET addons on the new server, and forced my test website to Windows Authentication, as all of my websites are configured on the current server. Then, after doing some reading regarding the permissions, I have given full control to the folder that contains my website to the next users: IIS_IUSRS & TestAppPool (which is the Application Pool I have created for my 'Test' application).
For some reason when I try to access the website from another user within the domain, through the browser, it promts for Login Credentials. I would like to understand why my application wont retrieve the permissions I have granted the IIS users upon accessing the website.
not sure if this would help, but can you try changing the app pool's identity to Network Service?
We're setting up an ASP.NET 4.0 website on Windows Server 2008. The site uses Integrated Windows Authentication for authentication. (It does not use ASP.NET authentication or authorization.)
In IIS, we have only Windows Authentication enabled.
When we browse to the site using localhost as the host header, the site works fine. When we browse to it using the FQDN, the site prompts for username/password but doesn't accept the validly entered credentials.
Some items to note:
IE does have Integrated Windows Authentication enabled
The site with FQDN is entered in the Intranet zone in IE
We've tried adding the site to the Trusted sites to no avail
We did change the Identity on the AppPool from ApplicationPoolIndentity to Network Service with no success
We verified that IUSR has read and execute access to the directory and files
We've set NTAuthenticationProviders to both "NTLM" and "Negotiate,NTLM"
What are we missing?
Thanks.
We were informed finally that the server is not on the same domain as we had been led to believe so it couldn't authenticate against Active Directory. (We had been testing with a local account.)
Goal
I am trying to deploy an MVC3 application that requires Windows Authentication (specifically Kerberos) as an Application within an older asp.net Anonymous Authentication Website.
Symptoms
In IIS 7.5 Express on my box it works perfect, obviously. When I deploy it to IIS 7.5 as its own site I get challenged for domain credentials, though none are accepted. When I deploy it as an application I get the custom error page back from the hosting site. To confirm - Kerbtray shows no ticket in either scenario.
Details
Both the Site and the new child Apps run on the same application pool, and the application pool runs as AppPoolIdentity. That built-in IIS app pool account (IIS AppPool\MyAppPoolName) has full Read/Execute permissions down both the Site's and the App's folder trees. No impersonation is used.
Question(s)
Is there anything special I need to do to get NTLM and Kerberos working on an App inside an anonymous auth Site?
If not, any advice on things/places to look would be great - the ApplicationHost.config and the app's web.config files look fine.
EDIT: For clarification, this is all on a corporate network that uses Kerberos extensively for other purposes. "Site" refers to an IIS Website and is distinguished from an "Application" that must be hosted within an IIS Site.
After working on this a bit more, I found the answer:
Nothing special is needed to host a Windows (Kerberos) authenticated IIS App within an Anonymous authenticated IIS Site on IIS 7.5 so long as:
a. Kernel Mode Authentication is On - No SPNs required.
b. The application uses the same App Pool Identity as the hosting parent. Different App Pools and their identities can be used, but this does require further NTFS permissions and is beyond the scope of this particular issue.
The issue with my error was something much more simple yet elusive... the parent Site had a custom set of error pages defined in <HttpErrors> including pages for 401 and 403.
This was the error page returned when the user requested a page from the nested Application because Kerberos sends a 401 first, to challenge the user for credentials and ask/him her to get and provide a Kerberos ticket... but because the parent Site returned a 200 response (the custom error page) the user never got a Kerberos ticket.
With these off, the user is now appropriately getting a Kerberos ticket and falls back to NTLM as by default.
We have IIS 7 running on the Windows 2008 Server which hosts many intranet websites. We want to use windows authentication for the website and its url will be http://pay
So, I add the C:\InetPub\pay folder and bind it to the IIS7.
Disable the Anonymous Authentication mode.
Enable the Windows Authentication mode.
When I access the website http://pay from the other computer, I got the message that
Unauthorized You do not have permission to view this directory or page
using the credentials that you supplied.
So, I go to the Windows Explorer and Add the Local\IUSR account and give access to the folder. But I still got the same error.
Finally, I added Everyone account and give access to the folder. This time, it works and windows authentication is also working well.
What I am afraid is that, does it open the read access to Everyone to the \MyServer\C$\Inetpub\pay folder? It contains the web.config which contains server and users credential and it would be the big security breach.
How can I achieve to use Windows Authentication without giving access to Everyone account?
Thanks in advance.
I believe what you you're looking for is the IIS_IUSRS group which you should give read access to your website folders when using Windows Authentication. The IUSR account you tried would be used in an Anonymous Authentication scenario.
More info on these groups in IIS7 here:
Understanding Built-In User and Group Accounts in IIS 7
I built an INTRANET ASP.NET website for which authentication is set to "integrated windows authentication" and in authorization section of web.config, I have specified the AD groups (domain\groupname) to restrict the access to only to the members of those AD groups. multiple AD groups are specified in web.config (domain1\group1, domain2\group2 etc). now this works fine for users of one domain1 (where it is hosted), but for users of another domain (domain2), they get a prompt to enter their windows credentials and if they enter it, then it works and they can access the site without any problem. but I would like to avoid this login prompt, because I granted access to groups of both domains. why are they getting this prompt and is it possible to suppress it? do I need to configure something in IIS or web.config for it? Thanks in advance.
I believe users in Domain2 can add your website, hosted in Domain1, to their list of Intranet Sites in Internet Explorer->Internet Options->Security->Local Intranet Zone. This zone should automatically log on with the current user name and password. You could make this an AD policy.
I'm not sure that you can do this - I believe that users from outside the hosted domain will always be prompted for credentials with 'integrated' security.
You could probably use forms authentication to handle multiple domains. I am heading down the Windows Indentity Foundation path myself (which I have no desire to learn) so I'd love for someone to tell me I'm wrong about this!