How to enable IWA over multiple servers


musosdev

Hi guys.

We've got an intranet application (.net 2.0) which uses Integrated Windows
Authentication to obtain the current logged on user and allow/prevent access
to certain features, etc.

This worked fine with IIS running on the Domain Controller.

However, as our needs have grown, we have created a new Intranet Server
(dedicated to IIS/SQL). This works, but IWA isn't working.

The new server isn't a Domain Controller, and when a user connects to our
intranet, it's automatically trying to authenticate on the Webserver. How do
we get it to authenticate on the Domain Controller instead?

(e.g. I log in as "musoswire", it actually tries to log me in as
"192.168.0.4\musoswire". If I change this when it pops up to
"MYDOMAIN\musoswire" - it works, but we want to keep the automatic
authentication!!)

Thanks for any help/advice,


Dan
 

Steven Cheng[MSFT]

Hello Dan,

From your description, you have an ASP.NET application that uses integrated
windows authentication to authenticate the client users (domain accounts),
you found that the application can gain client domain identity correctly
when the ASP.NET app is hosted on a DC, but not correctly when hosted on a
normal webserver in the domain (intranet), correct?

Based on my experience, the problem behavior you met is likely due to the
logon user account you used to visit the web application and from which
machine you're performing the test. Are you testing the application (visiting
the certain web page in the ASP.NET application) on the local machine (of
the webserver)? If so, are you logged on through a local account on the
webserver rather than a domain user account?

When you try visiting a web application in IIS protected by integrated
windows authentication, the IE browser will send the current client logon
user identity to the server (for the intranet scenario) so that the IIS server can
get it. If you're visiting the web app on the local machine (the webserver), the
current logon session is directly used. If you log on through a local
account such as "web server machine\localuser", then the IIS server will
certainly get the "web server machine\localuser" (rather than the domain
account). On a DC box, it is a bit particular because all the accounts on a DC
are domain accounts (there is no local account on a DC box), so even if you
log on to the DC through a "localuser" account, it is treated as
"domainname\localuser".

Therefore, for your scenario, I suggest you try testing on a remote client
(logged on through a domain account), visit the web application and see the
behavior. I think the integrated windows authentication should work as
expected to get the domain user identity.

If you have anything unclear on this or any other questions, please feel
free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.
 

musosdev

Steven,

Thanks for the mass of info!

I've checked with the system administrator on our domain, and we are using
domain logon, so I'm unsure as to why the credentials aren't being passed.

Here's the flow a user goes through when trying to access the non-DC web
server..

1) Boot up computer and log on as ActiveDirectory username (I'm Joe Bloggs, my
username is jbloggs), so.. UserName: jbloggs, Password: <whatever>, Domain:
MYDOMAIN.

(this validates with our main active directory domain controller, DC1,
192.168.0.1)

2) I double click the "Intranet" icon on my desktop. This loads IE and goes
to 192.168.0.4.

3) It pops up with a Windows Logon dialog, which says...

User name: 192.168.0.4\jbloggs
Password: <whatever>

There's the problem, it's trying to log me in to the domain server as a
member of 192.168.0.4 (the web server), not a member of MYDOMAIN.

If I put my password in, it won't let me in and just pops the Logon box up
again. If I change the information to:

User name: MYDOMAIN\jbloggs
Password: <whatever>

Then it logs me straight in and up pops the Intranet.

The thing is... how do we get it to log in as the Domain User, rather than a
user of the web server? I believe we could make the web server a DC, which
would replicate Active Directory, and everything would work.

But... how can we do it without making the web server a DC?

I hope that's clear... I'm a developer, not a domain admin!

Thanks,


Dan
 

Dominick Baier

Hi,

How are you accessing the web server? Using the machine name - or a fully
qualified DNS name, like server.domain.com?
 

Dominick Baier

OK - that's the reason -

Whenever IE sees a dot in the URL - it does not send the credentials automatically
- try the machine name and see if that works...
 

musosdev

Dominick,

Fair point - the problem was the sysadmin had upgraded it to a DC so we couldn't
really test it.

However, we downgraded it and it *looks* like it's working.

Thanks for your help



Dan
 

Steven Cheng[MSFT]

Hi Dan,

Actually, you can find this setting in your IE browser as below:

** open IE, choose "Tools--->Internet Options..." menu

** select "Security" tab

** click "Custom Level" button

** in the popup "Security Settings" dialog, scroll the scrollbar in the
"Settings" panel to the bottom, you will find the "User Authentication/Logon"
choice; by default it only automatically logs on for the intranet zone.

When you use an IP address, it is computed into a non-intranet zone, which
prevents the automatic logon from happening.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

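The two replies above (Dominick's "dot in the URL" rule and Steven's "automatic logon only in Intranet zone" setting) describe the same mechanism: IE decides a zone for the host, and the Logon setting for that zone decides whether the user's Windows credentials are offered without a prompt. The script below is an added example, not code from the original thread or from Microsoft; it models that decision with the simplified heuristic the thread describes (a host name without dots is Local intranet, an IP literal or dotted name is not unless explicitly listed) and reports why a URL such as http://192.168.0.4/ produces a logon prompt while http://intranetserver/ does not. The policy names, the `intranet_sites` list and the sample URLs are assumptions made for the example; the proxy-bypass rule and the full Local intranet settings are deliberately omitted.

```python
"""Model IE's intranet-zone auto-logon decision (added example, simplified)."""
import ipaddress
from urllib.parse import urlsplit

# Assumed labels for the "User Authentication / Logon" choices the thread mentions.
# "intranet_only" is the IE default; "automatic" would offer credentials to every
# host, which is why it is not the right fix for a dotted intranet URL.
POLICIES = ("automatic", "intranet_only", "prompt", "anonymous")


def host_of(url: str) -> str:
    """Extract the lowercase host part of a URL (scheme optional)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 address literals such as 192.168.0.4."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def zone_for(host: str, intranet_sites=()) -> str:
    """Classify a host as 'intranet' or 'internet'.

    Simplified heuristic from the thread: explicitly listed sites are intranet,
    dotless names are intranet, anything dotted (including IPs) is internet.
    """
    if host in {s.lower() for s in intranet_sites}:
        return "intranet"
    if is_ip_literal(host):
        return "internet"
    return "intranet" if "." not in host else "internet"


def credentials_sent_automatically(url: str, policy: str = "intranet_only",
                                   intranet_sites=()) -> bool:
    """Would IE offer the logged-on user's credentials without prompting?"""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    zone = zone_for(host_of(url), intranet_sites)
    if policy == "automatic":
        return True
    if policy == "intranet_only":
        return zone == "intranet"
    return False  # prompt / anonymous never send credentials silently


def explain(url: str, policy: str = "intranet_only", intranet_sites=()) -> dict:
    """Return the zone, the outcome and the least-privilege remedy if it fails."""
    host = host_of(url)
    zone = zone_for(host, intranet_sites)
    auto = credentials_sent_automatically(url, policy, intranet_sites)
    if auto:
        advice = "no change needed"
    elif is_ip_literal(host):
        advice = "browse to the dotless machine name, or add the address to Local intranet sites"
    elif "." in host:
        advice = "use the dotless machine name, or add the FQDN to Local intranet sites"
    else:
        advice = "zone is intranet; check the Logon setting for that zone"
    return {"host": host, "zone": zone, "auto_logon": auto, "advice": advice}


if __name__ == "__main__":
    # Constructed sample URLs mirroring the thread: IP, NetBIOS name, FQDN.
    for sample in ("http://192.168.0.4/", "http://intranetserver/",
                   "http://server.domain.com/"):
        print(explain(sample))
    # Listing the FQDN in Local intranet sites restores auto-logon without
    # loosening the Logon policy for the whole Internet zone.
    print(explain("http://server.domain.com/", intranet_sites=["server.domain.com"]))
```

The remedy the script recommends is the one the thread converged on: make the intranet server fall into the Local intranet zone (dotless name or an explicit site entry) rather than switching the Logon setting to "automatic", which would hand the user's credentials to any host the browser is pointed at.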