Stu Carter
Hi,
ENV: Windows 2003 Server SP1, IIS6, .Net 1.1
I'd like to know why the authentication and delegation differs when
accessing a web site using the Fully Qualified Domain Name as opposed to
'localhost'.
We have an ASP.Net application which has only 'Integrated authentication'
enabled on the virtual directory. The ASP.Net application accesses a remote
resource on behalf of the authenticated user.
The authentication and impersonation modes are:
<authentication mode="Windows" />
<identity impersonate="true" />
I test this with 3 authentication scenarios (IE running on the IIS server in
every one).
1) I connect to the app using http://localhost/MyApp, everything is fine and
the remote resource is accessible.
2) I specify the FQDN - http://mybox.domain.local/MyApp and I am prompted
for credentials. Now, I know that this is because IE thinks I am outside
the intranet zone - fair enough. The thing I don't understand is that
although my credentials are accepted, subsequent access to the remote
resource is denied ('Access denied' error).
3) So I thought - OK, must be something to do with basic authentication
then. So I reconfigured the Virtual directory to have only 'Basic
Authentication' expecting the same result. I was surprised at the outcome -
using either localhost or the FQDN worked. The web app could access the
remote resource on my behalf.
My question is - what is the difference between scenario 2 and 3?
I am thinking that in scenario 2, IE is falling back to 'Basic
Authentication'? If that is the case, then scenario 3 should not work
either.
So, is scenario 2 actually 'Basic authentication', but not allowing
delegation because it thinks I am not on the Intranet?!!
I'd appreciate
<authentication mode="Windows" />
<identity impersonate="true" />
Thanks,
Stuart
NB. To reproduce - the simple scenario is two servers:
Web Server - ASP.Net app reading a file off of a share on the file
server.
File Server