IIS 6 <domain>\<user> vs <user>@<domain>

"Nicky Laurent" <NickyLaur***@discussions.microsoft.com> wrote in message news:6AC7B9A3-690D-4D8E-AEE4-BBB7E5AF2722@microsoft.com...

When migrating a web application to a new hosting company, we have run into problems with the user authentication against AD. All users are in AD, and some users can log on with <domain>\<user>; others, on the other hand, get access denied. The users that do get an access denied can log on to the system using <user>@<domain>. We are using integrated Windows authentication to authenticate the users. This is an extranet application and all the users are logging on through the internet.

At the old server and hosting location everybody can log in with <domain>\<user>.

Does anybody have any ideas? Basic authentication is out of the question, even though this works.

"Ken Schaefer" wrote:

A couple of things:

In AD, verify what the user's sAMAccountName property is. This is what's needed for Domain\User syntax. user@domain depends on what the UPN property is set to. Neither is strictly related to the user's name. I realise that this may be barking up the wrong tree, but we need to figure out why it's breaking.

Next thing - NTLM doesn't work through a lot of forward proxies. If you use SSL - then the proxy shouldn't try to reproxy the data. Does everything start working if you use HTTPS instead of HTTP?

Lastly, can you post the offending IIS log file entries? In particular, we need to see the HTTP status, substatus and Win32 values. Additionally, enable "Logon failure auditing" on the server, and look in the server's security event log for an event that details why the user's logon failed.

Cheers
Ken

"Nicky Laurent" wrote:

Hi Ken,

Thanks for your reply. I verified that the sAMAccountName was correct; nothing wrong there. I did not try anything else, as the next day everything was working and I did not touch anything. So either our server hosting company changed something or this was a propagation issue.

Again, thanks for your help, Ken.

KR
Nicky
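
The IIS log check Ken asks for in the thread above, as an added example that is not part of the original posts: a Python script that reads W3C extended log lines using the #Fields directive and counts 401 responses by HTTP status.substatus, Win32 status and client IP. The sample log lines, IP addresses, user name and path are constructed for illustration.

```python
from collections import Counter

# Win32 codes a failed logon commonly leaves in sc-win32-status (winerror.h).
WIN32 = {
    5: "ERROR_ACCESS_DENIED",
    1326: "ERROR_LOGON_FAILURE",
    1330: "ERROR_PASSWORD_EXPIRED",
    1331: "ERROR_ACCOUNT_DISABLED",
    1909: "ERROR_ACCOUNT_LOCKED_OUT",
}

def parse_w3c(lines):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def auth_failures(lines):
    """Count 401 responses by (status.substatus, Win32 code, client IP)."""
    counts = Counter()
    for row in parse_w3c(lines):
        if row.get("sc-status") != "401":
            continue
        code = int(row.get("sc-win32-status", "0"))
        key = (f"401.{row.get('sc-substatus', '?')}",
               WIN32.get(code, str(code)),  # unknown codes stay numeric
               row.get("c-ip", "-"))
        counts[key] += 1
    return counts

# Constructed sample log (documentation-range IPs, hypothetical path and user).
SAMPLE = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-substatus sc-win32-status
2008-03-04 09:12:01 198.51.100.7 - GET /app/default.aspx 401 2 2148074254
2008-03-04 09:12:01 198.51.100.7 - GET /app/default.aspx 401 1 1326
2008-03-04 09:12:05 198.51.100.7 - GET /app/default.aspx 401 1 1326
2008-03-04 09:13:40 203.0.113.20 EXAMPLE\\jdoe GET /app/default.aspx 200 0 0
""".splitlines()

if __name__ == "__main__":
    for (status, win32, ip), n in auth_failures(SAMPLE).most_common():
        print(f"{n:3d}  {status}  {win32:<24}  {ip}")
```

The timestamps and client IPs of the 401 rows can then be matched against the logon failure events in the server's security event log.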