Web App using integrated Active Directory Authentication

I have a parent/child domain configuration on corporate LAN. I am also running an Intranet webapp the employees from the parent domain log on to using their Active Directory credentials for authentication.

I recently added a child domain of the parent domain. The child domain is located offsite. I want users in the child domain to be able to log on to our company's Intranet site using their Active Directory credentials from the child domain's DC.

IIS right now is configured to assume all users are logging on from the parent domain so parent domain users do not have to log on to the Intranet site using:

mydomain/username

as their username. Is it possible to configure IIS to allow child and parent domain users to log on w/o using the method mentioned above? Can I tell IIS to assume either domain?

Hi,
this really depends on what authentication mechanism IIS is using. I'm assuming you are using Basic or Digest Authentication, and specifying the default domain/realm. There is an option to allow IIS 6.0 (and earlier) to specify all trusted domains, but there is an issue using that, so it was removed from IIS.

If you are using Windows Integrated Authentication, then there is nothing you can do - users will need to use domain\username

Cheers
Ken

"Andrew" <And***@discussions.microsoft.com> wrote in message news:A1F0E3A2-50AF-49FE-8DEC-B5619FF73396@microsoft.com...
> I have a parent/child domain configuration on corporate LAN. I am also running an Intranet webapp the employees from the parent domain log on to using their Active Directory credentials for authentication.
>
> I recently added a child domain of the parent domain. The child domain is located offsite. I want users in the child domain to be able to log on to our company's Intranet site using their Active Directory credentials from the child domain's DC.
>
> IIS right now is configured to assume all users are logging on from the parent domain so parent domain users do not have to log on to the Intranet site using:
>
> mydomain/username
>
> as their username. Is it possible to configure IIS to allow child and parent domain users to log on w/o using the method mentioned above? Can I tell IIS to assume either domain?

On Nov 25, 7:59 pm, Andrew <And***@discussions.microsoft.com> wrote:
> I have a parent/child domain configuration on corporate LAN. I am also running an Intranet webapp the employees from the parent domain log on to using their Active Directory credentials for authentication.
>
> I recently added a child domain of the parent domain. The child domain is located offsite. I want users in the child domain to be able to log on to our company's Intranet site using their Active Directory credentials from the child domain's DC.
>
> IIS right now is configured to assume all users are logging on from the parent domain so parent domain users do not have to log on to the Intranet site using:
>
> mydomain/username
>
> as their username. Is it possible to configure IIS to allow child and parent domain users to log on w/o using the method mentioned above? Can I tell IIS to assume either domain?

As Ken said, it sounds like you are using Basic or Digest AuthN. Why not just use integrated auth? Everything will work fine if you do :)

Dave

On 11/25/08 10:59 PM, in article
A1F0E3A2-50AF-49FE-8DEC-B5619FF73***@microsoft.com, "Andrew" <And***@discussions.microsoft.com> wrote:
> I have a parent/child domain configuration on corporate LAN. I am also running an Intranet webapp the employees from the parent domain log on to using their Active Directory credentials for authentication.
>
> I recently added a child domain of the parent domain. The child domain is located offsite. I want users in the child domain to be able to log on to our company's Intranet site using their Active Directory credentials from the child domain's DC.
>
> IIS right now is configured to assume all users are logging on from the parent domain so parent domain users do not have to log on to the Intranet site using:
>
> mydomain/username
>
> as their username. Is it possible to configure IIS to allow child and parent domain users to log on w/o using the method mentioned above? Can I tell IIS to assume either domain?

If you configure IIS to use "Integrated Windows authentication", and the users are logged into their workstations using their child-domain\username account, then IIS should be able to transparently retrieve that username without ever prompting the user to enter credentials, and automatically authenticate the user.

You may have issues if your web application is accessing network resources external to your IIS server, but if everything is local to your IIS you should be ok (external MS SQL server databases are usually fine if you connect to them using a "standard" SQL login).

On Nov 25, 10:59 pm, Andrew <And***@discussions.microsoft.com> wrote:
> I have a parent/child domain configuration on corporate LAN. I am also running an Intranet webapp the employees from the parent domain log on to using their Active Directory credentials for authentication.
>
> I recently added a child domain of the parent domain. The child domain is located offsite. I want users in the child domain to be able to log on to our company's Intranet site using their Active Directory credentials from the child domain's DC.
>
> IIS right now is configured to assume all users are logging on from the parent domain so parent domain users do not have to log on to the Intranet site using:
>
> mydomain/username
>
> as their username. Is it possible to configure IIS to allow child and parent domain users to log on w/o using the method mentioned above? Can I tell IIS to assume either domain?

Why don't you just use Integrated Authentication and stop worrying about this issue?

Is your requirement that all users must authenticate to access this web application, but you want people in different domains to authenticate with just their username and no domain? If so, then your requirement is the problem because it is conflicting. There is nothing wrong with IIS, AD, etc.

The reason your requirement is conflicting is easy. Suppose different people named "David" are in both domains -- which domain takes precedence on the application? Furthermore, assume two other people named "Michael" in both domains but you want the OPPOSITE precedence as for "David". Now, your requirement is toast -- completely conflicting requirements -- and it is certainly possible and you have no way to control it. This means that your requirement is conflicting and cannot be reasonably implemented to survive over time.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
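
The collision argument in the last reply, as an added example that is not part of the original thread: a small Python model of bare-username resolution against a constructed two-domain directory. The domain names PARENT and CHILD, the accounts, and every function name are assumptions made for illustration; this models the reasoning, not IIS internals.

```python
# Constructed directory: NetBIOS domain name -> account names in that domain.
DIRECTORY = {
    "PARENT": {"david", "michael", "andrew"},
    "CHILD": {"david", "michael", "ken"},
}

def parse_logon(name):
    """Split a logon string into (domain or None, user)."""
    for sep in ("\\", "/"):   # domain\username, and the thread's mydomain/username
        if sep in name:
            domain, user = name.split(sep, 1)
            return domain.upper(), user.lower()
    return None, name.lower()

def resolve_default_domain(name, default_domain):
    """Single default domain: a bare name is only ever tried in that domain."""
    domain, user = parse_logon(name)
    domain = domain or default_domain
    return (domain, user) if user in DIRECTORY.get(domain, ()) else None

def resolve_any_domain(name, search_order):
    """The behaviour asked for: try every domain for a bare name.
    Returns (match, candidates); match is None when the name cannot be
    resolved to exactly one account."""
    domain, user = parse_logon(name)
    if domain:
        return resolve_default_domain(name, domain), []
    candidates = [d for d in search_order if user in DIRECTORY.get(d, ())]
    if len(candidates) == 1:
        return (candidates[0], user), candidates
    return None, candidates   # no hit, or a collision: refuse to guess

def colliding_names():
    """Audit view: account names that exist in more than one domain."""
    seen = {}
    for domain, users in DIRECTORY.items():
        for user in users:
            seen.setdefault(user, []).append(domain)
    return {u: sorted(d) for u, d in seen.items() if len(d) > 1}

if __name__ == "__main__":
    print(resolve_default_domain("ken", "PARENT"))         # child user, bare name
    print(resolve_any_domain("david", ["PARENT", "CHILD"]))
    print(colliding_names())
```

Picking the first domain in `search_order` instead of refusing would silently bind a bare "david" to whichever domain is listed first, which is the precedence problem the reply describes.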