A little help (kerberos, netbios, and SPN... oh my!)

"Craig Carrigan" <cr***@userfriendlyhhi.com> wrote in message news:46a1ae9259f88c8678b28b7813c@news.giganews.com...

I have a custom intranet that I have set up for our company. The access is secured using IWA and when the site is accessed by server name (QSERVER\internal) the domain user's credentials are passed automatically and everything is fine. This is good because we don't want internal users (people who are part of our domain) to have to enter a user/pass.

However, one of the integrated ASP apps won't let us use an internal name because this intranet needs to be more of an extranet, so we have to use the FQDN. Our domains aren't the same (.local for the QSERVER and a .com for the FQDN). I've run "setspn -a host/www.oursite.com QSERVER", which I thought would allow requests from this host header to be passed with IWA, but it doesn't work.

Our goal is to have ALL of our users, whether they are inside the office or outside, use the same website address: http://www.oursite.com/internal, but the internal users should not have to enter a password, and all external users MUST enter one. Any suggestions?

Server 2003
IIS6
web server is a DC

Thanks!

C

Reply (the poster Craig addresses as "Consultant"):

Set the site to Windows integrated authentication; this will allow the local users' credentials to pass to the site. The outside users' credentials will not pass through, because they are not logged into the domain and are outside the firewall, assuming you are behind one. This will result in a login prompt; the only problem is they must supply the domain, username and password, unlike basic authentication, where you can supply the domain for them. Also remember, if you are not using SSL, these credentials, from the outside, will be passed in clear text.

Craig Carrigan replied:

Hello Consultant,

I'm sorry I wasn't more clear. When I referenced IWA, I was saying that the site IS using integrated Windows auth. However, from outside using a non-NETBIOS name (FQDN) the password isn't accepted. Thanks for your help!

Craig

"Craig Carrigan" <cr***@userfriendlyhhi.com> wrote in message news:46a1ae925f5b8c868463e11f41d@news.giganews.com...

I take that back, that isn't exact. When www.site.com is used with IWA enabled, instead of the NetBIOS name, I am prompted for a U/P. When the NetBIOS name is used there is no U/P prompted. (This is all on the internal network.) I need to be able to use the public site name on the internal network and not get prompted for a password. Externally, since there is no connection for Kerberos, I'm sure it will fail over to NTLM and ask for a U/P. But why does the NetBIOS name work and authenticate but the full website name does not?

Consultant replied:

Well, Internet Explorer sees the FQDN as a non-trusted Internet site and won't pass the credentials. Try adding the FQDN as a trusted site; this should allow the credentials to be passed.

"Craig Carrigan" <cr***@userfriendlyhhi.com> wrote in message news:46a1ae9261c28c868de7b273470@news.giganews.com...

Hello Consultant,

I added the site to IE's trusted list and tried the portion that has IWA enabled and it still asks for a U/P. Any other hints or tips?

Ken replied:

Hi,

Add it to the Intranet zone, not Trusted Sites. See: http://support.microsoft.com/?id=258063

You will also be prompted if automatic logon fails because:
a) the currently logged on user does not have access
b) the configured authentication mechanism is failing (e.g. you are using Kerberos and you can't access the DC, or you are using NTLM but you are going through a proxy server, or HTTP Keep-Alives are not enabled)

Cheers
Ken

Craig Carrigan replied:

Hello Ken,

Thanks Ken. I was able to get it working with Intranet sites. The issue was that I was using a HOSTS file to map the domain that will be used in the future, and it did not seem to like that. I have since used DNS to change the name properly and it all functions. Thanks for all of your help everyone.

Craig
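The two things the thread turns on are IE's zone rule (a dotless NetBIOS name is Local Intranet automatically, an FQDN is Internet unless mapped, and only the Intranet zone gets silent logon by default) and whether the SPN the browser asks for (HTTP/<host from the URL>) is registered on the server, where the OP's host/www.oursite.com SPN counts because HOST stands in for HTTP. This added example (not code from the thread) models both checks in Python; the setspn -L output, the DN corp.local and the zone numbers 1/2/3 for Local Intranet/Trusted Sites/Internet are constructed or assumed values.

```python
"""Predict whether IE will send domain credentials silently to a given URL
and whether Kerberos can be used for it.  Added example, not code from the
thread: zone rule and HOST-covers-HTTP SPN matching are documented
IE/Kerberos behaviour; the sample data below is constructed."""
from urllib.parse import urlsplit

LOCAL_INTRANET, TRUSTED_SITES, INTERNET = 1, 2, 3  # IE zone numbers (assumed)

# Constructed "setspn -L QSERVER" output after the OP's "setspn -a" command.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=QSERVER,OU=Domain Controllers,DC=corp,DC=local:
    HOST/QSERVER
    HOST/qserver.corp.local
    host/www.oursite.com
    ldap/qserver.corp.local
"""

# Service classes the HOST SPN class stands in for (subset of the default
# sPNMappings alias list); "http" is the one IIS needs.
HOST_ALIASES = {"http", "host"}


def parse_setspn(text):
    """Return {(service_class, name)} from setspn -L output, lower-cased."""
    spns = set()
    for line in text.splitlines():
        line = line.strip()
        if "/" in line and not line.startswith("Registered"):
            svc, _, name = line.partition("/")
            spns.add((svc.lower(), name.lower()))
    return spns


def browser_spn(url):
    """IE requests a ticket for HTTP/<host as typed in the URL>."""
    return ("http", urlsplit(url).hostname.lower())


def spn_is_covered(target, registered):
    """True if an explicit SPN or a HOST/ SPN for the same name exists."""
    svc, name = target
    for rsvc, rname in registered:
        if rname == name and (rsvc == svc or (rsvc == "host" and svc in HOST_ALIASES)):
            return True
    return False


def ie_zone(host, zonemap):
    """Dotless names are Local Intranet; FQDNs default to Internet unless the
    user/admin mapped them (Internet Options or the ZoneMap registry key)."""
    host = host.lower()
    return LOCAL_INTRANET if "." not in host else zonemap.get(host, INTERNET)


def diagnose(url, zonemap, setspn_text):
    """Assumes the default 'Automatic logon only in Intranet zone' policy,
    which is why Trusted Sites did not help the OP but Local Intranet did.
    A missing SPN does not itself force a prompt: Negotiate falls back to NTLM."""
    host = urlsplit(url).hostname
    zone = ie_zone(host, zonemap)
    spn = browser_spn(url)
    return {"zone": zone,
            "auto_logon": zone == LOCAL_INTRANET,
            "spn": "HTTP/" + spn[1],
            "spn_registered": spn_is_covered(spn, parse_setspn(setspn_text))}


if __name__ == "__main__":
    for u, zm in [("http://QSERVER/internal", {}),
                  ("http://www.oursite.com/internal", {}),
                  ("http://www.oursite.com/internal", {"www.oursite.com": TRUSTED_SITES}),
                  ("http://www.oursite.com/internal", {"www.oursite.com": LOCAL_INTRANET})]:
        print(u, zm, diagnose(u, zm, SETSPN_OUTPUT))
```

Ken's other two prompt causes (no access for the logged-on user, DC unreachable or NTLM through a proxy) are server- and network-side and are not modelled here.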