Windows Integrated Authentication on standalone server

Hi.

I wish to use Windows Integrated Authentication in IIS to authenticate users logging on. The problem is that the web server is a standalone server located in DMZ, and I wish to authenticate using domain accounts.

Am I right to assume that this is not possible, as long as the web server is not in a domain trusted by the domain users are authenticated with, or member of that domain?

Will the only solution then be to add the web server to a new domain, and trust that domain (or add it to the already existing domain)?

Any help is greatly appreciated. Thanks!

- Oyvind
"Oyvind" <oyvind@nospam.no> wrote in message The whole point of Windows Integrated authentication is to use a domain.news:%23%23oENpLcFHA.3464@tk2msftngp13.phx.gbl... > Hi. > > I wish to use Windows Integrated Authentication in IIS to authenticate > users logging on. The problem is that the web server is a standalone > server located in DMZ, and I wish to authenticate using domain accounts. > > Am I right to assume that this is not possible, as long as the web server > is not in a domain trusted by the domain users are authenticated with, or > member of that domain ? > > Will the only solution then be, to add the web server to a new domain, and > trust that domain (or add it to the already existing domain.) ? -- Tom Kaminski IIS MVP http://www.microsoft.com/windowsserver2003/community/centers/iis/ http://mvp.support.microsoft.com/ http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message That's not true. IWA will work fine for accounts local to the webserver. news:%23G$vCnOcFHA.2124@TK2MSFTNGP14.phx.gbl... : "Oyvind" <oyvind@nospam.no> wrote in message : news:%23%23oENpLcFHA.3464@tk2msftngp13.phx.gbl... : > Hi. : > : > I wish to use Windows Integrated Authentication in IIS to authenticate : > users logging on. The problem is that the web server is a standalone : > server located in DMZ, and I wish to authenticate using domain accounts. : > : > Am I right to assume that this is not possible, as long as the web server : > is not in a domain trusted by the domain users are authenticated with, or : > member of that domain ? : > : > Will the only solution then be, to add the web server to a new domain, and : > trust that domain (or add it to the already existing domain.) ? : : The whole point of Windows Integrated authentication is to use a domain. There is no requirement for a domain. Cheers Ken
"Ken Schaefer" <kenREM***@THISadOpenStatic.com> wrote in message OK - what would be the benefit?news:OgnKJoTcFHA.3040@TK2MSFTNGP14.phx.gbl... > "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message > news:%23G$vCnOcFHA.2124@TK2MSFTNGP14.phx.gbl... > : "Oyvind" <oyvind@nospam.no> wrote in message > : news:%23%23oENpLcFHA.3464@tk2msftngp13.phx.gbl... > : > Hi. > : > > : > I wish to use Windows Integrated Authentication in IIS to authenticate > : > users logging on. The problem is that the web server is a standalone > : > server located in DMZ, and I wish to authenticate using domain > accounts. > : > > : > Am I right to assume that this is not possible, as long as the web > server > : > is not in a domain trusted by the domain users are authenticated with, > or > : > member of that domain ? > : > > : > Will the only solution then be, to add the web server to a new domain, > and > : > trust that domain (or add it to the already existing domain.) ? > : > : The whole point of Windows Integrated authentication is to use a domain. > > > That's not true. IWA will work fine for accounts local to the webserver. > There is no requirement for a domain.
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message IWA describes a method of conveying a users credentials from the client to news:%23tUA0uacFHA.3204@TK2MSFTNGP12.phx.gbl... : "Ken Schaefer" <kenREM***@THISadOpenStatic.com> wrote in message : news:OgnKJoTcFHA.3040@TK2MSFTNGP14.phx.gbl... : > "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message : > news:%23G$vCnOcFHA.2124@TK2MSFTNGP14.phx.gbl... : > : "Oyvind" <oyvind@nospam.no> wrote in message : > : news:%23%23oENpLcFHA.3464@tk2msftngp13.phx.gbl... : > : > Hi. : > : > : > : > I wish to use Windows Integrated Authentication in IIS to authenticate : > : > users logging on. The problem is that the web server is a standalone : > : > server located in DMZ, and I wish to authenticate using domain : > accounts. : > : > : > : > Am I right to assume that this is not possible, as long as the web : > server : > : > is not in a domain trusted by the domain users are authenticated with, : > or : > : > member of that domain ? : > : > : > : > Will the only solution then be, to add the web server to a new domain, : > and : > : > trust that domain (or add it to the already existing domain.) ? : > : : > : The whole point of Windows Integrated authentication is to use a domain. : > : > : > That's not true. IWA will work fine for accounts local to the webserver. : > There is no requirement for a domain. : : OK - what would be the benefit? the server (basically a way of having the client tell the server who the client is). As such, it competes with Basic and Digest authentication mechanisms. So Basic Auth can be used for local -or- domain accounts, and IWA can be used for local or domain accounts as well. Where/how the organisation manages the username/password store that the server has access to is a completely separate matter. The arguments regarding Domains -vs- Workgroup (local accounts) are the same regardless of whether you are using Basic, Digest or IWA (NTLM or Kerberos) authentication. 
[1] Cheers Ken [1] Well, there's a limitation in Windows that Digest can't be used with local accounts because an MD5 hash of the user's password can not be calculated for a local user (there is no facility for storing passwords with reversible encryption, and no facility for storing a pre-calculated hash). But that is not a limitation in either the Digest standard or IIS, but how the Windows local SAM was developed.
"Ken Schaefer" <kenREM***@THISadOpenStatic.com> wrote in message Right - so what's the benefit if he's not in a domain?news:uKGMP7hcFHA.1448@TK2MSFTNGP14.phx.gbl... > > > "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message > news:%23tUA0uacFHA.3204@TK2MSFTNGP12.phx.gbl... > : "Ken Schaefer" <kenREM***@THISadOpenStatic.com> wrote in message > : news:OgnKJoTcFHA.3040@TK2MSFTNGP14.phx.gbl... > : > "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message > : > news:%23G$vCnOcFHA.2124@TK2MSFTNGP14.phx.gbl... > : > : "Oyvind" <oyvind@nospam.no> wrote in message > : > : news:%23%23oENpLcFHA.3464@tk2msftngp13.phx.gbl... > : > : > Hi. > : > : > > : > : > I wish to use Windows Integrated Authentication in IIS to > authenticate > : > : > users logging on. The problem is that the web server is a > standalone > : > : > server located in DMZ, and I wish to authenticate using domain > : > accounts. > : > : > > : > : > Am I right to assume that this is not possible, as long as the web > : > server > : > : > is not in a domain trusted by the domain users are authenticated > with, > : > or > : > : > member of that domain ? > : > : > > : > : > Will the only solution then be, to add the web server to a new > domain, > : > and > : > : > trust that domain (or add it to the already existing domain.) ? > : > : > : > : The whole point of Windows Integrated authentication is to use a > domain. > : > > : > > : > That's not true. IWA will work fine for accounts local to the > webserver. > : > There is no requirement for a domain. > : > : OK - what would be the benefit? > > IWA describes a method of conveying a users credentials from the client to > the server (basically a way of having the client tell the server who the > client is). As such, it competes with Basic and Digest authentication > mechanisms. So Basic Auth can be used for local -or- domain accounts, and > IWA can be used for local or domain accounts as well. 
> > Where/how the organisation manages the username/password store that the > server has access to is a completely separate matter. The arguments > regarding Domains -vs- Workgroup (local accounts) are the same regardless > of > whether you are using Basic, Digest or IWA (NTLM or Kerberos) > authentication. [1] > > Cheers > Ken > > [1] Well, there's a limitation in Windows that Digest can't be used with > local accounts because an MD5 hash of the user's password can not be > calculated for a local user (there is no facility for storing passwords > with > reversible encryption, and no facility for storing a pre-calculated hash). > But that is not a limitation in either the Digest standard or IIS, but how > the Windows local SAM was developed. I wasn't saying it wouldn't work, just that the whole point was to use it in a domain where some of the benefits are 1) password doesn't get sent over the wire and 2) credentials can be passed in the background so the user doesn't get prompted. : ) -- Tom Kaminski IIS MVP http://www.microsoft.com/windowsserver2003/community/centers/iis/ http://mvp.support.microsoft.com/ http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS On Tue, 14 Jun 2005 10:25:07 +0200, Oyvind <oyvind@nospam.no> wrote:
>I wish to use Windows Integrated Authentication in IIS to authenticate Correct. That's basic Windows security.>users logging on. The problem is that the web server is a standalone >server located in DMZ, and I wish to authenticate using domain accounts. > >Am I right to assume that this is not possible, as long as the web >server is not in a domain trusted by the domain users are authenticated >with, or member of that domain ? >Will the only solution then be, to add the web server to a new domain, Yep. You also need to ensure a few more ports are open in the>and trust that domain (or add it to the already existing domain.) ? firewall for authentication. See: http://support.microsoft.com/default.aspx?scid=kb;en-us;832017 Jeff On Tue, 14 Jun 2005 10:25:07 +0200, Oyvind <oyvind@nospam.no> wrote:
>Hi. Also look at:> >I wish to use Windows Integrated Authentication in IIS to authenticate >users logging on. The problem is that the web server is a standalone >server located in DMZ, and I wish to authenticate using domain accounts. > >Am I right to assume that this is not possible, as long as the web >server is not in a domain trusted by the domain users are authenticated >with, or member of that domain ? > >Will the only solution then be, to add the web server to a new domain, >and trust that domain (or add it to the already existing domain.) ? How to configure a firewall for domains and trusts: http://support.microsoft.com/default.aspx?scid=kb;en-us;179442 Jeff