Integrated Authentication - Default to the main domain

I have a Windows 2003/IIS 6.0 application running on a machine that is a member of the domain but is not a domain controller.

If a user goes to this site and fills in their unqualified user name (i.e. without a domain name), the authentication fails (as the IIS tries to authenticate against the local accounts) and the logon screen reappears with servername.mydomain.com\ appended in front of the user name, forcing the user to know to delete the 'servername.'.

How can I get IIS to always attempt to authenticate against the main domain, instead of its local accounts database?

"Jonathan Palmer" <Jonathan Pal***@discussions.microsoft.com> wrote in message news:9E1A1EFC-BC6B-4607-A298-64AF847A3679@microsoft.com...
> I have a Windows 2003/IIS 6.0 application running on a machine that is a member of the domain but is not a domain controller.
>
> If a user goes to this site and fills in their unqualified user name (i.e. without a domain name), the authentication fails (as the IIS tries to authenticate against the local accounts) and the logon screen reappears with servername.mydomain.com\ appended in front of the user name, forcing the user to know to delete the 'servername.'.
>
> How can I get IIS to always attempt to authenticate against the main domain, instead of its local accounts database?

If you're using Windows Integrated authentication, why have the users prompted at all?
http://support.microsoft.com/?id=258063

--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsserver2003/community/centers/iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS

I have the same problem as Jonathan. And I have both authenticated users coming from the intranet and people from home logging on through a NAT in the firewall. I will try to explain further:

The machine is dt1 (on the domain), the website is vt and the domain is intranet.

From the inside, if authenticated users go to http://dt1/vt they are on and everything is fine. This website is actually a virtual directory on the default website.

Now I would like users to use the app (IssueTracker) from home. Here they are not authenticated and should be prompted for their domain credentials. The address is issuetracker.comp.dk and they first have to supply username/password to get nat'ed through the firewall. The firewall redirects to the IP of dt1.

To catch these requests I have set up a new website on dt1 with hostheader. Same path to the app and same security settings.

I have not tried it from outside yet, but using this new website from the inside now prompts the already authenticated users? As is, it does not recognize the authenticated users? Is that due to an outside address (issuetracker.comp.dk)?

Furthermore, when supplying the credentials, the user is rejected with the issuetracker.comp.dk/username in the new password prompt. If they replace issuetracker.comp.dk with intranet, he's in.

So I'm back to Jonathan's question: Why is dt1 not using the domain as default?

I will get back with info of how the thing behaves from the outside.

At last (if still not clear) I would like to have all users use the issuetracker.comp.dk address and of course; the inside users get right in, the home users supply their domain credentials (but without intranet\....)

Thanks in advance!

"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message news:OmzhR37iFHA.3608@TK2MSFTNGP12.phx.gbl...
> "Jonathan Palmer" <Jonathan Pal***@discussions.microsoft.com> wrote in message news:9E1A1EFC-BC6B-4607-A298-64AF847A3679@microsoft.com...
>> I have a Windows 2003/IIS 6.0 application running on a machine that is a member of the domain but is not a domain controller.
>>
>> If a user goes to this site and fills in their unqualified user name (i.e. without a domain name), the authentication fails (as the IIS tries to authenticate against the local accounts) and the logon screen reappears with servername.mydomain.com\ appended in front of the user name, forcing the user to know to delete the 'servername.'.
>>
>> How can I get IIS to always attempt to authenticate against the main domain, instead of its local accounts database?
>
> If you're using Windows Integrated authentication, why have the users prompted at all?
> http://support.microsoft.com/?id=258063
>
> --
> Tom Kaminski IIS MVP
> http://www.microsoft.com/windowsserver2003/community/centers/iis/
> http://mvp.support.microsoft.com/
> http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS

If this is an intranet environment you should be able to avoid logon prompting altogether with the following:

1) Enable Integrated Windows Authentication (disable anonymous).
2) Browsers (IE) security should be set, for local intranet zone, for automatic logon only in intranet (this is the default setting).
3) Security for the folder/directory which contains the web site (set from windows explorer) should include "Authenticated Users" (You could use specific domain users or groups if you need to be more restrictive).

The third item above is probably all you are missing.

"Jonathan Palmer" <Jonathan Pal***@discussions.microsoft.com> wrote in message news:9E1A1EFC-BC6B-4607-A298-64AF847A3679@microsoft.com...
> I have a Windows 2003/IIS 6.0 application running on a machine that is a member of the domain but is not a domain controller.
>
> If a user goes to this site and fills in their unqualified user name (i.e. without a domain name), the authentication fails (as the IIS tries to authenticate against the local accounts) and the logon screen reappears with servername.mydomain.com\ appended in front of the user name, forcing the user to know to delete the 'servername.'.
>
> How can I get IIS to always attempt to authenticate against the main domain, instead of its local accounts database?
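
The three steps from the last reply, written as commands for the IIS 6.0 server and an Internet Explorer client. This is an added example and not part of any post in the thread; site ID 1, the metabase path to the vt virtual directory and the folder path are assumptions to replace with your own values.

```bat
@echo off
rem Added example, not from the thread. Run on the IIS 6.0 server as an administrator.
rem Assumptions: site ID 1 is the Default Web Site, "vt" is the virtual directory
rem named in the thread, and APP_DIR is a placeholder for the folder behind it.
set ADSUTIL=cscript //nologo %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
set VDIR=W3SVC/1/ROOT/vt
set APP_DIR=D:\placeholder\path\to\site

rem Step 1: AuthFlags is a bitmask (1 = anonymous, 2 = Basic, 4 = Integrated Windows).
rem Setting it to 4 enables Integrated Windows Authentication and disables anonymous.
%ADSUTIL% set %VDIR%/AuthFlags 4

rem Read the value back to confirm what is now stored at this metabase node.
%ADSUTIL% get %VDIR%/AuthFlags

rem Step 3: grant read access on the content folder to Authenticated Users.
rem /E edits the existing ACL instead of replacing it; /T applies to the whole tree.
cacls "%APP_DIR%" /T /E /G "Authenticated Users":R

rem Show the resulting ACL so the new entry can be verified.
cacls "%APP_DIR%"

rem Step 2: run this line on a client, not the server. It reads the logon policy
rem for the Local intranet zone (zone 1). 0x20000 means "automatic logon only in
rem intranet zone", which is the default the reply refers to.
rem A host name that contains dots, such as issuetracker.comp.dk, is not placed in
rem the Local intranet zone automatically, so this policy does not cover it unless
rem the site is added to that zone.
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v 1A00
```

The second web site mentioned in the thread has its own site ID, so the same AuthFlags check has to be repeated against that site's metabase path.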