ISIS2004
asked on
IIS 5 Authentication Problem -- Servername\Username in logon prompt
Hi there.
We have an IIS 5-based intranet Web site running on a Windows 2000 Server domain member server. The Intranet virtual directory is configured for SSL, Basic Authentication (with a default domain specified) and Integrated Windows Authentication.
When users log in with the Domain name\Username syntax at the login box, they can login just fine. However, if the users try to login with only their domain user name, IIS shoots back the logon box pre-filled in with:
Servername\username
The server name is fully qualified. That is to say:
Server01.company.com\joeus
This strikes me as very, very weird.
I scoured the metabase by using the metabase editor. I found some traces to the referenced servername path in the SMTP properties and I nuked 'em because we aren't running SMTP on the IIS server. No help, though.
I also scoured the Registry for traces of the servername--nothing. I don't know why IIS thinks it should be pointing to the local computer instead of our domain controller. As I said earlier, if users manually type in Domainname\Username they can log in fine. However, as you network admins know, the less we have to instruct our users to do themselves manually, the better. :)
Thanks in advance,
Tim
We have an IIS 5-based intranet Web site running on a Windows 2000 Server domain member server. The Intranet virtual directory is configured for SSL, Basic Authentication (with a default domain specified) and Integrated Windows Authentication.
When users log in with the Domain name\Username syntax at the login box, they can login just fine. However, if the users try to login with only their domain user name, IIS shoots back the logon box pre-filled in with:
Servername\username
The server name is fully qualified. That is to say:
Server01.company.com\joeus
This strikes me as very, very weird.
I scoured the metabase by using the metabase editor. I found some traces to the referenced servername path in the SMTP properties and I nuked 'em because we aren't running SMTP on the IIS server. No help, though.
I also scoured the Registry for traces of the servername--nothing. I don't know why IIS thinks it should be pointing to the local computer instead of our domain controller. As I said earlier, if users manually type in Domainname\Username they can log in fine. However, as you network admins know, the less we have to instruct our users to do themselves manually, the better. :)
Thanks in advance,
Tim
alimu
Next to where you allow basic authentication in IIS management console is a button you click to set the default domain for authentication - do you have a specific domain set there?
ASKER
Yeah--I've added the non-qualified name of our domain.
Eg: COMPANY rather than COMPANY.COM
Eg: COMPANY rather than COMPANY.COM
Hi,
the defaulkt domain should be the windows domain (if it is different to the internet domain)
i.e. for "Domain name\Username", enter the "Domain name" part as default domain.
cheers.
the defaulkt domain should be the windows domain (if it is different to the internet domain)
i.e. for "Domain name\Username", enter the "Domain name" part as default domain.
cheers.
ASKER
Actually, not to split hairs here, but that is what we have done.
For example:
Web server: SERVER01.DOMAIN.COMPANY.CO
We used DOMAIN as the default domain name for Basic Authentication.
However, in the logon prompt for the SSL-secured page the users see
SERVER01.DOMAIN.COMPANY.CO
in the username field instead of
DOMAIN.COMPANY.COM\usernam
or simply
DOMAIN\username
Thanks,
Tim
For example:
Web server: SERVER01.DOMAIN.COMPANY.CO
We used DOMAIN as the default domain name for Basic Authentication.
However, in the logon prompt for the SSL-secured page the users see
SERVER01.DOMAIN.COMPANY.CO
in the username field instead of
DOMAIN.COMPANY.COM\usernam
or simply
DOMAIN\username
Thanks,
Tim
ok,
what about using windows integrated auth - disable plain text authentication, then the ie browser will just send the credentials used to log on to the local AD domain by default.
cheers, Mike.
what about using windows integrated auth - disable plain text authentication, then the ie browser will just send the credentials used to log on to the local AD domain by default.
cheers, Mike.
ASKER
Well, you know we tried enabling only the Windows Integrated Authentication (and disabling the Basic Authentication). However, the logon box still gave the servername\username deal in the logon box.
Should we have bounced the IIS server? I didn' t think it was necessary, but maybe we should have tried that...
Should we have bounced the IIS server? I didn' t think it was necessary, but maybe we should have tried that...
Hi,
no - you needn't bounce the server to apply those changes.
is the iis server associated with the windows domain at all? try adding the server to the AD domain regime.
Cheers.
no - you needn't bounce the server to apply those changes.
is the iis server associated with the windows domain at all? try adding the server to the AD domain regime.
Cheers.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks, alimu. The bottom line is that I need to instruct my users to submit their credentials as domain\user or username@domain, as you said.
-Tim
-Tim
that's correct - if they're getting a logon box this is the case.
With integrated authentication they shouldn't get prompted for credentials unless they are in a different domain to the server. If you've got a single domain for clients & web server, users still getting prompted would indicate an NTFS permission problem on the web server files or possibly a client side issue.
With integrated authentication they shouldn't get prompted for credentials unless they are in a different domain to the server. If you've got a single domain for clients & web server, users still getting prompted would indicate an NTFS permission problem on the web server files or possibly a client side issue.