  • Status: Solved

IIS 6 integrated authentication without specifying domain

We have a SharePoint 2003 server in a multi-domain forest, and admins would like users to be able to log in without specifying their domain when coming in over the WAN. We have SSO working, so on the LAN this is not an issue. This apparently was a feature available in IIS4/5 with Basic Authentication, by hard-coding "\" as the default domain in the metabase. Well, now we are talking IIS 6 with Integrated Windows Authentication, and I do not see yet how this could be done. Basic Authentication is not an option. Since UPNs are unique in the forest, they reason, there shouldn't be a need to specify domain. This makes sense, but again does not appear so far to be a feature.

So, to wrap the question a little tighter, is there a way users can log into WSS 2003 as Username or Username@forest.com, without specifying their child domain?

Cheers,
Dan
0
Asked: CGNET-TE

Dave_Dietz Commented:
No.

Dave Dietz
0
 
meverest Commented:
That's what I like to see: a definitive answer! ;-D
0
 
Dave_Dietz Commented:
Dealt with a similar issue recently.

NTLM authentication requires the domain name as part of the user token.  There is no way around this.

The workaround for Basic basically forced IIS to check the UserID/Password against all trusted domains until it found one that accepted the pair as valid.  This is not an available option for NTLM.

I'd mention Kerberos but SharePoint disables Kerberos authentication in IIS when it is installed, and if the clients are being prompted for credentials when logging into a site using NTLM then there is no way Kerberos would work even if it was re-enabled.

Dave Dietz
0
 
CGNET-TE Author Commented:
I've also dealt with enabling Kerberos, as an adjunct to SSO. The documentation for WSS 2003 was bad enough, and trying to decipher the Kerberos requirements for Server Principal Name was more of the same.

What about UPN used for network logon? Does that not use NTLM?

Dan
0
 
Dave_Dietz Commented:
No, it doesn't.  UPN logon uses a different code path than NTLM and while its functionality is similar it does not actually use NTLM, at least not when used to authenticate via IIS.

Dave Dietz
0
