IIS 6 integrated authentication without specifying domain

Posted on 2005-03-29
Medium Priority
Last Modified: 2008-02-26
We have a SharePoint 2003 server in a multi-domain forest, and admins would like users to be able to log in without specifying their domain when coming in over the WAN. We have SSO working, so on the LAN this is not an issue. This apparently was a feature available in IIS4/5 with Basic Authentication, by hard-coding "\" as the default domain in the metabase. Well, now we are talking IIS 6 with Integrated Windows Authentication, and I do not see yet how this could be done. Basic Authentication is not an option. Since UPNs are unique in the forest, they reason, there shouldn't be a need to specify domain. This makes sense, but again does not appear so far to be a feature

So, to wrap the question a little tighter, is there a way users can log into WSS 2003 as Username or Username@forest.com, without specifying their child domain?

Question by:CGNET-TE

Expert Comment

ID: 13658141

Dave Dietz

Expert Comment

ID: 13658225
That's what I like to see: a definitive answer! ;-D

Expert Comment

ID: 13658295
Dealt with a similar issue recently.

NTLM authentication requires the domain name as part of the user token.  There is no way around this.

The workaround for Basic basically forced IIS to check the UserID/Password against all trusted domains until it found one that accepted the pair as valid.  This is not an available option for NTLM.

I'd mention Kerberos but SharePoint disables Kerberos authentication in IIS when it is installed, and if the clients are being prompted for credentials when logging into a site using NTLM then there is no way Kerberos would work even if it was re-enabled.

Dave Dietz

Author Comment

ID: 13658619
I've also dealt with enabling Kerberos, as an adjunct to SSO. The documentation for WSS 2003 was bad enough, and trying to decipher the Kerberos requirements for Server Principal Name was more of the same.

What about UPN used for network logon? Does that not use NTLM?


Accepted Solution

Dave_Dietz earned 1500 total points
ID: 13659308
No, it doesn't.  UPN logon uses a different code path than NTLM and while its functionality is similar it does not actually use NTLM, at least not when used to authenticate via IIS.

Dave Dietz


Question has a verified solution.
