CGNET-TE
IIS 6 Integrated Authentication without specifying domain
We have a SharePoint 2003 server in a multi-domain forest, and admins would like users to be able to log in without specifying their domain when coming in over the WAN. We have SSO working, so on the LAN this is not an issue. This apparently was a feature available in IIS4/5 with Basic Authentication, by hard-coding "\" as the default domain in the metabase. Well, now we are talking IIS 6 with Integrated Windows Authentication, and I do not see yet how this could be done. Basic Authentication is not an option. Since UPNs are unique in the forest, they reason, there shouldn't be a need to specify domain. This makes sense, but again does not appear so far to be a feature
So, to wrap the question a little tighter, is there a way users can log into WSS 2003 as Username or Username@forest.com, without specifying their child domain?
Cheers,
Dan
That's what I like to see: a definitive answer! ;-D
Dealt with a similar issue recently.
NTLM authentication requires the domain name as part of the user token. There is no way around this.
The workaround for Basic basically forced IIS to check the UserID/Password against all trusted domains until it found one that accepted the pair as valid. This is not an available option for NTLM.
I'd mention Kerberos but SharePoint disables Kerberos authentication in IIS when it is installed, and if the clients are being prompted for credentials when logging into a site using NTLM then there is no way Kerberos would work even if it was re-enabled.
Dave Dietz
ASKER
I've also dealt with enabling Kerberos, as an adjunct to SSO. The documentation for WSS 2003 was bad enough, and trying to decipher the Kerberos requirements for Server Principal Name was more of the same.
What about UPN used for network logon? Does that not use NTLM?
Dan