jonhagger

IIS Service

My company are migrating to a new Domain. There is a 2 way trust setup between the old Domain A and the new Domain B.
I've installed an IIS server on the new Domain B. When users from the old Domain A try to access the site it's running they get error "No Authority could be contacted to authorisation".
I've tried mapping to a machine on the new Domain and get message there are no logon servers available to service the request.

The web site running on the new IIS server cannot have anonymous access as it needs to use the windows login for users on the new Domain to function.

Anyone know how I can set it up so users on the old domain can access this resource?
younghv

When connecting to the new domain, have you tried logging on as "DOMAINNAME\USERNAME"?
When you specifically name the domain (before your network name), you can force the authentication to that domain.
Good Luck,
Vic
jonhagger

ASKER

They're not prompted for a username/password. Just fails straight away!
Are your users not required to log onto their computers?
To turn on logging on a Web site, follow these steps:
1. Start the Internet Information Services Manager. To do this, click Start, point to Administrative Tools, and then click Internet Information Services.
2. Double-click your server_name, where server_name is the name of the server.
3. Expand the Web Site folder.
4. Right-click the Web site for which you want to turn on logging, and then click Properties.
5. On the Website tab, select Enable Logging.
Note: Both Enable Logging on the Website tab and Log visits on the Home Directory Tab must be checked for logging to be enabled.
6. Select a format in the Active log format list.
7. Click Properties.
8. On the General tab, select the way that you want to schedule the logging or change the Log file folder. For more information, see the Configuration Options for Saving IIS Log Files section of this article.
9. Click the Advanced tab, and then click the items that you want to monitor in the log.
NOTE: If you select ODBC logging, click Properties, provide the ODBC Data Source Name (DSN), table, user name, and password, and then click OK.
10. Click OK.

----------------------------------------------------------------
Now Restart IIS on Domain B

Try to enter. Now copy back the IIS LOG here.

Find the log here: C:\winnt\System32\LogFiles
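
An added example, not part of the original thread: once logging is enabled as in the steps above, this Python script summarizes the 401 responses in an IIS W3C Extended log by client address, user name and sub-status, which is the information needed to tell a failed logon from a server-side authentication configuration problem. The sample log lines, addresses and account names are constructed.

```python
from collections import Counter

# Meanings of the IIS 401 sub-status codes handled here.
SUBSTATUS = {
    "1": "logon failed",
    "2": "logon failed due to server configuration",
    "3": "denied by ACL on the resource",
}

# Constructed sample in IIS 6 W3C Extended format (addresses and accounts are made up).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2008-03-04 10:15:02 GET /default.aspx - 10.0.1.20 401 2 2148074254
2008-03-04 10:15:02 GET /default.aspx - 10.0.1.20 401 1 2148074252
2008-03-04 10:15:09 GET /default.aspx - 10.0.1.20 401 1 2148074252
2008-03-04 10:16:10 GET /default.aspx DOMAINB\alice 10.0.2.7 200 0 0
#Fields: date time c-ip cs-username sc-status sc-substatus
2008-03-04 11:00:00 10.0.1.21 DOMAINA\bob 401 3
"""

def auth_failures(lines):
    """Count 401 responses per (client IP, user name, sub-status)."""
    fields, counts = [], Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()           # W3C logs write spaces inside values as '+'
        if len(values) != len(fields):
            continue                    # skip truncated or malformed rows
        row = dict(zip(fields, values))
        if row.get("sc-status") != "401":
            continue
        key = (row.get("c-ip", "-"), row.get("cs-username", "-"), row.get("sc-substatus", "-"))
        counts[key] += 1
    return counts

def report(counts):
    """Render one line per (client, user, sub-status); '-' means no authenticated user."""
    return [
        f"{ip} {'no authenticated user' if user == '-' else user}: "
        f"401.{sub} ({SUBSTATUS.get(sub, 'other sub-status')}) x{n}"
        for (ip, user, sub), n in sorted(counts.items())
    ]

if __name__ == "__main__":
    print("\n".join(report(auth_failures(SAMPLE_LOG.splitlines()))))
```
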
IIS6 Windows 2003 ?
This is definitely a problem that occurs when authentication happens via a Trusted Domain.

Check out Authentication and Access Control Diagnostics 1.0
http://www.microsoft.com/downloads/details.aspx?FamilyID=e90fe777-4a21-4066-bd22-b931f7572e9a&DisplayLang=en

Authentication and authorization failures are common on Internet Information Services (IIS) platforms. AuthDiag is a tool designed to aid customers in effectively troubleshooting and determining the root cause of the problem.
The server is W2k3 with IIS6. I've enabled the logging but the connection attempts don't show.
When I tested with anonymous access from the old domain were able to access OK but it used the local IIS machine account (this attempt shows up in the logs).

DVT - where do I need to run the tool? On the IIS server or on the client?

Thanks
ASKER CERTIFIED SOLUTION
Leon Fester
This solution is only available to members.
I logged onto the IIS server locally (off DOMAIN) and ran tool. Error reported : Service principal name (SPN) for machine 'servername' not found in Active Directory. Can this be related?
Is there a way to force IE to prompt for a username and password when loading the site?
That is exactly the problem that you're looking for.

Here are some steps to fix that error.
http://support.dspanel.com/help43/Server_Configuration/Delegation.htm
I've got WINS dynamic registration allowed on the WINS server and the host files for the PDC are present on the old domain PDC WINS :(