Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

IIS Basic Authentication in Cross Realm Environment

Posted on 2007-11-30
4
Medium Priority
?
1,459 Views
Last Modified: 2013-11-05
Hi,

Situation:
- I have a Windows 2003 Active Directory Server for DOMAIN1.
- It is also configured for cross realm authentication on DOMAIN2 with a user mapping from *.DOMAIN2 to *.DOMAIN1.
- An account for User1 is present is both domains.

What is working:
When I log on through RDP from a non-domain computer to the Active Directory with the DOMAIN2 credentials of User1, the authentication succeeds.

Problem:
When I configure IIS for Basic Authentication, and set the default domain to DOMAIN2, the authentication fails with a 401 error. When I sniff the kerberos traffic however, I can see a successful authentication to the DOMAIN2 KDC. When using the DOMAIN1 credentials for User1, the authentication succeeds.

Question:
How can I achieve cross realm authentication in IIS?

Thanks is advance!

0
Comment
Question by:CuSo4
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 2000 total points
ID: 20387721
> How can I achieve cross realm authentication ..
you cannot 'cause the browser does not allow to violate cross-domain authentication 'cause of security reasons

> .. in IIS
it's not a web server but a client (browser) issue, see above
0
 
LVL 2

Author Comment

by:CuSo4
ID: 20387767
Hi,
Thanks for the feedback!

I understand that the client will not perform kerberos authentication in a non-intranet environment.
However, what I am trying to achieve is that the client uses basic authentication (over ssl) to authenticate to the web server on DOMAIN1, and that the server on DOMAIN1 checks the credentials through kerberos with DOMAIN2.

I think a similar form of authentication is used when I connect using Remote Desktop from a non-intranet PC to the server on DOMAIN1, so I believe the same should be possible for IIS authentication...
0

Featured Post

Survive A High-Traffic Event with Percona

Your application or website rely on your database to deliver information about products and services to your customers. You can’t afford to have your database lose performance, lose availability or become unresponsive – even for just a few minutes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question