Need help with cross-domain IIS authentication

Posted on 2009-02-18
Last Modified: 2013-04-26
Hi, I have two Windows 2003 AD domains with a two-way trust between them.

In domain A I have a website which I only want specific security groups in each domain to be able to view.
The whole point is that I don't want users in either domain to be prompted for credentials when they visit the site. If they are logged in to the domain then they should be automatically authenticated.

On the IIS server in domain A, I have configured the website to use "integrated Windows authentication" and disabled anonymous access.

I then added the approved security groups from Domain A and Domain B to the permissions list of the website.

The solution works well in Domain A. If you are in the correct security group then the website loads automatically.

However in Domain B, the user is prompted regardless of the fact that they are in an approved security group in IIS.

How do I have them authenticate automatically?
Question by:susnewyork

    Accepted Solution

    To start with, especially if you're implementing cross-domain authentication, use the AGDLP model; create (domain) local groups in the resource domain (with the IIS), assign permissions to this group, and add the global groups from the domains to these domain local groups.
    Anyway, the problem at hand is probably that the other domain doesn't see your domain name as intranet, and is not sending credentials automatically.
    So in the other domain, at least your IIS needs to be added to the "Local Intranet" zone; in this zone, the security setting for automatic logon is by default set to "Send logon information only in the intranet zone" (or similar).

    Expert Comment

    Excellent answer. Solved my problem. Not sure I would have checked for Local Intranet Zone.
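
One way to check, on a workstation in the other domain, which security zone the site falls into and what the Local Intranet zone's logon setting is. This is an added example, not part of the original answer. The host name `web01.domaina.example` and the `-Apply` switch are assumptions; the registry locations are the standard per-user Internet Explorer zone settings.

```powershell
# Added example, not from the thread. The host name is a constructed placeholder.
param(
    [string]$SiteHost = 'web01.domaina.example',  # hypothetical FQDN of the IIS server
    [switch]$Apply                                  # without -Apply the script only reports
)
$inet  = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zones = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$logon = @{ 0x00000 = 'Automatic logon with current user name and password'
            0x10000 = 'Prompt for user name and password'
            0x20000 = 'Automatic logon only in Intranet zone'
            0x30000 = 'Anonymous logon' }

# ZoneMap keeps the parent domain as a key and the host part as a subkey.
# Simplification: the parent domain is taken to be the last two labels.
$labels = $SiteHost.Split('.')
if ($labels.Count -lt 3) { throw "Expected an FQDN like host.domain.tld, got '$SiteHost'" }
$parent  = $labels[-2..-1] -join '.'
$child   = $labels[0..($labels.Count - 3)] -join '.'
$mapPath = "$inet\ZoneMap\Domains\$parent\$child"

# A "Site to Zone Assignment List" policy takes over from per-user entries, so report it first.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $polKey = "$hive\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
    if (Test-Path -LiteralPath $polKey) { Write-Warning "Zone assignments are set by policy at $polKey" }
}

# Which zone is the host mapped to? The value name is the protocol ('*' means any).
$mapped = $null
if (Test-Path -LiteralPath "HKCU:\$mapPath") {
    $regKey = Get-Item -LiteralPath "HKCU:\$mapPath"
    foreach ($name in '*', 'https', 'http') {
        $v = $regKey.GetValue($name)
        if ($null -ne $v) { $mapped = [int]$v; break }
    }
}
if ($null -eq $mapped) { "$SiteHost has no per-user zone mapping" }
else { "$SiteHost is mapped to zone $mapped ($($zones[$mapped]))" }

# 1A00 is the "User Authentication > Logon" setting; read it for the Local Intranet zone (1).
$zoneKey = Get-Item -LiteralPath "HKCU:\$inet\Zones\1" -ErrorAction SilentlyContinue
$raw = if ($zoneKey) { $zoneKey.GetValue('1A00') }
if ($null -eq $raw) { 'Local Intranet logon setting: not set for this user' }
else { "Local Intranet logon setting: $($logon[[int]$raw])" }

if ($Apply -and $mapped -ne 1) {
    # Map only this one host, not the whole domain: every site in this zone
    # receives the user's logon credentials without a prompt.
    [Microsoft.Win32.Registry]::SetValue("HKEY_CURRENT_USER\$mapPath", '*', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
    "Mapped $SiteHost to Local Intranet for the current user"
}
```

For more than a handful of workstations, the same mapping is normally deployed through the "Site to Zone Assignment List" Group Policy setting in the other domain rather than per user.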
