Need help with cross-domain IIS authentication

Last Modified: 2013-04-26
Hi, I have two Windows 2003 AD domains with a two-way trust between them.

In domain A I have a website which I only want specific security groups in each domain to be able to view.
The whole point is that I don't want users in either domain to be prompted for credentials when they visit the site. If they are logged in to the domain then they should be automatically authenticated.

On the IIS server in domain A, I have configured the website to use "integrated Windows authentication" and disabled anonymous access.

I then added the approved security groups from Domain A and Domain B to the permissions list of the website.

The solution works well in Domain A. If you are in the correct security group then the website loads automatically.

However, in Domain B, the user is prompted regardless of the fact that they are in an approved security group in IIS.

How do I have them authenticate automatically?
Commented:
To start with, especially if you're implementing cross-domain authentication, use the AGDLP model (http://en.wikipedia.org/wiki/AGDLP); create (domain) local groups in the resource domain (with the IIS), assign permissions to this group, and add the global groups from the domains to these domain local groups.
Anyway, the problem at hand is probably that the other domain doesn't see your domain name as intranet, and is not sending credentials automatically.
So in the other domain, at least your IIS needs to be added to the "Local Intranet" zone; in this zone, the security setting for automatic logon is by default set to "Send logon information only in the intranet zone" (or similar).
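
One way to apply and verify the zone setting described in the answer above on a client in domain B, as an added example that is not part of the original thread. The host label and parent domain are hypothetical placeholders; the registry paths are the standard per-user Internet Explorer zone locations.

```powershell
# Added example. $HostLabel and $ParentDomain are hypothetical placeholders for
# the IIS server in domain A (here: web01.domaina.example); replace them.
$HostLabel    = 'web01'
$ParentDomain = 'domaina.example'
$Scheme       = 'http'          # use 'https' if the site is served over TLS

$InetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. Map only this one host to zone 1 (Local intranet).
#    Every site in the zone receives the user's Windows credentials without a
#    prompt, so map the specific host rather than a wildcard for a whole domain.
$mapKey = Join-Path $InetSettings "ZoneMap\Domains\$ParentDomain\$HostLabel"
New-Item -Path $mapKey -Force | Out-Null
New-ItemProperty -Path $mapKey -Name $Scheme -Value 1 -PropertyType DWord -Force | Out-Null

# 2. Read the "User Authentication > Logon" setting (value 1A00) for zone 1.
$zoneKey = Join-Path $InetSettings 'Zones\1'
$logon   = (Get-ItemProperty -Path $zoneKey -Name '1A00' -ErrorAction SilentlyContinue).'1A00'

if ($null -eq $logon) {
    $meaning = 'not set for this user (machine default or policy applies)'
} else {
    $meaning = switch ($logon) {
        0x00000 { 'Automatic logon with current user name and password' }
        0x10000 { 'Prompt for user name and password' }
        0x20000 { 'Automatic logon only in Intranet zone' }
        0x30000 { 'Anonymous logon' }
        default { 'Unrecognised value 0x{0:X}' -f $logon }
    }
}

# 3. Report what was configured so the result can be checked on the client.
[pscustomobject]@{
    Site         = "${Scheme}://$HostLabel.$ParentDomain"
    Zone         = (Get-ItemProperty -Path $mapKey -Name $Scheme).$Scheme
    LogonSetting = $meaning
}
```

In a domain, the same mapping is normally deployed to all clients through the "Site to Zone Assignment List" Group Policy setting rather than per-user registry edits; a policy-set value overrides the per-user value written here.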

Excellent answer. Solved my problem. Not sure I would have checked for Local Intranet Zone.