  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1131

Need help with cross-domain IIS authentication

Hi, I have two Windows 2003 AD domains with a two-way trust between them.

In domain A I have a website which I only want specific security groups in each domain to be able to view.
The whole point is that I don't want users in either domain to be prompted for credentials when they visit the site. If they are logged in to the domain then they should be automatically authenticated.

On the IIS server in domain A, I have configured the website to use "integrated Windows authentication" and disabled anonymous access.

I then added the approved security groups from Domain A and Domain B to the permissions list of the website.

The solution works well in Domain A. If you are in the correct security group then the website loads automatically.

However in Domain B, the user is prompted regardless of the fact that they are in an approved security group in IIS.

How do I have them authenticate automatically?
1 Solution
To start with, especially if you're implementing cross-domain authentication, use the AGDLP model (http://en.wikipedia.org/wiki/AGDLP); create (domain) local groups in the resource domain (with the IIS), assign permissions to this group, and add the global groups from the domains to these domain local groups.
Anyway, the problem at hand is probably that the other domain doesn't see your domain name as intranet, and is not sending credentials automatically.
So in the other domain, at least your IIS needs to be added to the "Local Intranet" zone; in this zone, the security setting for automatic logon is by default set to "Send logon information only in the intranet zone" (or similar).
Excellent answer. Solved my problem. Not sure I would have checked for the Local Intranet zone.
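
A read-only check for the zone assignment the answer points to, as an added example that is not part of the original thread: run on a Domain B client as the affected user, it lists any site-to-zone mapping covering the IIS host and the logon setting of the Local Intranet zone. The host name `iis01.domaina.example` is a placeholder, and the registry locations are the standard Internet Explorer zone settings.

```powershell
# Added example: read-only check, run as the affected user on a Domain B client.
# The default $SiteHost is a placeholder; pass the name users type in the browser.
param([string]$SiteHost = 'iis01.domaina.example')

$zoneNames  = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$logonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}
$user   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policy = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$roots  = "HKLM:\$policy", "HKCU:\$policy", "HKCU:\$user"

"Site-to-zone mappings that mention $SiteHost"
foreach ($root in $roots) {
    # Group Policy "Site to Zone Assignment List": value name = site, data = zone number.
    $list = Get-Item "$root\ZoneMapKey" -ErrorAction SilentlyContinue
    if ($list) {
        foreach ($name in $list.GetValueNames()) {
            if ($name -like "*$SiteHost*") {
                "  {0}\ZoneMapKey: {1} -> {2}" -f $root, $name, $zoneNames[[int]$list.GetValue($name)]
            }
        }
    }
    # Sites added by hand: Domains\<domain>\<host>, value name = protocol, data = zone number.
    # A key for a parent domain is reported too, since it may also cover the host.
    Get-ChildItem "$root\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        [string[]]$parts = ($_.Name -split '\\ZoneMap\\Domains\\', 2)[1] -split '\\'
        [array]::Reverse($parts)
        $site = $parts -join '.'
        if ($SiteHost -eq $site -or $SiteHost -like "*.$site") {
            foreach ($proto in $_.GetValueNames()) {
                "  {0}\ZoneMap: {1} ({2}) -> {3}" -f $root, $site, $proto, $zoneNames[[int]$_.GetValue($proto)]
            }
        }
    }
}

"Logon setting (1A00) for the Local Intranet zone"
foreach ($root in $roots) {
    $value = (Get-ItemProperty "$root\Zones\1" -Name 1A00 -ErrorAction SilentlyContinue).'1A00'
    if ($null -ne $value) {
        "  {0}\Zones\1: 0x{1:X} ({2})" -f $root, $value, $logonModes[[int]$value]
    }
}
```

Map only the specific IIS host to Local Intranet rather than a wildcard for a whole domain, because the browser sends the user's logon credentials automatically to every site in that zone.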
