IIS6 - Local Domain Users Cannot Access Virtual Directory / Remote Domain Users Can

Posted on 2009-04-24
Last Modified: 2012-05-06
Hey everyone,

I've got a boxed app called ReqLogic that installs, by default, under the default website on an IIS6 (W2k3) server in a W2k3 Forest / Domain called  Directory Security for the Virtual Directory on the site is "Integrated Windows Authentication."  The site itself is installed on 2 servers and inside and outside of the Default Web Site, and the results are the same.

Users in can access this problem...their Windows credentials are passed to the application and if they are a user, the Login screen takes those creds and passes them right in.  This is an older W2k Native Domain and the users actually cross into the new domain where the IIS6 server is to obtain the website.

***Problem - users that reside in the new domain with new W2k3 accounts in the W2k3 domain/forest can't access this Virtual Directory.  The webserver resides in the same domain as the user accounts, but we get the Event ID: 529 errors like Kerberos can't cross the domains.

Can anyone shed some light on this please.

Muchos Gracias!!!
Event ID: 529

Logon Failure:
    Reason:                  Unknown user name or bad password
    User Name:
    Logon Type:              3
    Logon Process:           Kerberos
    Authentication Package:  Kerberos
    Workstation Name:        -
    Caller User Name:        -
    Caller Domain:           -
    Caller Logon ID:         -
    Caller Process ID:       -
    Transited Services:      -
    Source Network Address:
    Source Port:             2841

Question by: Team-PSO
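The Event ID 529 record quoted above is the kind of thing worth parsing in bulk when chasing an IIS Integrated Windows Authentication problem, since a Kerberos failure with Logon Type 3 (network logon) is exactly what a failed Negotiate handshake to the web server produces. The following is an added example, not code from the question or from ReqLogic; the sample records are constructed in the same layout as the quoted event, with placeholder user names and addresses.

```python
import re
from collections import Counter

# Constructed sample modelled on the Event ID 529 record quoted in the question.
# User names, addresses and the NTLM record are placeholders, not from the page.
SAMPLE_EVENTS = """\
Event ID: 529
    Reason:             Unknown user name or bad password
    User Name:          jdoe
    Logon Type:         3
    Logon Process:      Kerberos
    Authentication Package:  Kerberos
    Workstation Name:   -
    Source Network Address: 10.0.0.15
---
Event ID: 529
    Reason:             Unknown user name or bad password
    User Name:          jdoe
    Logon Type:         3
    Logon Process:      NtLmSsp
    Authentication Package:  NTLM
    Workstation Name:   WS01
    Source Network Address: 10.0.0.15
"""

# One "Key: value" line; the key may contain spaces, the value may be empty.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")

def parse_events(text):
    """Split a text export on '---' and return each 529 record as a dict.
    A bare '-' (as in the quoted event) is normalised to an empty string."""
    events = []
    for chunk in text.split("---"):
        rec = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                val = m.group("val")
                rec[m.group("key")] = "" if val == "-" else val
        if rec.get("Event ID") == "529":
            events.append(rec)
    return events

def kerberos_network_failures(events):
    """529 records that are Kerberos network (type 3) logons: the signature of
    a browser's Negotiate attempt to IIS failing rather than a bad password."""
    return [e for e in events if e.get("Logon Type") == "3"
            and e.get("Authentication Package", "").lower() == "kerberos"]

def failures_by_source(events):
    """Count failures per client address so one misbehaving client stands out."""
    return Counter(e.get("Source Network Address", "") for e in events)
```

Run over a real export, a client that fails with Kerberos but succeeds with NTLM for the same site points at the name the browser used (FQDN vs IP) rather than at the account.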
    LVL 22

    Expert Comment

    This sounds like the application knows that it was installed in or is supposed to authenticate against oldDomain and has a reference in its configuration to that domain.

    Do you have a central database that the application connects to that holds configuration information where this might be configured?  Based on your description of the problem, this does not appear to be normal IIS authentication.

    Author Comment

    I've got a meeting tomorrow about it with my applications department...and I'll bring this up for sure.

    I'll post back :o)

    Thanks a lot,

    Author Comment

    Hey again,

    I made some progress with it.

    There were multiple websites (virtual directories) under the default website and we used a JScript to separate the users based on what DNS name they came from...based on that...they would be forwarded to the appropriate sub-site (virtual directory).

    ***Remember from before - everything is fine if the user accounts come from the older W2k domain to the newer W2k3 domain where the website and server reside...if the user account is in the newer domain with the website and would not work before...UNTIL I forwarded the user to the IP and not the FQDN.

    So...I've made a DNS "A" record for "" that point to and when the user comes to it...the JS reads what URL they arrived from and forwards them.

    ***So the Question is - why do users that reside in the same domain/forest as the website and IIS server have problems accessing the site via FQDN and have to use the IP of the server?

    Remember - the site uses "Integrated Windows Authentication" anonymous access to the virtual directory.

    Thanks again
    // Redirect based on the host name the user arrived on. The original post had
    // both assignments after the if with no braces, so the second one always ran;
    // an if/else is assumed here. The target URLs were elided in the original post.
    if ( /http:\/\/rl-test\.mydomain\.int/i.test(location.href) ) {
        location.href = "";
    } else {
        location.href = "";
    }


    Author Comment

    Can the JavaScript zone be added to this question please?
    Thanks a lot
    LVL 22

    Expert Comment

    Because the machines that are in the domain are probably just using the machine name and not the FQDN to access the server.  With the old machines/domains they would most likely need to use the full domain name to access the server, whereas machines in the same name will resolve it by default, but the browser will still only pass the machine name unless they type in the full thing.

    Author Comment

    Thanks for the quick reply...but I'm testing it on a workstation that is in the same domain as the website/server with an account that is also in the same domain.

    I enter and the JavaScript forwards me to and it doesn't work.

    If I enter and the JavaScript forwards me to it works.
    LVL 22

    Assisted Solution

    OK, I see what is happening in the examples you provide ... one server name redirects to an IP and works correctly; the other is redirecting to a machine name and it does not work.

    So, is the supposed to work?  Is this the correct name of the server?    Does an NSLOOKUP actually resolve to the IP of that it is supposed to?

    I see in the example you have that the directory name in the reference with the machine name is not the same case ... in IIS this SHOULD not matter but you might want to check this.

    Author Comment

    Got with my Layer 1-2-3 guys...they might have something funny in the ISA proxy they've messed with.
    Another user stated this used to happen with SharePoint when the ISA wasn't correctly configured.

    NSLookup checks clean and the is supposed to it works okay for users in the old domain. is an Alias in DNS for the FQDN

    I'm pretty close now...I'll post back.

    thanks a lot,

    Accepted Solution

    Ahhh...I figured it out.

    The new W2k3 domain has in the GPO for the Default Domain, in IE - checked off by default - Enable Integrated Windows Authentication in the Advanced tab of IE Tools.

    The older W2k domain does not have that.  If you uncheck can use FQDNs on the LAN.

    That's all it was and the consultants were blaming IIS the whole time.

    Thanks a lot for your help cj_1969
