
How to accept users from a non-trusted domain but still use NTLM

Posted on 2009-05-18
Last Modified: 2013-12-04
I am using IIS on Windows Server 2003, isapi redirect and Tomcat.

The web server runs in a domain, but users are coming from another domain.
No trust relationship is in place. I want to use NTLM to get the credentials without the user typing them. The Tomcat application will be doing the authentication, so I need IIS to pass the credentials through.

I am having trouble preventing IIS from authenticating the users against the local server. I used the IIS diagnostic tools to debug this. Using WFetch, forcing NTLM with a user/domain/password that exists on the server, IIS lets me access the pages. But if I use a user unknown on the server, then I get an authentication failure.

I have tried to play with the permissions, using the group Everyone on the directory, and enabled the security policy "Let Everyone permissions apply to anonymous users".

I have made a similar configuration on Windows XP (within a workgroup) without problem. But on Windows Server I have issues, and I am not sure why.

How can I force IIS to accept the credentials as-is without rejecting the user?

Thanks

Question by:zdom
 
LVL 22

Expert Comment

by:cj_1969
ID: 24423754
If the users are coming from another domain then the only way to get this to work, the way you want it to, is to enable BASIC authentication on the site and have the browser pass the credentials in clear text.  As this is a security risk, the acceptable way to mitigate this is to require SSL for this connection to the web server.

Any other method would use MS encryption and you would not be able to get the pw.  Even if you get the ID, unless you are just verifying that, you would not be able to "authenticate" them.
 
LVL 1

Expert Comment

by:esambo
ID: 24424152
Please ensure that Tomcat is running on the same server as IIS. Otherwise you will get a "double-hop" (http://weblogs.asp.net/avnerk/archive/2004/09/22/232967.aspx) error where the security tokens will NOT be forwarded to Tomcat which would explain your authentication error.
You can avoid this by running Tomcat and IIS on the same server or by using Kerberos instead of NTLM.
 
LVL 22

Accepted Solution

by:cj_1969 (earned 250 total points)
ID: 24424292
I think I might have missed the gist of the question when I responded the first time ...
Since this server is a member of the domain, as long as it is not a domain controller, then you need to get that out of your head.  I presume you have WIA (Windows Integrated Authentication) enabled for the directory in question (otherwise you would never grab the user credentials).  Next, you need to grant the NTFS permissions on the directory structure to allow ALL users.  To do this, I believe you are going to need to grant EVERYONE from the LOCAL MACHINE (not domain users) access to the directory ... you might need to grant the Guest account access to it.  You will also want to remove anonymous access from the directory so that it will force IIS to make the users send credentials.
 

Author Comment

by:zdom
ID: 24425276
I have IIS and Tomcat on the same system, so I don't have the double hop issue.
As the users are coming from a trusted source, what I really need for now is the username. And yes, I have selected "Windows Integrated Authentication". So I think you understood my issue very well.

I agree with cj_1969's suggestion, this is probably my problem. Now my question is that I am not sure how to do it.

I log on to the box using a user with admin rights, and I granted Read & Execute on the directory to the group Everyone. You said: "you are going to need to grant EVERYONE from the LOCAL MACHINE access (not domain user)"; I think I did that:
I added 'Everyone' in the Local Security Settings, User Rights Assignment, "Access this computer from the network". Should I do something else?
 
LVL 22

Expert Comment

by:cj_1969
ID: 24425363
You probably still need to enable Windows Integrated Authentication with BASIC authentication in IIS on this directory/web app also.

Author Comment

by:zdom
ID: 24426807
I made several tests; maybe that will help figure out this problem.
My current set-up is: WIA and Basic are selected.
I use WFetch to send a request with NTLM auth.

When only WIA and Basic are selected, then I get an error in the IIS logs:
/jakarta/isapi_redirector2.dll - 80 - 401 2

If I also select anonymous access, and use WFetch with NTLM to access the site:
- Case 1: using a valid user on the system, I get access, and in IIS's log I see the username
- Case 2: using an invalid user name (coming from another domain), I get access, and in IIS's log I see 'Guest' as the user name
- Case 3: using internet explorer, I have access, but no username show up in the log

So I am assuming that by default IE is not sending the credentials unless, as in this case, I configure the browser to send login/password and add the web site to the trusted list.

Do you understand why usernames are converted to Guest,
and why I don't see a user name when I use IE?

 
LVL 1

Assisted Solution

by:esambo (earned 250 total points)
ID: 24426942
You have to turn off anonymous access. I would also turn off Basic Authentication and only leave Windows Integrated Authentication on.
Accessing a web site configured like that with IE should show an HTTP status code of 401 (http://en.wikipedia.org/wiki/List_of_HTTP_status_codes), which is the browser's first attempt to connect as anonymous. The HTTP 401 response tells the browser that authentication is necessary for that site. IE will now make a second request to the web server and provide a security token of the currently logged-in Windows user.
I also configure the web.config of my ASP.NET web sites to "impersonate" the user, which runs the web server request as that user instead of the user with which IIS is configured.
 

Author Comment

by:zdom
ID: 24427300
You bring up a good point. I should do the "impersonate" config.
When I remove both basic and anonymous, I get error 401.2
/jakarta/isapi_redirector2.dll - 80 -  401 2 64

 
LVL 1

Expert Comment

by:esambo
ID: 24427385
I just looked through one of my own IIS log files:

#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status sc-substatus
2009-05-19 22:51:29 GET /LRRS/jScript.js - - <my ip address> 401 2
2009-05-19 22:51:29 GET /LRRS/jScript.js - - <my ip address> 401 1
2009-05-19 22:51:30 GET /LRRS/jScript.js - <my user ID> <my ip address> 200 0

IE had to make three requests until it finally got the correct HTTP 200 response.

Do you get a HTTP 200 response after your 401.2?
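The three-request sequence esambo shows above (401.2, then 401.1, then 200 with a username) is the NTLM challenge/response exactly as IIS logs it, and zdom's earlier observations (Guest in the username column, or a lone "401 2 64" with nothing after it) are the two failure modes worth spotting in the same logs. The script below is an added example, not code from either poster: it parses IIS W3C extended log lines using the #Fields directive and labels each client/URI request sequence by how its handshake ended. The sample lines are constructed; the field order, IP addresses and account names are assumptions. The trailing 64 in zdom's 401 line is most likely the sc-win32-status column, and Win32 error 64 is ERROR_NETNAME_DELETED, i.e. the connection went away before the client answered the challenge, which is consistent with something in the path dropping it between requests.

```python
"""Classify Integrated (NTLM) authentication handshakes from IIS W3C log lines.

Added example, not code from the original thread. It parses the #Fields
directive exactly as IIS writes it, groups requests by client IP and URI in
order of appearance, and labels each sequence as a completed challenge/response
(401.2 -> 401.1 -> 200 with a username), a fall-through to the Guest account,
or a handshake that stalled after the first 401.
"""
from collections import OrderedDict
from typing import Dict, Iterable, List, Tuple

# Constructed sample log (not real traffic). The field list is the one quoted
# in the thread plus sc-win32-status; the 64 on the last line is Win32 error
# ERROR_NETNAME_DELETED, recorded when the client connection goes away
# mid-handshake. IPs and account names are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-05-19 22:51:29
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status sc-substatus sc-win32-status
2009-05-19 22:51:29 GET /LRRS/jScript.js - - 10.0.0.5 401 2 0
2009-05-19 22:51:29 GET /LRRS/jScript.js - - 10.0.0.5 401 1 0
2009-05-19 22:51:30 GET /LRRS/jScript.js - CORP\\alice 10.0.0.5 200 0 0
2009-05-19 22:52:01 GET /jakarta/isapi_redirector2.dll - - 10.0.0.6 401 2 0
2009-05-19 22:52:01 GET /jakarta/isapi_redirector2.dll - Guest 10.0.0.6 200 0 0
2009-05-19 22:53:10 GET /jakarta/isapi_redirector2.dll - - 10.0.0.7 401 2 64
"""

Key = Tuple[str, str]  # (client IP, URI stem)


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C extended log text into one dict per request, keyed by #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # a new #Fields directive may appear mid-file
            continue
        if line.startswith("#"):
            continue                    # #Software, #Version, #Date ...
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue                    # no header yet, or a truncated line
        rows.append(dict(zip(fields, values)))
    return rows


def classify_handshakes(rows: List[Dict[str, str]]) -> Dict[Key, str]:
    """Label each (client IP, URI) request sequence by how its NTLM exchange ended."""
    groups: "OrderedDict[Key, List[Dict[str, str]]]" = OrderedDict()
    for r in rows:
        groups.setdefault((r["c-ip"], r["cs-uri-stem"]), []).append(r)

    outcome: Dict[Key, str] = {}
    for key, seq in groups.items():
        statuses = {(r["sc-status"], r["sc-substatus"]) for r in seq}
        last = seq[-1]
        if last["sc-status"] == "200":
            user = last["cs-username"]
            if user == "-":
                outcome[key] = "anonymous"             # never challenged, no identity logged
            elif user.split("\\")[-1].lower() == "guest":
                outcome[key] = "guest-fallback"         # unknown account mapped to Guest
            else:
                outcome[key] = "authenticated"          # 401.2 -> 401.1 -> 200 with a name
        elif ("401", "2") in statuses and ("401", "1") not in statuses:
            outcome[key] = "stalled-after-challenge"   # client never answered the challenge
        elif ("401", "1") in statuses:
            outcome[key] = "credentials-rejected"      # challenge answered, logon failed
        else:
            outcome[key] = "other"
    return outcome


if __name__ == "__main__":
    for (ip, uri), label in classify_handshakes(parse_w3c(SAMPLE_LOG.splitlines())).items():
        print(f"{ip:<10} {uri:<35} {label}")
```

Run it against a real ex*.log and look for "stalled-after-challenge" and "guest-fallback" groups: the first points at a proxy or device breaking the connection-bound NTLM exchange, the second at anonymous or Guest access still being enabled on the directory.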
 

Author Comment

by:zdom
ID: 24427636
I found out that the network has a component that blocks NTLM; it probably disconnects between the requests. If I route the traffic directly to the box it works as you indicated. Except I need to impersonate, but that's fine. Thanks guys!
 

Author Closing Comment

by:zdom
ID: 31582864
Great support, detailed explanations. They tried to understand the issue and came up with great information.
