Solved

How to accept users from a non-trusted domain but still use NTLM

Posted on 2009-05-18
367 Views
Last Modified: 2013-12-04
I am using IIS on Windows Server 2003, isapi redirect and Tomcat.

The web server runs in a domain, but users are coming from another domain.
No trust relationship is in place. I want to use NTLM to get the credentials without the user typing them. The Tomcat application will be doing the authentication, so I need IIS to pass the credentials.

I have trouble stopping IIS from authenticating the users against the local server. I used the IIS diagnostic tools to debug this. Using WFetch, forcing NTLM with a user/domain/password that exists on the server, IIS lets me access the pages. But if I use a user unknown on the server, then I get an authentication failure.

I have tried to play with the permission, using the group Everyone on the directory, and
enabled the security policy "Let everyone permissions apply to anonymous users".

I have made a similar configuration on Windows XP (within a workgroup) without problem. But on Windows Server I have issues, and I am not sure why.

How can I force IIS to accept the credentials as-is without rejecting the user?

Thanks

Question by:zdom
11 Comments
 
LVL 22

Expert Comment

by:cj_1969
ID: 24423754
If the users are coming from another domain then the only way to get this to work, the way you want it to, is to enable BASIC authentication on the site and have the browser pass the credentials in clear text.  As this is a security risk, the acceptable way to mitigate this is to require SSL for this connection to the web server.

Any other method would use MS encryption and you would not be able to get the pw.  Even if you get the ID, unless you are just verifying that, you would not be able to "authenticate" them.
0
 
LVL 1

Expert Comment

by:esambo
ID: 24424152
Please ensure that Tomcat is running on the same server as IIS. Otherwise you will get a "double-hop" (http://weblogs.asp.net/avnerk/archive/2004/09/22/232967.aspx) error where the security tokens will NOT be forwarded to Tomcat which would explain your authentication error.
You can avoid this by running Tomcat and IIS on the same server or by using Kerberos instead of NTLM.
0
 
LVL 22

Accepted Solution

by: cj_1969 (earned 250 total points)
ID: 24424292
I think I might have missed the gist of the question when I responded the first time ...
Since this server is a member of the domain, as long as it is not a domain controller, then you need to get that out of your head.  I presume you have WIA (Windows Integrated Authentication) enabled for the directory in question (otherwise you would never grab the user credentials).  Next, you need to grant the NTFS permissions on the directory structure to allow ALL users.  To do this, I believe you are going to need to grant EVERYONE from the LOCAL MACHINE (not domain users) access to the directory ... you might need to grant the guest account access to it.  You will also want to remove the anonymous access from the directory so that it will force IIS to make the users send credentials.
0

Author Comment

by:zdom
ID: 24425276
I have IIS and Tomcat on the same system, so I don't have the double hop issue.
As the users are coming from a trusted source, what I really need for now is the username. And yes, I have selected "Windows Integrated Authentication". So I think you understood my issue very well.

I agree with cj_1969's suggestion, this is probably my problem. Now my question is that I am not sure how to do it.

I log on to the box using a user with admin rights, and I granted Read & Execute on the directory to the group Everyone. You said: "you are going to need to grant EVERYONE from the LOCAL MACHINE access (not domain user)", I think I did that:
I added 'Everyone' in the Local Security Settings, User Rights Assignment, Access this computer from the network. Should I do something else?
0
 
LVL 22

Expert Comment

by:cj_1969
ID: 24425363
You probably still need to enable Windows Integrated Authentication with BASIC authentication in IIS on this directory/web app also.
0
 

Author Comment

by:zdom
ID: 24426807
I made several tests, maybe that will help figure out this problem.
My current set-up is WIA and Basic are selected.
I use WFetch to send a request with NTLM auth.

When only WIA and Basic are selected, then I get an error in the IIS logs:
/jakarta/isapi_redirector2.dll - 80 - 401 2

If I also select anonymous access, and use WFetch with NTLM to access the site:
- Case 1: using a valid user on the system, I get access, and in IIS's log I see the username
- Case 2: using an invalid user name (coming from another domain), I get access, and in IIS's log I see 'Guest' as the user name.
- Case 3: using Internet Explorer, I have access, but no username shows up in the log

So I am assuming that by default IE is not sending the credentials; in this case I configured the browser to send login/password and added the web site to the trusted list.

Do you understand why usernames are converted to Guest?
and why I don't see a user name when I use IE?

0
 
LVL 1

Assisted Solution

by: esambo (earned 250 total points)
ID: 24426942
You have to turn off anonymous access. I would also turn off Basic Authentication and only leave Windows Integrated Authentication on.
Accessing a web site configured like that with IE should show a HTTP Status code of 401 (http://en.wikipedia.org/wiki/List_of_HTTP_status_codes) which is the browsers first attempt to connect as anonymous. The HTTP 401 response tells the browser that authentication is necessary for that site. IE will now make a second request to the web server and provide a security token of the currently logged in Windows user.
I also configure my web.config of my ASP.NET web sites to "impersonate" the user which will run the web server request as that user instead of the user with which IIS is configured.
0
 

Author Comment

by:zdom
ID: 24427300
You bring up a good point. I should do the "impersonate" config.
When I remove both basic and anonymous, I get error 401.2
/jakarta/isapi_redirector2.dll - 80 -  401 2 64

0
 
LVL 1

Expert Comment

by:esambo
ID: 24427385
I just looked through one of my own IIS log files:

#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status sc-substatus
2009-05-19 22:51:29 GET /LRRS/jScript.js - - <my ip address> 401 2
2009-05-19 22:51:29 GET /LRRS/jScript.js - - <my ip address> 401 1
2009-05-19 22:51:30 GET /LRRS/jScript.js - <my user ID> <my ip address> 200 0

IE had to make three requests until it finally got the correct HTTP 200 response.

Do you get a HTTP 200 response after your 401.2?
0
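The three-request pattern esambo shows above (401.2, 401.1, then 200 with a user name) and the lone `401 2 64` line zdom quoted can be checked mechanically rather than by eye. The following Python is an added example, not code from this thread: it parses W3C-format IIS log text using the `#Fields` directive, groups requests by client IP and URI, and labels each group as a completed Integrated Windows Authentication exchange, a Guest-mapped logon (zdom's case 2), an anonymous hit with no user name (case 3), or a challenge the client never answered. The sample log is constructed; the IP addresses and the `OTHERDOM\alice` account are placeholders.

```python
"""Label IIS W3C log entries by their Integrated Windows Authentication outcome.

Added example for this thread, not code posted by any participant.
IIS 6 substatus meanings used here: 401.1 = logon failed,
401.2 = logon failed due to server configuration (the challenge IIS issues
when no credentials were sent); Win32 status 64 = ERROR_NETNAME_DELETED,
i.e. the client closed the connection.
"""
from collections import defaultdict

# Constructed sample in the #Fields layout esambo posted, plus sc-win32-status.
# IP addresses and the OTHERDOM\alice account are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status sc-substatus sc-win32-status
2009-05-19 22:51:29 GET /LRRS/jScript.js - - 10.0.0.11 401 2 2148074254
2009-05-19 22:51:29 GET /LRRS/jScript.js - - 10.0.0.11 401 1 0
2009-05-19 22:51:30 GET /LRRS/jScript.js - OTHERDOM\\alice 10.0.0.11 200 0 0
2009-05-19 22:52:02 GET /jakarta/isapi_redirector2.dll - - 10.0.0.12 401 2 64
2009-05-19 22:52:40 GET /jakarta/isapi_redirector2.dll - Guest 10.0.0.13 200 0 0
2009-05-19 22:53:05 GET /jakarta/isapi_redirector2.dll - - 10.0.0.14 200 0 0
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in #Fields."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("log data appears before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def classify_handshakes(rows):
    """Group requests by (client IP, URI) and label each group's auth outcome.

    Returns {(c-ip, cs-uri-stem): (label, final cs-username)}.
    """
    groups = defaultdict(list)
    for r in rows:
        groups[(r["c-ip"], r["cs-uri-stem"])].append(r)

    results = {}
    for key, reqs in groups.items():
        statuses = [(int(r["sc-status"]), int(r["sc-substatus"])) for r in reqs]
        final, last = reqs[-1], statuses[-1]
        user = final["cs-username"]
        if last[0] == 200:
            if user == "-":
                # Served with no credentials: anonymous access is still enabled.
                label = "anonymous: served without credentials"
            elif user.split("\\")[-1].lower() == "guest":
                # Unknown account accepted because the Guest account is enabled.
                label = "guest-mapped: unknown account accepted as Guest"
            elif (401, 2) in statuses:
                label = "integrated auth completed: challenge, response, then 200 with user name"
            else:
                label = "authenticated: no 401 challenge logged for this client/URI"
        elif last == (401, 2):
            if final.get("sc-win32-status") == "64":
                label = "challenge issued but client dropped the connection (win32 64)"
            else:
                label = "challenge issued, no response seen"
        elif last == (401, 1):
            label = "logon failed: credentials rejected by the server"
        else:
            label = f"ended with {last[0]}.{last[1]}"
        results[key] = (label, user)
    return results


if __name__ == "__main__":
    for (ip, uri), (label, user) in classify_handshakes(parse_w3c(SAMPLE_LOG)).items():
        print(f"{ip:<12} {uri:<32} {user:<16} {label}")
```

The "challenge issued but client dropped the connection" label is the signature of zdom's eventual finding: a network device between browser and server that breaks the NTLM exchange leaves IIS with a 401.2 and a closed socket, never the follow-up request carrying the Type 3 token. Grouping by client and URI is deliberately loose; on a busy server you would also bound the group by time.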
 

Author Comment

by:zdom
ID: 24427636
I found out that the network has a component that blocks NTLM; it probably disconnects between the requests. If I route the traffic directly to the box it works as you indicated. Except I need to impersonate, but that's fine. Thanks guys!
0
 

Author Closing Comment

by:zdom
ID: 31582864
Great support, detailed explanations. They tried to understand the issue and came up with great information.
0
