zdom asked:
How to accept users from a none trusted domain but still use NTLM

I am using IIS on Windows Server 2003, isapi redirect and Tomcat.

The web server runs in a domain, but users are coming from another domain.
No trust relationship is in place. I want to use NTLM to get the credentials without the user typing them. The Tomcat application will be doing the authentication, so I need IIS to pass the credentials through.

I have trouble preventing IIS from authenticating the users against the local server. I use the IIS diagnostic tools to debug this. Using WFetch, forcing NTLM with a user/domain/password that exists on the server, IIS lets me access the pages. But if I use a user unknown on the server, then I get an authentication failure.

I have tried to play with the permissions, using the group Everyone on the directory, and enabled the security policy "Let everyone permissions apply to anonymous users".

I have made a similar configuration on a Windows XP machine (within a workgroup) without problems. But on Windows Server I have issues, and I am not sure why.

How can I force IIS to accept the credentials as-is without rejecting the user?

Thanks

cj_1969:
If the users are coming from another domain then the only way to get this to work, the way you want it to, is to enable BASIC authentication on the site and have the browser pass the credentials in clear text. As this is a security risk, the acceptable way to mitigate this is to require SSL for this connection to the web server.

Any other method would use MS encryption and you would not be able to get the pw. Even if you get the ID, unless you are just verifying that, you would not be able to "authenticate" them.
Please ensure that Tomcat is running on the same server as IIS. Otherwise you will get a "double-hop" (http://weblogs.asp.net/avnerk/archive/2004/09/22/232967.aspx) error where the security tokens will NOT be forwarded to Tomcat which would explain your authentication error.
You can avoid this by running Tomcat and IIS on the same server or by using Kerberos instead of NTLM.
ASKER CERTIFIED SOLUTION
zdom (ASKER):
I have IIS and Tomcat on the same system, so I don't have the double hop issue.
As the users are coming from a trusted source, what I really need for now is the username. And yes, I have selected "Windows Integrated Authentication". So I think you understood my issue very well.

I agree with cj_1969's suggestion, this is probably my problem. Now my question is that I am not sure how to do it.

I log on to the box using a user with admin rights, and I granted Read & Execute on the directory to the group Everyone. You said: "you are going to need to grant EVERYONE from the LOCAL MACHINE access (not domain user)", I think I did that:
I added 'Everyone' in the Local Security Settings, User Rights Assignment, Access This computer from the network. Should I do something else?
You probably still need to enable Windows Integrated Authentication with BASIC authentication in IIS on this directory/web app also.
zdom (ASKER):
I made several tests, maybe that will help figure out this problem.
My current set-up is WIA and Basic are selected.
I use WFetch to send a request with NTLM auth.

When only WIA and Basic are selected, then I get an error in the IIS logs:
/jakarta/isapi_redirector2.dll - 80 - 401 2

If I also select anonymous access, and use WFetch with NTLM to access the site:
- Case 1: using a valid user on the system, I get access, and in IIS's log I see the username
- Case 2: using an invalid user name (coming from another domain), I get access, and in IIS's log I see 'Guest' as the user name.
- Case 3: using Internet Explorer, I have access, but no username shows up in the log

So I am assuming that by default IE is not sending the credentials unless, as in this case, I configure the browser to send the login/password and add the web site to the trusted list.

Do you understand why usernames are converted to Guest, and why I don't see a user name when I use IE?

SOLUTION
zdom (ASKER):
You bring up a good point. I should do the "impersonate" config.
When I remove both basic and anonymous, I get error 401.2
/jakarta/isapi_redirector2.dll - 80 -  401 2 64

I just looked through one of my own IIS log files:

#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status sc-substatus
2009-05-19 22:51:29 GET /LRRS/jScript.js - - <my ip address> 401 2
2009-05-19 22:51:29 GET /LRRS/jScript.js - - <my ip address> 401 1
2009-05-19 22:51:30 GET /LRRS/jScript.js - <my user ID> <my ip address> 200 0

IE had to make three requests until it finally got the correct HTTP 200 response.

Do you get a HTTP 200 response after your 401.2?
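As an added example (not code from this thread or from Experts Exchange), the script below parses IIS log lines in the W3C format quoted above, using the #Fields directive for the column names, and labels each client/URL exchange as a completed NTLM handshake (401.2, then 401.1, then 200 with a username), an incomplete one (a 401.2 challenge never answered with a 200, which is what a middlebox dropping the connection between requests looks like), or a fall-back to Guest (anonymous access hiding the real identity, as in case 2 above). The sample log lines, IP addresses and username are constructed.

```python
"""Classify NTLM handshake outcomes from W3C-format IIS log lines."""
from collections import defaultdict

# Constructed sample log in the format quoted in the thread (not real data).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status sc-substatus
2009-05-19 22:51:29 GET /LRRS/jScript.js - - 192.0.2.10 401 2
2009-05-19 22:51:29 GET /LRRS/jScript.js - - 192.0.2.10 401 1
2009-05-19 22:51:30 GET /LRRS/jScript.js - EXAMPLE\\alice 192.0.2.10 200 0
2009-05-19 22:52:01 GET /jakarta/isapi_redirector2.dll - - 192.0.2.20 401 2
2009-05-19 22:53:10 GET /jakarta/isapi_redirector2.dll - Guest 192.0.2.30 200 0
"""

def parse_w3c(text):
    """Yield one dict per request; column names come from the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives / blank lines
        elif fields:
            yield dict(zip(fields, line.split()))

def classify_handshakes(text):
    """Group requests by (c-ip, cs-uri-stem) and label each exchange:
    'complete'   401.2 challenge answered, finished with 200 and a username
    'incomplete' 401.2 issued but no final 200 (e.g. connection dropped)
    'guest'      IIS fell back to Guest, so the remote identity is unknown
    """
    groups = defaultdict(list)
    for r in parse_w3c(text):
        groups[(r["c-ip"], r["cs-uri-stem"])].append(r)
    result = {}
    for key, reqs in groups.items():
        statuses = [(r["sc-status"], r["sc-substatus"]) for r in reqs]
        last = reqs[-1]
        if last["cs-username"].lower() == "guest":
            result[key] = "guest"
        elif ("401", "2") in statuses and statuses[-1] == ("200", "0") \
                and last["cs-username"] != "-":
            result[key] = "complete"
        elif ("401", "2") in statuses:
            result[key] = "incomplete"
        else:
            result[key] = "other"
    return result

if __name__ == "__main__":
    for key, label in classify_handshakes(SAMPLE_LOG).items():
        print(key, label)
```

Incomplete and Guest exchanges are the ones worth alerting on: the first means clients never get past the challenge, the second means the application behind IIS is trusting an identity that was never established.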
zdom (ASKER):
I found out that the network has a component that blocks NTLM; it probably disconnects between the requests. If I route the traffic directly to the box it works as you indicated. Except I need to impersonate, but that's fine. Thanks guys!
zdom (ASKER):
Great support, detailed explanations. They tried to understand the issue and came up with great information.