zdom
asked on
How to accept users from a non-trusted domain but still use NTLM
I am using IIS on Windows Server 2003, the ISAPI redirector and Tomcat.
The web server runs in a domain, but the users are coming from another domain.
No trust relationship is in place. I want to use NTLM to get the credentials without the user typing them. The Tomcat application will be doing the authentication, so I need IIS to pass the credentials through.
I am having trouble preventing IIS from authenticating the users against the local server. I use the IIS diagnostic tools to debug this. Using WFetch, forcing NTLM with a user/domain/password that exists on the server, IIS lets me access the pages. But if I use a user unknown on the server, then I get an authentication failure.
I have tried playing with the permissions, using the group Everyone on the directory, and enabled the security policy "Let Everyone permissions apply to anonymous users".
I have made a similar configuration on Windows XP (within a workgroup) without problem. But on Windows Server I have issues, and I am not sure why.
How can I force IIS to accept the credentials as-is without rejecting the user?
Thanks
Please ensure that Tomcat is running on the same server as IIS. Otherwise you will get a "double-hop" (http://weblogs.asp.net/avnerk/archive/2004/09/22/232967.aspx) error, where the security tokens will NOT be forwarded to Tomcat, which would explain your authentication error.
You can avoid this by running Tomcat and IIS on the same server or by using Kerberos instead of NTLM.
ASKER CERTIFIED SOLUTION (only available to Experts Exchange members)
ASKER
I have IIS and Tomcat on the same system, so I don't have the double-hop issue.
As the users are coming from a trusted source, what I really need for now is the username. And yes, I have selected "Windows Integrated Authentication". So I think you understood my issue very well.
I agree with cj_1969's suggestion; this is probably my problem. Now my question is that I am not sure how to do it.
I logged on to the box using a user with admin rights and granted Read & Execute on the directory to the group Everyone. You said: "you are going to need to grant EVERYONE from the LOCAL MACHINE access (not domain user)". I think I did that:
I added 'Everyone' in the Local Security Settings, User Rights Assignment, "Access this computer from the network". Should I do something else?
You probably still need to enable Windows Integrated Authentication together with Basic authentication in IIS on this directory/web app as well.
ASKER
I made several tests; maybe that will help figure out this problem.
My current set-up is: WIA and Basic are selected.
I use WFetch to send a request with NTLM auth.
When only WIA and Basic are selected, then I get an error in the IIS logs:
/jakarta/isapi_redirector2.dll - 80 - 401 2
If I also select anonymous access, and use WFetch with NTLM to access the site:
- Case 1: using a valid user on the system, I get access, and in IIS's log I see the username
- Case 2: using an invalid user name (coming from another domain), I get access, and in IIS's log I see 'Guest' as the user name
- Case 3: using Internet Explorer, I have access, but no username shows up in the log
So I am assuming that by default IE is not sending the credentials unless, as in this case, I configure the browser to send login/password and add the web site to the trusted list.
Do you understand why usernames are converted to Guest, and why I don't see a user name when I use IE?
SOLUTION (only available to Experts Exchange members)
ASKER
You bring up a good point. I should do the "impersonate" config.
When I remove both Basic and Anonymous, I get error 401.2:
/jakarta/isapi_redirector2.dll - 80 - 401 2 64
I just looked through one of my own IIS log files:
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status sc-substatus
2009-05-19 22:51:29 GET /LRRS/jScript.js - - <my ip address> 401 2
2009-05-19 22:51:29 GET /LRRS/jScript.js - - <my ip address> 401 1
2009-05-19 22:51:30 GET /LRRS/jScript.js - <my user ID> <my ip address> 200 0
IE had to make three requests until it finally got the correct HTTP 200 response.
Do you get a HTTP 200 response after your 401.2?
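The three-line 401.2 / 401.1 / 200 pattern in the log excerpt above is what a completed NTLM handshake looks like in an IIS W3C log, and the other situations raised in this thread (a request served under the Guest account, a request served with no username at all, and a 401.2 that never gets its follow-up because something on the path breaks the handshake) are visible in the same fields. The script below is an added example, not code from this thread or from IIS: it parses a constructed log fragment laid out with the same #Fields header and classifies each client/URL pair by how its exchange ended. The IP addresses, user names and the verdict labels are illustrative assumptions.

```python
"""Classify Integrated Windows Authentication outcomes from IIS W3C log lines.

IIS writes one line per HTTP request, so an NTLM handshake spans several
lines for the same client and URL. The sample below is constructed for this
example (IPs, names and URLs are made up); the #Fields layout matches the
excerpt quoted in the thread.
"""
from collections import defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status sc-substatus
2009-05-19 22:51:29 GET /LRRS/jScript.js - - 10.0.0.5 401 2
2009-05-19 22:51:29 GET /LRRS/jScript.js - - 10.0.0.5 401 1
2009-05-19 22:51:30 GET /LRRS/jScript.js - CORP\\alice 10.0.0.5 200 0
2009-05-19 22:52:01 GET /jakarta/isapi_redirector2.dll - - 10.0.0.7 401 2
2009-05-19 22:52:01 GET /jakarta/isapi_redirector2.dll - - 10.0.0.7 401 1
2009-05-19 22:52:02 GET /jakarta/isapi_redirector2.dll - Guest 10.0.0.7 200 0
2009-05-19 22:53:10 GET /jakarta/isapi_redirector2.dll - - 10.0.0.9 401 2
2009-05-19 22:54:00 GET /jakarta/isapi_redirector2.dll - - 10.0.0.11 200 0
"""


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no requests
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed lines rather than guessing at columns
        rows.append(dict(zip(fields, values)))
    return rows


def classify_sessions(rows):
    """Return {(c-ip, cs-uri-stem): (verdict, cs-username)} for each client/URL pair.

    Verdict labels are this example's own, chosen to mirror the cases in the thread:
      authenticated        - handshake (or other auth) ended in 200 with a real account
      guest-fallback       - ended in 200 but the logged account is Guest
      anonymous            - 200 with no username, i.e. served without credentials
      incomplete-handshake - last response was still a 401, never reached 200
      other-error          - last response was some other non-200 status
    """
    groups = defaultdict(list)
    for r in rows:
        groups[(r["c-ip"], r["cs-uri-stem"])].append(r)

    verdicts = {}
    for key, reqs in groups.items():
        last = reqs[-1]
        user = last["cs-username"]
        if last["sc-status"] == "401":
            verdict = "incomplete-handshake"
        elif last["sc-status"] != "200":
            verdict = "other-error"
        elif user == "-":
            verdict = "anonymous"
        elif user.rsplit("\\", 1)[-1].lower() == "guest":
            verdict = "guest-fallback"
        else:
            verdict = "authenticated"
        verdicts[key] = (verdict, user)
    return verdicts


def summarize(verdicts):
    """Count how many client/URL pairs fell into each verdict."""
    counts = defaultdict(int)
    for verdict, _user in verdicts.values():
        counts[verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    results = classify_sessions(parse_w3c(SAMPLE_LOG))
    for (ip, uri), (verdict, user) in results.items():
        print(f"{ip:10} {uri:35} {verdict:21} {user}")
    print(summarize(results))
```

Grouping by client address and URL is a simplification: a real analysis would also bound the time window between the 401.2 and the 200, since a client that retries minutes later is a separate attempt. A pair that stays at "incomplete-handshake" is the signature worth hunting for when, as the asker found, a device between the browser and IIS drops the connection mid-handshake.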
ASKER
I found out that the network has a component that blocks NTLM; it probably disconnects between the requests. If I route the traffic directly to the box, it works as you indicated, except that I need to impersonate, but that's fine. Thanks guys!
ASKER
Great support, detailed explanations. They tried to understand the issue and came up with great information.
Any other method would use MS encryption and you would not be able to get the password. Even if you get the ID, unless you are just verifying that, you would not be able to "authenticate" them.