IIS 7.5 pass through credentials (automatic login) website

Hi,

I am looking to have users NOT be prompted for a username or password if they are locally within the office (on the domain), and to log the user in automatically by pulling this info. However, if the user is on a public-facing computer, I want it to prompt the user for credentials.

I have attempted to use Windows Authentication, but this will always prompt the user for credentials each time.

Any ideas?

Regards,

introlux

Guy Lidbetter Commented:
Have you set up the website to use NTLM or Basic Authentication?

In IIS, go to the site and open Authentication. Remove everything except Windows Authentication.
Right Click "Windows Authentication" and open up Providers. Make sure NTLM is the only provider.

Give that a go and let us know how you get on...
0
introlux (Author) Commented:
Using Windows Authentication with NTLM as the only provider and this is what is displayed when trying to access the page:

Server Error
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.

This is false, as the user I am logged in as has access and can log in using a public-facing machine to gain access to it.

Any ideas?
0
Guy Lidbetter Commented:
Do Authenticated users have read access to the virtual directory?
0
introlux (Author) Commented:
1 - It's not a virtual directory and is a physical folder
2 - I have just given Domain Users read only access and still no joy

Any more ideas?
0
introlux (Author) Commented:
There is a web config file within this directory:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <authorization>
                <remove users="*" roles="" verbs="" />
                <add accessType="Allow" users="domain\test" />
                <add accessType="Allow" roles="domain\domain users" />
                <add accessType="Allow" roles="domain.com\domain users" />
            </authorization>
            <authentication>
                <windowsAuthentication enabled="true" />
                <anonymousAuthentication enabled="false" />
            </authentication>
        </security>
    </system.webServer>
</configuration>

0
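An added example, not part of the original thread or the poster's code: a small Python check that reads the web.config posted above and reports which authentication schemes it enables and whether a given account passes its authorization rules. The evaluation order (deny first, then allow, default deny) is a simplified assumption, and the accounts `domain\alice` and `domain\bob` are constructed.

```python
import xml.etree.ElementTree as ET

# Sample input: the <configuration> element from the web.config posted above.
WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" users="domain\\test" />
        <add accessType="Allow" roles="domain\\domain users" />
        <add accessType="Allow" roles="domain.com\\domain users" />
      </authorization>
      <authentication>
        <windowsAuthentication enabled="true" />
        <anonymousAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</configuration>"""

def _names(value):
    # Rule attributes hold comma-separated names; compare them case-insensitively.
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}

def load(xml_text):
    """Return (enabled authentication schemes, authorization <add> rules)."""
    sec = ET.fromstring(xml_text).find("system.webServer/security")
    schemes = sorted(e.tag for e in sec.find("authentication")
                     if e.get("enabled", "").lower() == "true")
    rules = [(r.get("accessType", "").lower(), _names(r.get("users")), _names(r.get("roles")))
             for r in sec.find("authorization").findall("add")]
    return schemes, rules

def is_allowed(rules, user, groups=()):
    """Simplified model (assumption): any matching Deny wins, then any matching
    Allow grants; no match means denied. Inherited rules and verbs are ignored."""
    who, member_of = user.lower(), {g.lower() for g in groups}
    def hit(users, roles):
        return "*" in users or who in users or bool(roles & member_of)
    if any(hit(u, r) for kind, u, r in rules if kind == "deny"):
        return False
    return any(hit(u, r) for kind, u, r in rules if kind == "allow")

if __name__ == "__main__":
    schemes, rules = load(WEB_CONFIG)
    print("enabled schemes:", schemes)
    print("alice (Domain Users):", is_allowed(rules, "domain\\alice", ["DOMAIN\\Domain Users"]))
    print("bob (no listed group):", is_allowed(rules, "domain\\bob", ["domain\\guests"]))
```

With only `windowsAuthentication` enabled and the inherited allow-all rule removed, a 401 for a listed account points away from these rules and toward how the client reaches and authenticates to the site.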
Guy Lidbetter Commented:
Are you trying from an external source at the moment or internal?

If anonymous authentication is disabled and you are trying to log in with only NTLM, it will reject you... It should only work internally then.
0
introlux (Author) Commented:
I am trying to access via Internal and being rejected at the moment. Externally I get prompted for a username and password which is the norm.

What do you suggest doing so that internal users do not get prompted?
0
Guy Lidbetter Commented:
NTLM pulls your local security token for authentication, so it should pass your credentials across without prompting when going to the site internally.
This is now happening, but you are being denied access as shown with the 401, so I believe it is a website permission issue.

Enable Basic Authentication as well and see what happens.
0
introlux (Author) Commented:
I get prompted for the username and password which is how it should behave externally and not internally.
0
Guy Lidbetter Commented:
0
introlux (Author) Commented:
The URL is as follows:

www.domain.com

But the page that is being accessed is www.domain.com/team

Will you need to add www.domain.com/team to the intranet zone?

Also the odd behaviour is, when clicking a link from www.domain.com it does not work (401 error) but when accessing the www.domain.com/team directly from the browser it works.

Any idea?
0
Guy Lidbetter Commented:
It would seem that the "www.domain.com/team" virtual directory has the required authentication rights, and the file path it points to has the required NTFS permissions set.

I'm assuming that "www.domain.com" is the default website in IIS? If it is and you have kept all the defaults, check that Domain Users have read access to "c:\inetpub\wwwroot" - If you have changed the Default site directory, check that instead.

Or - if you do not use the root domain name "www.domain.com" - set up a forwarder to "www.domain.com/Team"
0
introlux (Author) Commented:
"www.domain.com" is the default website in IIS. Domain users have read access to "c:\inetpub\wwwroot"

I cannot set up a forwarder as the main domain name "www.domain.com" is used, which is also available to the public.
0
Guy Lidbetter Commented:
And you still receive a 401 when clicking the "www.domain.com" link?

So to be clear...
1. Clicking "www.domain.com" - 401 error
2. Clicking "www.domain.com/team" - ??
3. Typing "www.domain.com/team" - works
4. Externally credentials are required - expected - but does it work when credentials entered??

By the way... Definitely add the domain to the intranet zone
0
introlux (Author) Commented:
1. Clicking "www.domain.com" - 401 error (Web page loads fine, no 401)
2. Clicking "www.domain.com/team" - ?? (When clicking from www.domain.com to www.domain.com/team, I get a 401)
3. Typing "www.domain.com/team" - works (CORRECT)
4. Externally credentials are required - expected - but does it work when credentials entered?? (Yes it works)
0
Guy Lidbetter Commented:
Sorry... a bit confused now with the bold statement...

2. Clicking "www.domain.com/team" - ?? (When clicking from www.domain.com to www.domain.com/team, I get a 401)
I am assuming from this that there is a hyperlink on the www.domain.com page that sends you to /Team and this is the bit that is causing the issue?

Everything else works as required.
0
introlux (Author) Commented:
Yes, that is correct, it's a hyperlink on www.domain.com that takes you to the team page. That's giving a 401 error
0
introlux (Author) Commented:
Any other suggestions on this?
0
introlux (Author) Commented:
The issue was resolved by changing the internal DNS, which was pointing to the internal IP address and not to the public address.

After changing this, it worked! :-D
0

Guy Lidbetter Commented:
So accessing the page externally works?

OK then... internal people will access it externally!

But glad you got it working!
0
introlux (Author) Commented:
Changed Internal DNS
0
Question has a verified solution.
