Integrated Windows Authentication for sitewithsplit.com from local net

site.local (now sitewithsplit.com) worked perfectly earlier with SSO when it had a name from a local DNS server.

Now it’s been moved to the DMZ (Internet IP), with a new name, sitewithsplit.com. But it’s also accessible from the local net with a local IP. From the internal network sitewithsplit.com gets the internal IP, and from the Internet it gets the public Internet IP. This is, from what I understand, a split-DNS configuration.

Should it be possible from the internal net (with an authenticated user) to use the integrated Windows Authentication (SSO)? And from outside not?

From what I’ve read, it should be possible to use the same SSO function (Integrated Windows Authentication) on sitewithsplit.com if it has a local IP. (Authenticated AD user on a Windows 10 computer running in local net).

sitewithsplit.com has been added to Trusted Sites in IE settings, and under Security Settings > Logon, 'Automatic logon with current user name and password' is selected. Before, it was in the Intranet Zone.

Also, under Settings > Internet Options > Advanced tab > Security section, the option 'Enable Integrated Windows Authentication' is on.

I test this in Internet Explorer and Edge. It should also work in Chrome.

When entering sitewithsplit.com it should automatically log in with an authenticated user with a machine connected to the local net. But I get prompted for username and password. So, my question is:

Is it possible to use Integrated Windows Authentication for sitewithsplit.com from the local net? If not, then I think the best option is to manually log in.
greenshootsAsked:
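An added client-side check, not from the thread, for the three things the question depends on: what the split-DNS view hands out for the name, which IE/Edge security zone the name lands in, and whether that zone's Logon policy allows automatic logon. The host name and the private-address ranges are assumptions; the registry locations are the per-user ones Internet Explorer uses (entries pushed by GPO sit under HKLM instead).

```powershell
# Added example, not from the original thread: a client-side check of the pieces
# the question relies on for Integrated Windows Authentication from the local net.
# Assumption: run in the user's own session; the host name below is the one from the thread.
param([string]$HostName = 'sitewithsplit.com')

# 1. Split DNS: does the name resolve to a private (RFC 1918) address from this client?
$records = Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
foreach ($r in $records) {
    $isPrivate = $r.IPAddress -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
    "$HostName -> $($r.IPAddress) ($(if ($isPrivate) { 'internal view' } else { 'public view' }))"
}

# 2. Which security zone the name is assigned to (per-user ZoneMap; GPO-pushed entries live under HKLM).
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted' }
$inetKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$domainKey = "$inetKey\ZoneMap\Domains\$HostName"
$zone = 3   # a dotted name with no explicit mapping is treated as Internet
if (Test-Path $domainKey) {
    $props = Get-ItemProperty -Path $domainKey
    foreach ($scheme in 'http', 'https', '*') {
        if ($null -ne $props.$scheme) { $zone = [int]$props.$scheme }
    }
}
"Zone for $HostName : $zone ($($zoneNames[$zone]))"

# 3. The zone's Logon policy (value 1A00). IWA in the browser needs 'automatic logon' for that zone.
$logonNames = @{
    0       = 'automatic logon with current user name and password'
    0x10000 = 'prompt for user name and password'
    0x20000 = 'automatic logon only in Intranet zone'
    0x30000 = 'anonymous logon'
}
$logon = (Get-ItemProperty -Path "$inetKey\Zones\$zone" -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
$logonText = 'not set in HKCU (zone default applies)'
if ($null -ne $logon -and $logonNames.ContainsKey([int]$logon)) { $logonText = $logonNames[[int]$logon] }
"Logon policy (1A00) for zone $zone : $logonText"

# 4. The global switch behind 'Enable Integrated Windows Authentication' on the Advanced tab.
$negotiate = (Get-ItemProperty -Path $inetKey -Name EnableNegotiate -ErrorAction SilentlyContinue).EnableNegotiate
"EnableNegotiate: $(if ($negotiate -eq 1) { 'on' } else { 'off or not set' })"

# Summary: a name outside Local Intranet whose zone is not set to automatic logon will prompt,
# regardless of whether DNS handed out the internal address.
if ($zone -ne 1 -and $logon -ne 0) {
    "Expect a credential prompt for $HostName from this client."
}
```

Run it from an internal client and then from an external one to see both DNS views alongside the zone and logon settings that decide whether the browser sends credentials.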
footechCommented:
If I'm understanding correctly, you're saying you have a domain-joined machine in your DMZ?  If so, that's a bad setup, and instead I would recommend you set up a reverse proxy or web application firewall in the DMZ which will proxy traffic onto the server which is inside your network.  Internet clients would go through the proxy to get to your server, while internal users would access it directly.

I wouldn't want to allow Windows Integrated Authentication to all sites in Trusted Sites.  That should be reserved for Local Intranet.  I'd be concerned about leaking credentials.

Certain communication has to be allowed between a machine (e.g. your webserver) and AD for Windows Integrated Authentication to work (though I don't recall which specific ports).
greenshootsAuthor Commented:
The domain-joined machine is not in DMZ. It is in site.local. But sitewithsplit.com is a separate Zone in the site.local DNS.
ArneLoviusCommented:
Is the web server joined to the domain ?

If the web server is joined to the domain, how does it communicate with AD from the DMZ ?
mikecrIT Architect/Technology Delivery ManagerCommented:
Keep in mind that ANY AUTHENTICATION is website related and not based on what IP you're using or where the website is located (DMZ). If you turn on Windows Integrated Authentication it is configured for the whole website whether you access it internally or from the internet. If you want to have more lax authentication for outside the network you need to have a different website configured.

I also do have to agree with Footech above. If  you're going to open a website to the internet, I would highly suggest that you follow his recommendation for a reverse proxy or application firewall to protect your website.
greenshootsAuthor Commented:
> Is the web server joined to the domain ?

Yes

> If the web server is joined to the domain, how does it communicate with AD from the DMZ ?

I am not 100% sure, but I guess a port/IP forwarding in the firewall. (Static Internet IP and the local IP)
greenshootsAuthor Commented:
> If you want to have more lax authentication for outside the network you need to have a different website configured.

Do you mean, for example, integrate with a third-party authentication service or my own service?

> I also do have to agree with Footech above. If you're going to open a website to the internet, I would highly suggest that you follow his recommendation for a reverse proxy or application firewall to protect your website.

The webserver is behind a firewall. I don't know so much about the config at the moment. I am pretty sure there is a software firewall as well.

If an unauthenticated user tries to access the site it won't work. Then the manual login comes.

I have a feeling that I should deactivate all Windows Authentication for this site...
mikecrIT Architect/Technology Delivery ManagerCommented:
If you need the site to be able to be accessed by people on the internet you can't use Windows Authentication, you need to use anonymous unless you have people sign up for a username and password. Authentication in Windows is site specific. I can have one website anonymous, one using Windows authentication, one using basic authentication, etc. and so on. You can't however have one open to the internet and use authentication without providing a way to create a username/password to access it. Make really sure that you don't have any information on that website that you don't want to be made public such as credit card numbers, people's names and addresses, etc. This will get you into a lot of trouble.

What I would do is if you want some information open to the internet and other information accessible to people internally, then you need to set file level permissions on those files so that an anonymous user from the internet doesn't get access to them. This way if they attempt to access them they will get prompted for a username/password.
ArneLoviusCommented:
I'd suggest checking that the web server actually has access to AD. A simple test would be to create a directory and then try and add permissions for an AD user to the directory. If it is possible to browse AD to add the user, then it obviously has access to AD, and if it is not, then no forms of AD authentication will work.

greenshootsAuthor Commented:
> I'd suggest checking that the web server actually has access to AD, a simple test would be to create a directory and then try and add permissions for an AD user to the directory, if it is possible to browse AD to add the user, then it obviously has access to AD, and if it is not, then no forms of AD authentication will work.

I am not sure how to test that because I do not have complete access to that webserver. But it has the possibility to join the domain.
But I have now disabled all Windows Authentication features and unjoined the domain and also removed all GPOs related to Windows Authentication for IE, (Chrome) and Firefox. I am pretty satisfied with not using SSO because it seems to be complicated and also too risky to use SSO because of security holes.
greenshootsAuthor Commented:
Thank you for good help. It helped me to decide what to do.