IIS6 auth. problem

Stefan Mitterbuchner - 07 Oct 2008 08:15 GMT
Hi

I have the following system settings:
2x Windows Server 2003 cluster + SP1, also DC
IIS6 service running on the cluster
IIS auth mode: integrated Windows authentication
Cluster resource: data5

Now I have the following problem:
If I connect via http://data5/index.html everything is working fine.
If I use the FQDN or the IP address of data5
(http://data5.domain.local/index.html) I get a login prompt.
I already changed the "NTAuthenticationProviders" to "NTLM". (KB 871179)
But the problem was not fixed.
I hope somebody can help me.

Best regards
Stefan

PS: Sorry for my bad English
Daniel Crichton - 07 Oct 2008 10:27 GMT
Stefan wrote on Tue, 07 Oct 2008 09:15:21 +0200:

> Hi

> I have the following system settings:
> 2x Windows Server 2003 cluster + SP1, also DC
> IIS6 service running on the cluster
> IIS auth mode: integrated Windows authentication
> Cluster resource: data5

> Now I have the following problem:
> If I connect via http://data5/index.html everything is working fine.
[quoted text clipped - 3 lines]
> But the problem was not fixed.
> I hope somebody can help me.

> Best regards
> Stefan

If you log in from that dialog, does it work?

It sounds like you're seeing the IE security settings at work - if there is
a . in the hostname then IE treats the request as being in the "Internet
Zone" and so won't attempt to log in automatically even over NTLM. With no .
(i.e. data5) the site is treated as being in the "Intranet Zone" so it does
attempt to auto login. If you add data5.domain.local to the "Trusted Sites"
in IE it should autologin - however you will need to push this setting out
to all your users (if you use Group Policy that shouldn't be too hard, but
if you have any machines connecting you don't have control over you'll have
to ask those users to add your server hostname to the Trusted Sites list in
IE).

Dan

David Wang - 07 Oct 2008 12:08 GMT
On Oct 7, 12:15 am, Stefan Mitterbuchner <dr_mitch*NO-SP...@web.de>
wrote:
> Hi
>
[quoted text clipped - 16 lines]
>
> PS: Sorry for my bad English

This is by-design.

By default, IE does not perform auto-login for URLs with FQDN or IP
addresses because they are considered in the "Internet Zone".
Meanwhile, just "data5" is considered "Intranet Zone", which has auto-
login.

To "get around this", you will have to configure the browsers to trust
the FQDN, either by making people add the FQDN to their Trusted Sites
list, or change Internet Zone to auto login.

However, be aware that both are undesirable from a security
perspective because:
- you don't want to auto-login for the Internet Zone (that would be a
security hazard -- a hacker site can use Basic Auth + Auto-Login to
steal your username/password)
- it is a hassle to get users to add FQDN into the Trusted Sites list,
and you don't want users accustomed to adding random FQDN into their
Trusted Sites list just to "make things work".

In general, if you are trying to login from the Internet, you should
provide credentials. If your users are inside the domain and Intranet,
then they should use the Internal name and not FQDN.

In other words, the default settings are for your safety, and when you
alter them for convenience, you are explicitly responsible for the
security of your own choices.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Stefan Mitterbuchner - 07 Oct 2008 13:35 GMT
David Wang asked:
> On Oct 7, 12:15 am, Stefan Mitterbuchner <dr_mitch*NO-SP...@web.de>
> wrote:
[quoted text clipped - 51 lines]
> http://blogs.msdn.com/David.Wang
> //

Thank you for your answer.
I think I will add the server to the Trusted Sites.
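
A client-side check for the zone behaviour discussed in this thread, as an added example that is not part of any post above: it reports which security zone the client assigns to each form of the URL and what that zone's logon setting (URL action 1A00) is. It assumes Windows PowerShell 5.1 on .NET Framework, uses the host names from the thread plus a constructed placeholder IP address, and reads the registry with a simplified precedence order (machine policy, user policy, user setting).

```powershell
# Added example. Assumes Windows PowerShell 5.1 (.NET Framework) run as the affected user.
# Host names are the ones from the thread; 10.0.0.5 is a constructed placeholder IP.
$urls = 'http://data5/index.html',
        'http://data5.domain.local/index.html',
        'http://10.0.0.5/index.html'

# Meaning of URL action 1A00 ("User Authentication: Logon") in a zone's settings.
$logonMode = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

# Simplified precedence (assumption): machine policy, user policy, then the user's own setting.
$zoneRoots = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
             'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-ZoneLogonSetting([int]$ZoneId) {
    # Return the first 1A00 value found for this zone, or $null if none is set.
    foreach ($root in $zoneRoots) {
        $key = Join-Path $root ([string]$ZoneId)
        $p = Get-ItemProperty -Path $key -Name '1A00' -ErrorAction SilentlyContinue
        if ($p) { return [int]$p.'1A00' }
    }
    return $null
}

foreach ($url in $urls) {
    # Zone ids: 0 MyComputer, 1 Intranet, 2 Trusted, 3 Internet, 4 Untrusted, -1 NoZone.
    $zone  = [System.Security.Policy.Zone]::CreateFromUrl($url).SecurityZone
    $value = Get-ZoneLogonSetting ([int]$zone)
    $mode  = if ($null -eq $value) { 'not set (zone default applies)' }
             else { $logonMode[$value] }
    [pscustomobject]@{ Url = $url; Zone = $zone; Logon = $mode }
}
```

Run it before and after changing the zone assignment for the FQDN: the Zone column shows how the dotless and dotted forms are classified, and the Logon column shows whether that zone is configured to send credentials without prompting.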
 