Integrated Authentication with trusted domain.

on 12.05.2006 20:44:27 by will.apple

I have a W2K3 Standard server with SP1 called WEBSERVER. It is a member
of DMZ.DOMAIN, DMZ.DOMAIN fully trusts INSIDE.DOMAIN. The website runs
under an app pool that is a member of INSIDE.DOMAIN. If I access
http://site.domain.com from inside my firewall my domain credentials
are forwarded as I would expect. If I access http://site.domain.com
from outside the firewall I get prompted for credentials as expected.
Our external clients will be receiving DMZ.DOMAIN accounts to access
resources in the DMZ. I would like for them to be able to enter just
their username and password instead of DMZ.DOMAIN\username and
password. If I omit the domain the login fails and automatically
prefixes the username with the machine name. Is there any way that I can
configure this, without breaking the forwarding of credentials from
inside the firewall?

Thanks.

Re: Integrated Authentication with trusted domain.

on 13.05.2006 05:02:30 by someone

You have to give DMZ.DOMAIN\username because that is how the authentication
protocol works. There is no way for the web server to inject a domain name.
Why? Because if a server can inject a domain name, it is performing a
man-in-the-middle security attack.

You are using a secure authentication protocol like Integrated
Authentication, where the web server just negotiates a bunch of blobs for
authentication -- the web server has no idea what user/domain is being
authenticated. It just knows at the end whether authentication succeeded or
not and gets a user token. This is the most secure way to do things --
protects the privacy/security of both the user and the server.

There are some hacks to give the illusion of having just username work, but
I'm not going to give it because you seem to care about security to
partition things like this.


I suggest setting up UPN so that your users can authenticate with:
username@inside.domain.com
username@dmz.domain.com

Which is an easier way to remember username/domain, especially if it is
linked to an email address.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

wrote in message
news:1147459467.441234.14330@j33g2000cwa.googlegroups.com...
>I have a W2K3 Standard server with SP1 called WEBSERVER. It is a member
> of DMZ.DOMAIN, DMZ.DOMAIN fully trusts INSIDE.DOMAIN. The website runs
> under an app pool that is a member of INSIDE.DOMAIN. If I access
> http://site.domain.com from inside my firewall my domain credentials
> are forwarded as I would expect. If I access http://site.domain.com
> from outside the firewall I get prompted for credentials as expected.
> Our external clients will be receiving DMZ.DOMAIN accounts to access
> resources in the DMZ. I would like for them to be able to enter just
> their username and password instead of DMZ.DOMAIN\username and
> password. If I omit the domain the login fails and automatically
> prefixes the username with the machine name. Is there any way that I can
> configure this, without breaking the forwarding of credentials from
> inside the firewall?
>
> Thanks.
>
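The reply above turns on three logon-name forms: the down-level `DOMAIN\user` the poster wants to avoid, the `user@suffix` UPN form it recommends, and the bare `user` that falls back to the local machine. The following Python is an added example, not code from either poster, that parses those forms and resolves which domain a name targets, then checks whether a resource domain would accept it under a trust. The UPN suffix table, the one-way trust map (DMZ trusts INSIDE, as in the thread) and the machine name WEBSERVER are constructed assumptions modelled on the thread's setup.

```python
"""Classify Windows logon-name formats and resolve the realm they target.

Added example, not from the original thread. The suffix table, trust map
and machine name below are constructed to mirror the thread's setup.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed: UPN suffix -> NetBIOS name of the domain that owns it.
UPN_SUFFIXES: Dict[str, str] = {
    "inside.domain.com": "INSIDE",
    "dmz.domain.com": "DMZ",
}

# Constructed: resource domain -> set of account domains it trusts.
# Models "DMZ.DOMAIN fully trusts INSIDE.DOMAIN" as a one-way trust.
TRUSTS: Dict[str, Set[str]] = {
    "DMZ": {"INSIDE"},
    "INSIDE": set(),
}

# Constructed: the server that receives the logon; a bare username is
# looked up in this machine's local account database.
LOCAL_MACHINE = "WEBSERVER"


@dataclass(frozen=True)
class LogonName:
    form: str             # "downlevel", "upn" or "bare"
    user: str
    realm: Optional[str]  # resolved NetBIOS domain, or None if unresolvable


def parse_logon_name(raw: str,
                     local_machine: str = LOCAL_MACHINE,
                     suffixes: Dict[str, str] = UPN_SUFFIXES) -> LogonName:
    """Split a logon name into its form, user part and resolved realm."""
    name = raw.strip()
    if not name:
        raise ValueError("empty logon name")
    if "\\" in name:
        # Down-level form: DOMAIN\user, domain is explicit.
        domain, _, user = name.partition("\\")
        if not domain or not user or "\\" in user:
            raise ValueError(f"malformed down-level name: {raw!r}")
        return LogonName("downlevel", user, domain.upper())
    if "@" in name:
        # UPN form: user@suffix, the suffix names the domain indirectly.
        user, _, suffix = name.rpartition("@")
        if not user or not suffix:
            raise ValueError(f"malformed UPN: {raw!r}")
        return LogonName("upn", user, suffixes.get(suffix.lower()))
    # Bare form: nothing says which domain is meant, so the server
    # treats it as a local account, which is what the poster observed.
    return LogonName("bare", name, local_machine.upper())


def accepted_by(resource_domain: str, logon: LogonName,
                trusts: Dict[str, Set[str]] = TRUSTS) -> bool:
    """True if the resource domain itself, or a domain it trusts, owns the
    account realm. A bare name resolves to the machine, not a domain, so
    it is never accepted as a domain account here."""
    if logon.realm is None:
        return False
    if logon.realm == resource_domain.upper():
        return True
    return logon.realm in trusts.get(resource_domain.upper(), set())


if __name__ == "__main__":
    for sample in ("DMZ\\alice", "alice@inside.domain.com",
                   "alice@dmz.domain.com", "alice", "alice@example.org"):
        parsed = parse_logon_name(sample)
        print(f"{sample:28} -> {parsed.form:9} realm={parsed.realm} "
              f"accepted by DMZ={accepted_by('DMZ', parsed)}")
```

Running the block prints one line per constructed sample. The bare name resolves to WEBSERVER and is rejected as a domain account, the two UPN forms resolve through the suffix table and are accepted by DMZ (INSIDE via the trust), and the unknown suffix resolves to no realm at all.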