A little help (kerberos, netbios, and SPN... oh my!)

I have a custom intranet that I have setup for our company. The access is
secured using IWA and when the site is access by server name (QSERVER\internal)
the domain user's credentials are passed automatically and everything is
fine. This is good because we don't want internal users (people part of
our domain) to have to enter a user/pass.

However, one of the integrated ASP apps won't let us use an internal name
because this intranet needs to be more of an extranet, so we have to use
the FQDN. Our domains aren't the same (.local for the QSERVER and a .com
for the FQDN). I've run "setspn -a host/www.oursite.com QSERVER" which I
thought would allow requests from this host header to be passed with IWA,
but it doesn't work.

Our goal is to have ALL of our users, whether they are inside the office
or outside, to use the same website address: http://www.oursite.com/internal
but the internal users not have to enter a password, and all external users
MUST enter one. Any suggestions?

Server 2003
IIS6
web server is a DC

Thanks!

C

Re: A little help (kerberos, netbios, and SPN... oh my!)

set the site to windows integrated authentication, this will allow the local
users credentials to pass to the site. the outside users credentials will
not pass thru, because they are not logged into the domain and are outside
the firewall, assuming you are behind one. this will result in a login
prompt, the only problem is they must supply the domain, username and
password, unlike basic authentication, where you can supply the domain for
them. also remember, if you are not using ssl, these credentials, from the
outside, will be passed in clear text.


"Craig Carrigan" wrote in message
news:46a1ae9259f88c8678b28b7813c@news.giganews.com...
>I have a custom intranet that I have setup for our company. The access is
>secured using IWA and when the site is access by server name
>(QSERVER\internal) the domain user's credentials are passed automatically
>and everything is fine. This is good because we don't want internal users
>(people part of our domain) to have to enter a user/pass.
>
> However, one of the integrated ASP apps won't let us use an internal name
> because this intranet needs to be more of an extranet, so we have to use
> the FQDN. Our domains aren't the same (.local for the QSERVER and a .com
> for the FQDN). I've run "setspn -a host/www.oursite.com QSERVER" which I
> thought would allow requests from this host header to be passed with IWA,
> but it doesn't work.
>
> Our goal is to have ALL of our users, whether they are inside the office
> or outside, to use the same website address:
> http://www.oursite.com/internal but the internal users not have to enter a
> password, and all external users MUST enter one. Any suggestions?
>
> Server 2003
> IIS6
> web server is a DC
>
> Thanks!
>
> C
>
>

Re: A little help (kerberos, netbios, and SPN... oh my!)

Hello Consultant,

I'm sorry I wasn't more clear. When I referenced IWA, I was saying that
the site IS using integrated windows auth. However, from outside using a
non NETBIOS name (FQDN) the password isn't accepted. Thanks for your help!

Craig

> set the site to windows integrated authentication, this will allow the
> local users credentials to pass to the site. the outside users
> credentials will not pass thru, because they are not logged into the
> domain and are outside the firewall, assuming you are behind one. this
> will result in a login prompt, the only problem is they must supply
> the domain, username and password, unlike basic authentication, where
> you can supply the domain for them. also remember, if you are not
> using ssl, these credentials, from the outside, will be passed in
> clear text.
>
> "Craig Carrigan" wrote in message
> news:46a1ae9259f88c8678b28b7813c@news.giganews.com...
>
>> I have a custom intranet that I have setup for our company. The
>> access is secured using IWA and when the site is access by server
>> name (QSERVER\internal) the domain user's credentials are passed
>> automatically and everything is fine. This is good because we don't
>> want internal users (people part of our domain) to have to enter a
>> user/pass.
>>
>> However, one of the integrated ASP apps won't let us use an internal
>> name because this intranet needs to be more of an extranet, so we
>> have to use the FQDN. Our domains aren't the same (.local for the
>> QSERVER and a .com for the FQDN). I've run "setspn -a
>> host/www.oursite.com QSERVER" which I thought would allow requests
>> from this host header to be passed with IWA, but it doesn't work.
>>
>> Our goal is to have ALL of our users, whether they are inside the
>> office or outside, to use the same website address:
>> http://www.oursite.com/internal but the internal users not have to
>> enter a password, and all external users MUST enter one. Any
>> suggestions?
>>
>> Server 2003
>> IIS6
>> web server is a DC
>> Thanks!
>>
>> C
>>

Re: A little help (kerberos, netbios, and SPN... oh my!)

I take that back, that isn't exact. When www.site.com is used with IWA enabled,
instead of the netbios name, I am prompted for a U/P. When the netbios name
is used there is no U/P prompted. (this is all on the internal network)
I need to be able to use the public site name on the internal network and
not get prompted for a password. Externally since there is no connection
for kerberos, I'm sure it will fail over to NTLM and ask for a U/P. But
why does the netbios name work and authenticate but the full website name
does not?

> Hello Consultant,
>
> I'm sorry I wasn't more clear. When I referenced IWA, I was saying
> that the site IS using integrated windows auth. However, from outside
> using a non NETBIOS name (FQDN) the password isn't accepted. Thanks
> for your help!
>
> Craig
>
>> set the site to windows integrated authentication, this will allow
>> the local users credentials to pass to the site. the outside users
>> credentials will not pass thru, because they are not logged into the
>> domain and are outside the firewall, assuming you are behind one.
>> this will result in a login prompt, the only problem is they must
>> supply the domain, username and password, unlike basic
>> authentication, where you can supply the domain for them. also
>> remember, if you are not using ssl, these credentials, from the
>> outside, will be passed in clear text.
>>
>> "Craig Carrigan" wrote in message
>> news:46a1ae9259f88c8678b28b7813c@news.giganews.com...
>>
>>> I have a custom intranet that I have setup for our company. The
>>> access is secured using IWA and when the site is access by server
>>> name (QSERVER\internal) the domain user's credentials are passed
>>> automatically and everything is fine. This is good because we don't
>>> want internal users (people part of our domain) to have to enter a
>>> user/pass.
>>>
>>> However, one of the integrated ASP apps won't let us use an internal
>>> name because this intranet needs to be more of an extranet, so we
>>> have to use the FQDN. Our domains aren't the same (.local for the
>>> QSERVER and a .com for the FQDN). I've run "setspn -a
>>> host/www.oursite.com QSERVER" which I thought would allow requests
>>> from this host header to be passed with IWA, but it doesn't work.
>>>
>>> Our goal is to have ALL of our users, whether they are inside the
>>> office or outside, to use the same website address:
>>> http://www.oursite.com/internal but the internal users not have to
>>> enter a password, and all external users MUST enter one. Any
>>> suggestions?
>>>
>>> Server 2003
>>> IIS6
>>> web server is a DC
>>> Thanks!
>>> C
>>>

Re: A little help (kerberos, netbios, and SPN... oh my!)

well, internet explorer see's the fqdn as a non trusted internet site and
won't pass the credentials. try adding the fqdn as a trusted site, this
should allow the credentials to be passed.


"Craig Carrigan" wrote in message
news:46a1ae925f5b8c868463e11f41d@news.giganews.com...
>I take that back, that isn't exact. When www.site.com is used with IWA
>enabled, instead of the netbios name, I am prompted for a U/P. When the
>netbios name is used there is no U/P prompted. (this is all on the
>internal network) I need to be able to use the public site name on the
>internal network and not get prompted for a password. Externally since
>there is no connection for kerberos, I'm sure it will fail over to NTLM and
>ask for a U/P. But why does the netbios name work and authenticate but the
>full website name does not?
>
>> Hello Consultant,
>>
>> I'm sorry I wasn't more clear. When I referenced IWA, I was saying
>> that the site IS using integrated windows auth. However, from outside
>> using a non NETBIOS name (FQDN) the password isn't accepted. Thanks
>> for your help!
>>
>> Craig
>>
>>> set the site to windows integrated authentication, this will allow
>>> the local users credentials to pass to the site. the outside users
>>> credentials will not pass thru, because they are not logged into the
>>> domain and are outside the firewall, assuming you are behind one.
>>> this will result in a login prompt, the only problem is they must
>>> supply the domain, username and password, unlike basic
>>> authentication, where you can supply the domain for them. also
>>> remember, if you are not using ssl, these credentials, from the
>>> outside, will be passed in clear text.
>>>
>>> "Craig Carrigan" wrote in message
>>> news:46a1ae9259f88c8678b28b7813c@news.giganews.com...
>>>
>>>> I have a custom intranet that I have setup for our company. The
>>>> access is secured using IWA and when the site is access by server
>>>> name (QSERVER\internal) the domain user's credentials are passed
>>>> automatically and everything is fine. This is good because we don't
>>>> want internal users (people part of our domain) to have to enter a
>>>> user/pass.
>>>>
>>>> However, one of the integrated ASP apps won't let us use an internal
>>>> name because this intranet needs to be more of an extranet, so we
>>>> have to use the FQDN. Our domains aren't the same (.local for the
>>>> QSERVER and a .com for the FQDN). I've run "setspn -a
>>>> host/www.oursite.com QSERVER" which I thought would allow requests
>>>> from this host header to be passed with IWA, but it doesn't work.
>>>>
>>>> Our goal is to have ALL of our users, whether they are inside the
>>>> office or outside, to use the same website address:
>>>> http://www.oursite.com/internal but the internal users not have to
>>>> enter a password, and all external users MUST enter one. Any
>>>> suggestions?
>>>>
>>>> Server 2003
>>>> IIS6
>>>> web server is a DC
>>>> Thanks!
>>>> C
>>>>
>
>

Re: A little help (kerberos, netbios, and SPN... oh my!)

Hello Consultant,

I added the site to IE's trusted list and tried the portion that has IWA
enabled and it still asks for a U/P. Any other hints or tips?

> well, internet explorer see's the fqdn as a non trusted internet site
> and won't pass the credentials. try adding the fqdn as a trusted site,
> this should allow the credentials to be passed.
>
> "Craig Carrigan" wrote in message
> news:46a1ae925f5b8c868463e11f41d@news.giganews.com...
>
>> I take that back, that isn't exact. When www.site.com is used with
>> IWA enabled, instead of the netbios name, I am prompted for a U/P.
>> When the netbios name is used there is no U/P prompted. (this is all
>> on the internal network) I need to be able to use the public site
>> name on the internal network and not get prompted for a password.
>> Externally since there is no connection for kerberos, I'm sure it
>> will fail over to NTLM and ask for a U/P. But why does the netbios
>> name work and authenticate but the full website name does not?
>>
>>> Hello Consultant,
>>>
>>> I'm sorry I wasn't more clear. When I referenced IWA, I was saying
>>> that the site IS using integrated windows auth. However, from
>>> outside using a non NETBIOS name (FQDN) the password isn't accepted.
>>> Thanks for your help!
>>>
>>> Craig
>>>
>>>> set the site to windows integrated authentication, this will allow
>>>> the local users credentials to pass to the site. the outside users
>>>> credentials will not pass thru, because they are not logged into
>>>> the domain and are outside the firewall, assuming you are behind
>>>> one. this will result in a login prompt, the only problem is they
>>>> must supply the domain, username and password, unlike basic
>>>> authentication, where you can supply the domain for them. also
>>>> remember, if you are not using ssl, these credentials, from the
>>>> outside, will be passed in clear text.
>>>>
>>>> "Craig Carrigan" wrote in message
>>>> news:46a1ae9259f88c8678b28b7813c@news.giganews.com...
>>>>
>>>>> I have a custom intranet that I have setup for our company. The
>>>>> access is secured using IWA and when the site is access by server
>>>>> name (QSERVER\internal) the domain user's credentials are passed
>>>>> automatically and everything is fine. This is good because we
>>>>> don't want internal users (people part of our domain) to have to
>>>>> enter a user/pass.
>>>>>
>>>>> However, one of the integrated ASP apps won't let us use an
>>>>> internal name because this intranet needs to be more of an
>>>>> extranet, so we have to use the FQDN. Our domains aren't the same
>>>>> (.local for the QSERVER and a .com for the FQDN). I've run
>>>>> "setspn -a host/www.oursite.com QSERVER" which I thought would
>>>>> allow requests from this host header to be passed with IWA, but it
>>>>> doesn't work.
>>>>>
>>>>> Our goal is to have ALL of our users, whether they are inside the
>>>>> office or outside, to use the same website address:
>>>>> http://www.oursite.com/internal but the internal users not have to
>>>>> enter a password, and all external users MUST enter one. Any
>>>>> suggestions?
>>>>>
>>>>> Server 2003
>>>>> IIS6
>>>>> web server is a DC
>>>>> Thanks!
>>>>> C

Re: A little help (kerberos, netbios, and SPN... oh my!)

Hi,

Add it to the Intranet zone, not Trusted Sites. See:
http://support.microsoft.com/?id=258063

You will also be prompted if automatic logon fails because:
a) the currently logged on user does not have access
b) the configured authentication mechanism is failing (e.g. you are using
Kerberos and you can't access the DC, or you are using NTLM but you are
going through a proxy server, or HTTP Keep-Alives are not enabled)

Cheers
Ken

"Craig Carrigan" wrote in message
news:46a1ae9261c28c868de7b273470@news.giganews.com...
> Hello Consultant,
>
> I added the site to IE's trusted list and tried the portion that has IWA
> enabled and it still asks for a U/P. Any other hints or tips?
>
>> well, internet explorer see's the fqdn as a non trusted internet site
>> and won't pass the credentials. try adding the fqdn as a trusted site,
>> this should allow the credentials to be passed.
>>
>> "Craig Carrigan" wrote in message
>> news:46a1ae925f5b8c868463e11f41d@news.giganews.com...
>>
>>> I take that back, that isn't exact. When www.site.com is used with
>>> IWA enabled, instead of the netbios name, I am prompted for a U/P.
>>> When the netbios name is used there is no U/P prompted. (this is all
>>> on the internal network) I need to be able to use the public site
>>> name on the internal network and not get prompted for a password.
>>> Externally since there is no connection for kerberos, I'm sure it
>>> will fail over to NTLM and ask for a U/P. But why does the netbios
>>> name work and authenticate but the full website name does not?
>>>
>>>> Hello Consultant,
>>>>
>>>> I'm sorry I wasn't more clear. When I referenced IWA, I was saying
>>>> that the site IS using integrated windows auth. However, from
>>>> outside using a non NETBIOS name (FQDN) the password isn't accepted.
>>>> Thanks for your help!
>>>>
>>>> Craig
>>>>
>>>>> set the site to windows integrated authentication, this will allow
>>>>> the local users credentials to pass to the site. the outside users
>>>>> credentials will not pass thru, because they are not logged into
>>>>> the domain and are outside the firewall, assuming you are behind
>>>>> one. this will result in a login prompt, the only problem is they
>>>>> must supply the domain, username and password, unlike basic
>>>>> authentication, where you can supply the domain for them. also
>>>>> remember, if you are not using ssl, these credentials, from the
>>>>> outside, will be passed in clear text.
>>>>>
>>>>> "Craig Carrigan" wrote in message
>>>>> news:46a1ae9259f88c8678b28b7813c@news.giganews.com...
>>>>>
>>>>>> I have a custom intranet that I have setup for our company. The
>>>>>> access is secured using IWA and when the site is access by server
>>>>>> name (QSERVER\internal) the domain user's credentials are passed
>>>>>> automatically and everything is fine. This is good because we
>>>>>> don't want internal users (people part of our domain) to have to
>>>>>> enter a user/pass.
>>>>>>
>>>>>> However, one of the integrated ASP apps won't let us use an
>>>>>> internal name because this intranet needs to be more of an
>>>>>> extranet, so we have to use the FQDN. Our domains aren't the same
>>>>>> (.local for the QSERVER and a .com for the FQDN). I've run
>>>>>> "setspn -a host/www.oursite.com QSERVER" which I thought would
>>>>>> allow requests from this host header to be passed with IWA, but it
>>>>>> doesn't work.
>>>>>>
>>>>>> Our goal is to have ALL of our users, whether they are inside the
>>>>>> office or outside, to use the same website address:
>>>>>> http://www.oursite.com/internal but the internal users not have to
>>>>>> enter a password, and all external users MUST enter one. Any
>>>>>> suggestions?
>>>>>>
>>>>>> Server 2003
>>>>>> IIS6
>>>>>> web server is a DC
>>>>>> Thanks!
>>>>>> C
>
>

Re: A little help (kerberos, netbios, and SPN... oh my!)

Hello Ken,

Thanks Ken. I was able to get it working with Intranet sites. The issue
was that I was using a HOSTS file to map the domain that will be used in
the future, and it did not seem to like that. I since then used DNS to change
the name properly and it all functions. Thanks for all of your help everyone.

Craig

> Hi,
>
> Add it to the Intranet zone, not Trusted Sites. See:
> http://support.microsoft.com/?id=258063
>
> You will also be prompted if automatic logon fails because:
> a) the currently logged on user does not have access
> b) the configured authentication mechanism is failing (e.g. you are
> using
> Kerberos and you can't access the DC, or you are using NTLM but you
> are
> going through a proxy server, or HTTP Keep-Alives are not enabled)
> Cheers
> Ken
> "Craig Carrigan" wrote in message
> news:46a1ae9261c28c868de7b273470@news.giganews.com...
>
>> Hello Consultant,
>>
>> I added the site to IE's trusted list and tried the portion that has
>> IWA enabled and it still asks for a U/P. Any other hints or tips?
>>
>>> well, internet explorer see's the fqdn as a non trusted internet
>>> site and won't pass the credentials. try adding the fqdn as a
>>> trusted site, this should allow the credentials to be passed.
>>>
>>> "Craig Carrigan" wrote in message
>>> news:46a1ae925f5b8c868463e11f41d@news.giganews.com...
>>>
>>>> I take that back, that isn't exact. When www.site.com is used with
>>>> IWA enabled, instead of the netbios name, I am prompted for a U/P.
>>>> When the netbios name is used there is no U/P prompted. (this is
>>>> all on the internal network) I need to be able to use the public
>>>> site name on the internal network and not get prompted for a
>>>> password. Externally since there is no connection for kerberos, I'm
>>>> sure it will fail over to NTLM and ask for a U/P. But why does the
>>>> netbios name work and authenticate but the full website name does
>>>> not?
>>>>
>>>>> Hello Consultant,
>>>>>
>>>>> I'm sorry I wasn't more clear. When I referenced IWA, I was
>>>>> saying that the site IS using integrated windows auth. However,
>>>>> from outside using a non NETBIOS name (FQDN) the password isn't
>>>>> accepted. Thanks for your help!
>>>>>
>>>>> Craig
>>>>>
>>>>>> set the site to windows integrated authentication, this will
>>>>>> allow the local users credentials to pass to the site. the
>>>>>> outside users credentials will not pass thru, because they are
>>>>>> not logged into the domain and are outside the firewall, assuming
>>>>>> you are behind one. this will result in a login prompt, the only
>>>>>> problem is they must supply the domain, username and password,
>>>>>> unlike basic authentication, where you can supply the domain for
>>>>>> them. also remember, if you are not using ssl, these credentials,
>>>>>> from the outside, will be passed in clear text.
>>>>>>
>>>>>> "Craig Carrigan" wrote in message
>>>>>> news:46a1ae9259f88c8678b28b7813c@news.giganews.com...
>>>>>>
>>>>>>> I have a custom intranet that I have setup for our company. The
>>>>>>> access is secured using IWA and when the site is access by
>>>>>>> server name (QSERVER\internal) the domain user's credentials are
>>>>>>> passed automatically and everything is fine. This is good
>>>>>>> because we don't want internal users (people part of our domain)
>>>>>>> to have to enter a user/pass.
>>>>>>>
>>>>>>> However, one of the integrated ASP apps won't let us use an
>>>>>>> internal name because this intranet needs to be more of an
>>>>>>> extranet, so we have to use the FQDN. Our domains aren't the
>>>>>>> same (.local for the QSERVER and a .com for the FQDN). I've run
>>>>>>> "setspn -a host/www.oursite.com QSERVER" which I thought would
>>>>>>> allow requests from this host header to be passed with IWA, but
>>>>>>> it doesn't work.
>>>>>>>
>>>>>>> Our goal is to have ALL of our users, whether they are inside
>>>>>>> the office or outside, to use the same website address:
>>>>>>> http://www.oursite.com/internal but the internal users not have
>>>>>>> to enter a password, and all external users MUST enter one. Any
>>>>>>> suggestions?
>>>>>>>
>>>>>>> Server 2003
>>>>>>> IIS6
>>>>>>> web server is a DC
>>>>>>> Thanks!
>>>>>>> C