Domain Authentication in IIS 6 using Integrated Windows Authentica

on 16.01.2007 16:09:02 by K12-Jammer

I have an IIS 6 server running in our Intranet (not a domain controller). I
set some folders to be protected by requiring users to be authenticated using
Integrated Windows Authentication. This works with the users entering their
username (and password of course) in the format of
USERNAME@myinternaldomain.com or myinternaldomain.com\USERNAME.

My CEO wants us to just be able to use the simple USERNAME format. I have
been reading the technet articles, blogs, forums and I now believe that the
only way I could do this is to change the metabase setting of
"DefaultLogonDomain" to be set to myinternaldomain.com .

I believe that this issue was discussed somewhat in a 12/9 posting on this
forum entitled "Login not require a domain in IIS hosted site?" but the
possibility of modifying the metabase "DefaultLogonDomain" property was not
mentioned nor shot down as a real possibility.

Finally, thanks to anyone who posts a reply. Looking through the previous
posts I am amazed at the knowledge and even the kindness of folks who are
posting answers.

RE: Domain Authentication in IIS 6 using Integrated Windows Authentica

on 17.01.2007 10:24:00 by Indigenous

Jim

Do you want to be prompted for a username and password or do you want
automatic logon?

If you want username password (as you suggest below) then I suggest you use
Basic Authentication (or digest) rather than Integrated Windows. This being
the case, you can then set the domain and realm to be your domain in the IIS
admin console (on the security dialog under authentication type). If you do
this, you won't need to enter the domain when prompted for credentials.

You don't mention whether your site is internet, extranet or intranet so I
don't know whether you have any firewalls between your client and web server
(IE and IIS) but if you do then integrated windows auth won't work that well
anyway.

"Jim R" wrote:

> I have an IIS 6 server running in our Intranet (not a domain controller). I
> set some folders to be protected by requiring users to be authenticated using
> Integrated Windows Authentication. This works with the users entering their
> username (and password of course) in the format of
> USERNAME@myinternaldomain.com or myinternaldomain.com\USERNAME.
>
> My CEO wants us to just be able to use the simple USERNAME format. I have
> been reading the technet articles, blogs, forums and I now believe that the
> only way I could do this is to change the metabase setting of
> "DefaultLogonDomain" to be set to myinternaldomain.com .
>
> I believe that this issue was discussed somewhat in a 12/9 posting on this
> forum entitled "Login not require a domain in IIS hosted site?" but the
> possibility of modifying the metabase "DefaultLogonDomain" property was not
> mentioned nor shot down as a real possibility.
>
> Finally, thanks to anyone who posts a reply. Looking through the previous
> posts I am amazed at the knowledge and even the kindness of folks who are
> posting answers.

RE: Domain Authentication in IIS 6 using Integrated Windows Authen

on 17.01.2007 15:15:00 by K12Jammer

Dear Ingenious (nice play on words there)

First, thanks for your response. It addresses several key issues related to
authentication and the key questions to ask/address when trying to do this
thing.
And, my apologies for not including the firewall/intranet/internet info. I
thought about doing it and then the phone rang or something.

FIREWALL QUESTION:
I would like this to work both on the Intranet and Internet level. On the
Intranet level, there would be no firewall between the IIS and the web
client. On the Internet level there would be one. Note that there is no
firewall between the IIS and the Domain Controller as we are using a
one-to-one NAT for external port 80 traffic which directs Internet requests
to the web server. This was the recommended config by our firewall vendor
(Watchguard).

Currently, the Integrated Windows Authentication works identically whether
inside or outside our network. I believe that this is because the IIS and
the Active Directory are in the same network.

The only downside is what is considered to be the "strange username format."

DIGEST vs BASIC AUTHENTICATION MODES
Let me start by throwing out BASIC as I don't want the clear text
transmittal of passwords. So then, I jump headlong into a vast pool of my
own ignorance with regard to DIGEST mode. From my readings I see that it
requires a "reverse hash of the encrypted password" to be stored in
something. That whole phraseology made me a bit concerned that I was opening
up a security hole.

My apologies for not being better informed on the realities of all that is
related to Digest mode. The reality is that we are fearful of what we don't
understand. So at the moment I am fearful of Digest mode (though perhaps my
fear is misplaced).

I did try briefly to enable digest mode on my test box in my domain and did
not have success. I assume that this was because I did not reset my password
thus enabling the reverse-hash-whatevering to occur.

CONCLUSION:
The Digest mode would certainly allow me to set the default domain though I
am still uncertain of the security impact of using it. Basic would also
accomplish my objective but I am sure of the security impact of using clear
text passwords over the Internet. I am still curious about the potential use
of the DefaultLogonDomain property in the Metabase.

Thanks again.

--
Jim R


"Indigenous" wrote:

> Jim
>
> Do you want to be prompted for a username and password or do you want
> automatic logon?
>
> If you want username password (as you suggest below) then I suggest you use
> Basic Authentication (or digest) rather than Integrated Windows. This being
> the case, you can then set the domain and realm to be your domain in the IIS
> admin console (on the security dialog under authentication type). If you do
> this, you won't need to enter the domain when prompted for credentials.
>
> You don't mention whether your site is internet, extranet or intranet so I
> don't know whether you have any firewalls between your client and web server
> (IE and IIS) but if you do then integrated windows auth won't work that well
> anyway.
>
> "Jim R" wrote:
>
> > I have an IIS 6 server running in our Intranet (not a domain controller). I
> > set some folders to be protected by requiring users to be authenticated using
> > Integrated Windows Authentication. This works with the users entering their
> > username (and password of course) in the format of
> > USERNAME@myinternaldomain.com or myinternaldomain.com\USERNAME.
> >
> > My CEO wants us to just be able to use the simple USERNAME format. I have
> > been reading the technet articles, blogs, forums and I now believe that the
> > only way I could do this is to change the metabase setting of
> > "DefaultLogonDomain" to be set to myinternaldomain.com .
> >
> > I believe that this issue was discussed somewhat in a 12/9 posting on this
> > forum entitled "Login not require a domain in IIS hosted site?" but the
> > possibility of modifying the metabase "DefaultLogonDomain" property was not
> > mentioned nor shot down as a real possibility.
> >
> > Finally, thanks to anyone who posts a reply. Looking through the previous
> > posts I am amazed at the knowledge and even the kindness of folks who are
> > posting answers.
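The post above weighs Basic against Digest on two points: Basic sends the password in the clear, and Digest needs a "reverse hash of the encrypted password" stored somewhere. The following added example (written for this thread, not code from either poster or from IIS) shows what each scheme actually puts on the wire and what the server must hold to check it. The user name, realm, password, nonce and URI are constructed sample values; the MD5 constructions are the ones RFC 2617 specifies for Digest, reproduced to illustrate the point, not as a recommendation.

```python
"""Basic vs. Digest HTTP authentication: wire contents and server-side secret.

All credential values below are constructed for the example.
"""
import base64
import hashlib
import hmac
import re

REALM = "myinternaldomain.com"   # assumed: the realm/domain an IIS admin would configure
USER = "jsmith"                  # constructed sample account
PASSWORD = "Winter2007!"         # constructed sample password


def basic_header(user: str, password: str) -> str:
    """Client side of Basic auth. Base64 is encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_basic_credentials(header: str) -> tuple[str, str]:
    """Anyone who can read the request (proxy, capture on an untrusted
    network) recovers the password from a Basic header directly."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). This is the value the server must
    hold (or be able to derive from a recoverable password) to verify a
    Digest response; a one-way password hash such as an NT hash will not do,
    which is why Digest in a domain requires the password to be stored
    reversibly and reset after that setting is turned on."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def digest_header(user: str, realm: str, password: str,
                  method: str, uri: str, nonce: str) -> str:
    """Client side of Digest auth: the password never appears in the header."""
    resp = digest_response(digest_ha1(user, realm, password), method, uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def verify_digest(header: str, stored_ha1: str, method: str, nonce: str) -> bool:
    """Server side: recompute the response from the stored HA1 and compare.
    Note that a leaked HA1 is password-equivalent for this realm, so the
    store holding it needs the same protection as the passwords themselves."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', header))
    expected = digest_response(stored_ha1, method, fields["uri"], nonce)
    return hmac.compare_digest(expected, fields["response"])


if __name__ == "__main__":
    basic = basic_header(USER, PASSWORD)
    print("Basic header :", basic)
    print("recovered    :", recover_basic_credentials(basic))

    nonce = "c0ffee1234"   # constructed; a real server issues a fresh one per challenge
    digest = digest_header(USER, REALM, PASSWORD, "GET", "/protected/", nonce)
    print("Digest header:", digest)
    print("password on wire?", PASSWORD in digest)
    print("verifies with stored HA1:",
          verify_digest(digest, digest_ha1(USER, REALM, PASSWORD), "GET", nonce))
```

Run it and the Basic header decodes straight back to the password, while the Digest header carries only a response the server can check if, and only if, it holds HA1 for that user and realm. That stored HA1 is the "reverse hash" the post worries about: it protects the password on the wire, but the server-side store becomes as sensitive as the password database itself.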

RE: Domain Authentication in IIS 6 using Integrated Windows Authen

on 24.01.2007 16:01:00 by K12Jammer

I am curious if anyone has a suggestion about the use of the metabase
property "DefaultLogonDomain" to accomplish the purposes of pointing the IIS
server to authenticate against the domain instead of the local machine
database.

--
Jim R


"K12-Jammer" wrote:

> Dear Ingenious (nice play on words there)
>
> First, thanks for your response. It addresses several key issues related to
> authentication and the key questions to ask/address when trying to do this
> thing.
> And, my apologies for not including the firewall/intranet/internet info. I
> thought about doing it and then the phone rang or something.
>
> FIREWALL QUESTION:
> I would like this to work both on the Intranet and Internet level. On the
> Intranet level, there would be no firewall between the IIS and the web
> client. On the Internet level there would be one. Note that there is no
> firewall between the IIS and the Domain Controller as we are using a
> one-to-one NAT for external port 80 traffic which directs Internet requests
> to the web server. This was the recommended config by our firewall vendor
> (Watchguard).
>
> Currently, the Integrated Windows Authentication works identically whether
> inside or outside our network. I believe that this is because the IIS and
> the Active Directory are in the same network.
>
> The only downside is what is considered to be the "strange username format."
>
> DIGEST vs BASIC AUTHENTICATION MODES
> Let me start by throwing out BASIC as I don't want the clear text
> transmittal of passwords. So then, I jump headlong into a vast pool of my
> own ignorance with regard to DIGEST mode. From my readings I see that it
> requires a "reverse hash of the encrypted password" to be stored in
> something. That whole phraseology made me a bit concerned that I was opening
> up a security hole.
>
> My apologies for not being better informed on the realities of all that is
> related to Digest mode. The reality is that we are fearful of what we don't
> understand. So at the moment I am fearful of Digest mode (though perhaps my
> fear is misplaced).
>
> I did try briefly to enable digest mode on my test box in my domain and did
> not have success. I assume that this was because I did not reset my password
> thus enabling the reverse-hash-whatevering to occur.
>
> CONCLUSION:
> The Digest mode would certainly allow me to set the default domain though I
> am still uncertain of the security impact of using it. Basic would also
> accomplish my objective but I am sure of the security impact of using clear
> text passwords over the Internet. I am still curious about the potential use
> of the DefaultLogonDomain property in the Metabase.
>
> Thanks again.
>
> --
> Jim R
>
>
> "Indigenous" wrote:
>
> > Jim
> >
> > Do you want to be prompted for a username and password or do you want
> > automatic logon?
> >
> > If you want username password (as you suggest below) then I suggest you use
> > Basic Authentication (or digest) rather than Integrated Windows. This being
> > the case, you can then set the domain and realm to be your domain in the IIS
> > admin console (on the security dialog under authentication type). If you do
> > this, you won't need to enter the domain when prompted for credentials.
> >
> > You don't mention whether your site is internet, extranet or intranet so I
> > don't know whether you have any firewalls between your client and web server
> > (IE and IIS) but if you do then integrated windows auth won't work that well
> > anyway.
> >
> > "Jim R" wrote:
> >
> > > I have an IIS 6 server running in our Intranet (not a domain controller). I
> > > set some folders to be protected by requiring users to be authenticated using
> > > Integrated Windows Authentication. This works with the users entering their
> > > username (and password of course) in the format of
> > > USERNAME@myinternaldomain.com or myinternaldomain.com\USERNAME.
> > >
> > > My CEO wants us to just be able to use the simple USERNAME format. I have
> > > been reading the technet articles, blogs, forums and I now believe that the
> > > only way I could do this is to change the metabase setting of
> > > "DefaultLogonDomain" to be set to myinternaldomain.com .
> > >
> > > I believe that this issue was discussed somewhat in a 12/9 posting on this
> > > forum entitled "Login not require a domain in IIS hosted site?" but the
> > > possibility of modifying the metabase "DefaultLogonDomain" property was not
> > > mentioned nor shot down as a real possibility.
> > >
> > > Finally, thanks to anyone who posts a reply. Looking through the previous
> > > posts I am amazed at the knowledge and even the kindness of folks who are
> > > posting answers.