Client and Server NTLM authentication
on 09.07.2007 19:46:03 by reuben_hecquet
I have a configuration where integrated authentication is enabled for
an IIS6 website. Some of the users are logging into their machines on
a secure section of the network that has very limited access to the
webserver (only HTTP traffic permitted). The clients logon to a
foreign domain that has no trust or similar.
When these users try and access the website they get as expected a
logon prompt (the account they have logged on with has no access to
this site) where they can enter the credentials of an account for the
domain that website knows about and has appropriate access. However
there is a time issue in that the clients try to contact a DC in this
domain before the webserver will try and authenticate them (they
cannot do this due to security lockdown at the network level). After
about 15 secs the client gives up trying to authenticate with the DC
directly and passes the relevant NTLM details in a HTTP packet and
gets authenticated.
I wanted to know if there is a way that I can force the client to do
this without trying to be authenticated directly by the DC itself.
Hope this makes sense. If not I can attempt to explain it better.
Any help much appreciated.
Re: Client and Server NTLM authentication
on 10.07.2007 04:21:28 by David Wang
On Jul 9, 10:46 am, reuben_hecq...@hotmail.com wrote:
> I have a configuration where integrated authentication is enabled for
> an IIS6 website. Some of the users are logging into their machines on
> a secure section of the network that has very limited access to the
> webserver (only HTTP traffic permitted). The clients logon to a
> foreign domain that has no trust or similar.
>
> When these users try and access the website they get as expected a
> logon prompt (the account they have logged on with has no access to
> this site) where they can enter the credentials of an account for the
> domain that website knows about and has appropriate access. However
> there is a time issue in that the clients try to contact a DC in this
> domain before the webserver will try and authenticate them (they
> cannot do this due to security lockdown at the network level). After
> about 15 secs the client gives up trying to authenticate with the DC
> directly and passes the relevant NTLM details in a HTTP packet and
> gets authenticated.
>
> I wanted to know if there is a way that I can force the client to do
> this without trying to be authenticated directly by the DC itself.
>
> Hope this makes sense. If not I can attempt to explain it better.
>
> Any help much appreciated.
This sounds like a client-specific issue unrelated to IIS.
My suspicion is that the browser is attempting to auto-login and that
if you move the website into a zone that the browser does not auto-
login, it could stop that attempt that causes a 15 second timeout for
you.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Re: Client and Server NTLM authentication
on 10.07.2007 04:47:13 by Ken Schaefer
Sounds like the client is attempting Kerberos authentication first. It is
contacting a Domain Controller to either get a service ticket -or- get a
referral to a DC that can give the client a service ticket (i.e. a DC in
another domain).
As David mentioned, change the zone type so that the client doesn't attempt
Kerberos Authentication (e.g. Internet security zone - but this will also
stop auto-logon) -or- uncheck the "Use Integrated Windows Authentication" in
the advanced options (this however disables Kerberos authentication for all
websites that the browser accesses).
Cheers
Ken
wrote in message
news:1184003163.254696.41160@22g2000hsm.googlegroups.com...
>I have a configuration where integrated authentication is enabled for
> an IIS6 website. Some of the users are logging into their machines on
> a secure section of the network that has very limited access to the
> webserver (only HTTP traffic permitted). The clients logon to a
> foreign domain that has no trust or similar.
>
> When these users try and access the website they get as expected a
> logon prompt (the account they have logged on with has no access to
> this site) where they can enter the credentials of an account for the
> domain that website knows about and has appropriate access. However
> there is a time issue in that the clients try to contact a DC in this
> domain before the webserver will try and authenticate them (they
> cannot do this due to security lockdown at the network level). After
> about 15 secs the client gives up trying to authenticate with the DC
> directly and passes the relevant NTLM details in a HTTP packet and
> gets authenticated.
>
> I wanted to know if there is a way that I can force the client to do
> this without trying to be authenticated directly by the DC itself.
>
> Hope this makes sense. If not I can attempt to explain it better.
>
> Any help much appreciated.
>
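The two client-side changes Ken describes (moving the site out of the zone that triggers auto-logon/Kerberos, or clearing "Use Integrated Windows Authentication"), as an added PowerShell example that is not part of the thread. The ZoneMap and EnableNegotiate registry names come from my own knowledge of Internet Explorer's per-user settings, not from the posts, and the host name is a placeholder; verify both against your environment before rolling out.

```powershell
# Added example, not from the thread. Runs as the affected user (HKCU), so
# it changes that user's browser only. Assumes IE-style Internet Settings.
$InternetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Option 1 (preferred when only one site is affected): assign the site to the
# Internet zone. A site outside Local intranet is not auto-logged-on, so the
# browser skips the Kerberos attempt that contacts the unreachable DC and the
# user simply gets the logon prompt straight away.
# Zone ids: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted.
function Set-SiteZone {
    param(
        [Parameter(Mandatory)] [string] $HostName,          # placeholder below
        [ValidateSet(1, 2, 3, 4)] [int] $Zone = 3,
        [ValidateSet('http', 'https')] [string] $Scheme = 'http'
    )
    # Assumption: a full host name as a single key under ZoneMap\Domains.
    $key = Join-Path $InternetSettings "ZoneMap\Domains\$HostName"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord `
        -Value $Zone -Force | Out-Null
}

# Option 2: clear "Enable Integrated Windows Authentication" (EnableNegotiate).
# Trade-off from Ken's reply: this disables Kerberos for every site the
# browser visits, so use it only when Option 1 is not acceptable.
function Set-IntegratedWindowsAuth {
    param([Parameter(Mandatory)] [bool] $Enabled)
    New-ItemProperty -Path $InternetSettings -Name 'EnableNegotiate' `
        -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
}

# Usage with a placeholder host; check the result afterwards.
Set-SiteZone -HostName 'intranet.example.invalid' -Zone 3
Get-ItemProperty -Path (Join-Path $InternetSettings 'ZoneMap\Domains\intranet.example.invalid')
```

If the zone map is managed by Group Policy (Site to Zone Assignment List), the policy value wins over the per-user key written here, so make the change in policy instead.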