permissions to some not domain users to access intranet

on 23.09.2007 16:47:20 by e.romero

Hi,

I use IIS6 to publish our intranet, such IIS website is in a x.main.org AD
child domain; there are no issues for x.main.org users to access such website.

The AD domain is a multi-site AD Windows 2003 domain where there are
a.b.c.d.e..main.org domains.

What do I need to set to keep providing intranet access to all x.main.org
users and at the same time grant access to "some" of the a.main.org and
b.main.org users?

thx
Eric

Re: permissions to some not domain users to access intranet

on 23.09.2007 22:06:11 by Steve Schofield

This is not really an IIS question as something like ISA Server. If you
have ISA in-front of your IIS boxes, you can control by group.

--

Best regards,

Steve Schofield
Windows Server MVP - IIS
http://weblogs.asp.net/steveschofield


wrote in message
news:e2HmaFf$HHA.4828@TK2MSFTNGP04.phx.gbl...
> Hi,
>
> I use IIS6 to publish our intranet, such IIS website is in a x.main.org
> AD child domain; there are no issues for x.main.org users to access such
> website.
>
> The AD domain is a multi-site AD Windows 2003 domain where there are
> a.b.c.d.e..main.org domains.
>
> What do I need to set to keep providing intranet access to all x.main.org
> users and at the same time grant access to "some" of the a.main.org and
> b.main.org users?
>
> thx
> Eric
>

Re: permissions to some not domain users to access intranet

on 24.09.2007 11:25:34 by e.romero

Hi,

I do not use or plan to use ISA.

Please do you have any way that IIS6.0 could be granular and grant access to
all x.main.org
users and at the same time grant access to "some" of the a.main.org and
b.main.org users?

thx
eric

"Steve Schofield" wrote in message
news:eYYSx0h$HHA.1164@TK2MSFTNGP02.phx.gbl...
> This is not really an IIS question as something like ISA Server. If you
> have ISA in-front of your IIS boxes, you can control by group.
>
> --
>
> Best regards,
>
> Steve Schofield
> Windows Server MVP - IIS
> http://weblogs.asp.net/steveschofield
>
>
> wrote in message
> news:e2HmaFf$HHA.4828@TK2MSFTNGP04.phx.gbl...
>> Hi,
>>
>> I use IIS6 to publish our intranet, such IIS website is in a x.main.org
>> AD child domain; there are no issues for x.main.org users to access such
>> website.
>>
>> The AD domain is a multi-site AD Windows 2003 domain where there are
>> a.b.c.d.e..main.org domains.
>>
>> What do I need to set to keep providing intranet access to all x.main.org
>> users and at the same time grant access to "some" of the a.main.org and
>> b.main.org users?
>>
>> thx
>> Eric
>>
>

Re: permissions to some not domain users to access intranet

on 25.09.2007 03:18:20 by David Wang

Really, your question has nothing to do with IIS. You may find better
support for your question elsewhere, like Active Directory.

IIS6 in a domain will use AD and NTFS ACLs to provide granular access
control. All you need to do is establish the correct trust between
those AD sites and ACL files correctly, and IIS will work.

How do you plan to establish AD trust between these sites to allow
access by some of a.main.org and b.main.org ?

For example, you can establish one-way trust (or two-way trust --
depends on your AD-needs -- has nothing to do with IIS) between
a.main.org and x.main.org, at which point you can ACL resources on
x.main.org for a.main.org, and IIS will simply reuse your trust
configuration and work.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//



On Sep 24, 2:25 am, "eric romero" wrote:
> Hi,
>
> I do not use or plan to use ISA.
>
> Please do you have any way that IIS6.0 could be granular and grant access to
> all x.main.org
> users and at the same time grant access to "some" of the a.main.org and
> b.main.org users?
>
> thx
> eric
>
> "Steve Schofield" wrote in message
>
> news:eYYSx0h$HHA.1164@TK2MSFTNGP02.phx.gbl...
>
>
>
> > This is not really an IIS question as something like ISA Server. If you
> > have ISA in-front of your IIS boxes, you can control by group.
>
> > --
>
> > Best regards,
>
> > Steve Schofield
> > Windows Server MVP - IIS
> >http://weblogs.asp.net/steveschofield
>
> > wrote in message
> >news:e2HmaFf$HHA.4828@TK2MSFTNGP04.phx.gbl...
> >> Hi,
>
> >> I use IIS6 to publish our intranet, such IIS website is in a x.main.org
> >> AD child domain; there are no issues for x.main.org users to access such
> >> website.
>
> >> The AD domain is a multi-site AD Windows 2003 domain where there are
> >> a.b.c.d.e..main.org domains.
>
> >> What do I need to set to keep providing intranet access to all x.main.org
> >> users and at the same time grant access to "some" of the a.main.org and
> >> b.main.org users?
>
> >> thx
> >> Eric

Re: permissions to some not domain users to access intranet

on 28.09.2007 00:33:36 by eromero

a.main.org and b.main.org trusts are already in place, because both domains
belong to the same AD forest main.org.
I still think this is an IIS question because the IIS authentication has
been set to domain a.main.org in the default domain settings. So how can I
make IIS authentication to also grant access to "some" b.main.org users?

"David Wang" wrote in message
news:1190683100.163477.292450@g4g2000hsf.googlegroups.com...
> Really, your question has nothing to do with IIS. You may find better
> support for your question elsewhere, like Active Directory.
>
> IIS6 in a domain will use AD and NTFS ACLs to provide granular access
> control. All you need to do is establish the correct trust between
> those AD sites and ACL files correctly, and IIS will work.
>
> How do you plan to establish AD trust between these sites to allow
> access by some of a.main.org and b.main.org ?
>
> For example, you can establish one-way trust (or two-way trust --
> depends on your AD-needs -- has nothing to do with IIS) between
> a.main.org and x.main.org, at which point you can ACL resources on
> x.main.org for a.main.org, and IIS will simply reuse your trust
> configuration and work.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
>
> On Sep 24, 2:25 am, "eric romero" wrote:
>> Hi,
>>
>> I do not use or plan to use ISA.
>>
>> Please do you have any way that IIS6.0 could be granular and grant access
>> to
>> all x.main.org
>> users and at the same time grant access to "some" of the a.main.org and
>> b.main.org users?
>>
>> thx
>> eric
>>
>> "Steve Schofield" wrote in message
>>
>> news:eYYSx0h$HHA.1164@TK2MSFTNGP02.phx.gbl...
>>
>>
>>
>> > This is not really an IIS question as something like ISA Server. If
>> > you
>> > have ISA in-front of your IIS boxes, you can control by group.
>>
>> > --
>>
>> > Best regards,
>>
>> > Steve Schofield
>> > Windows Server MVP - IIS
>> >http://weblogs.asp.net/steveschofield
>>
>> > wrote in message
>> >news:e2HmaFf$HHA.4828@TK2MSFTNGP04.phx.gbl...
>> >> Hi,
>>
>> >> I use IIS6 to publish our intranet, such IIS website is in a
>> >> x.main.org
>> >> AD child domain; there are no issues for x.main.org users to access such
>> >> website.
>>
>> >> The AD domain is a multi-site AD Windows 2003 domain where there are
>> >> a.b.c.d.e..main.org domains.
>>
>> >> What do I need to set to keep providing intranet access to all
>> >> x.main.org
>> >> users and at the same time grant access to "some" of the a.main.org
>> >> and
>> >> b.main.org users?
>>
>> >> thx
>> >> Eric
>
>

Re: permissions to some not domain users to access intranet

on 28.09.2007 15:01:58 by David Wang

You should enable Windows Authentication and set NTFS ACLs on the
resources served by IIS to grant access to "some" b.main.org users.
Are you unable to ACL resources to grant access to some b.main.org
users, or are you using some other custom authentication scheme unable
to authenticate against b.main.org users?

This is not an IIS question because there is no such thing as "make
IIS authentication to also grant access to some b.main.org users". IIS
has no such authentication nor authorization control. Active Directory/
SAM provides Authentication, and NTFS provides Authorization control.
You have to configure those things properly to give the illusion of
"accessing through IIS".

All IIS does is log on a user against either Active Directory/SAM and
then AccessCheck() that token against NTFS ACLs.

Where is IIS granting access to some b.main.org user? Absolutely
nowhere. YOU grant NTFS ACLs to b.main.org users on the resources, and
YOU configure IIS to require user authentication, and the rest take
care of themselves.

Now, I'm thinking of your curious wording about "set to domain
a.main.org in the default domain settings". The only authentication
protocol which allows setting "domain" is Basic
authentication, and if you are using that, then you are causing your
own problems by setting a.main.org as the default domain and making
all users, including those from b.main.org. You fix this by not using
basic authentication. No, there's no way to selectively disable defaults
to grant access because that's a catch-22. How do you figure out a
user is from b.main.org when you force IIS to authenticate against
a.main.org? There's no security protocol that works like "if I fail to
authenticate user against default domain then try this other domain".

The easiest solution is to use Windows Authentication. With trust
established, users will automatically login to IIS as their own domain
account, and everything just works.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On Sep 27, 3:33 pm, "msnews.microsoft.com" wrote:
> a.main.org and b.main.org trusts are already in place, because both domains
> belong to the same AD forest main.org.
> I still think this is an IIS question because the IIS authentication has
> been set to domain a.main.org in the default domain settings. So how can I
> make IIS authentication to also grant access to "some" b.main.org users?
>
> "David Wang" wrote in message
>
> news:1190683100.163477.292450@g4g2000hsf.googlegroups.com...
>
>
>
> > Really, your question has nothing to do with IIS. You may find better
> > support for your question elsewhere, like Active Directory.
>
> > IIS6 in a domain will use AD and NTFS ACLs to provide granular access
> > control. All you need to do is establish the correct trust between
> > those AD sites and ACL files correctly, and IIS will work.
>
> > How do you plan to establish AD trust between these sites to allow
> > access by some of a.main.org and b.main.org ?
>
> > For example, you can establish one-way trust (or two-way trust --
> > depends on your AD-needs -- has nothing to do with IIS) between
> > a.main.org and x.main.org, at which point you can ACL resources on
> > x.main.org for a.main.org, and IIS will simply reuse your trust
> > configuration and work.
>
> > //David
> >http://w3-4u.blogspot.com
> >http://blogs.msdn.com/David.Wang
> > //
>
> > On Sep 24, 2:25 am, "eric romero" wrote:
> >> Hi,
>
> >> I do not use or plan to use ISA.
>
> >> Please do you have any way that IIS6.0 could be granular and grant access
> >> to
> >> all x.main.org
> >> users and at the same time grant access to "some" of the a.main.org and
> >> b.main.org users?
>
> >> thx
> >> eric
>
> >> "Steve Schofield" wrote in message
>
> >>news:eYYSx0h$HHA.1164@TK2MSFTNGP02.phx.gbl...
>
> >> > This is not really an IIS question as something like ISA Server. If
> >> > you
> >> > have ISA in-front of your IIS boxes, you can control by group.
>
> >> > --
>
> >> > Best regards,
>
> >> > Steve Schofield
> >> > Windows Server MVP - IIS
> >> >http://weblogs.asp.net/steveschofield
>
> >> > wrote in message
> >> >news:e2HmaFf$HHA.4828@TK2MSFTNGP04.phx.gbl...
> >> >> Hi,
>
> >> >> I use IIS6 to publish our intranet, such IIS website is in a
> >> >> x.main.org
> >> >> AD child domain; there are no issues for x.main.org users to access such
> >> >> website.
>
> >> >> The AD domain is a multi-site AD Windows 2003 domain where there are
> >> >> a.b.c.d.e..main.org domains.
>
> >> >> What do I need to set to keep providing intranet access to all
> >> >> x.main.org
> >> >> users and at the same time grant access to "some" of the a.main.org
> >> >> and
> >> >> b.main.org users?
>
> >> >> thx
> >> >> Eric
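
One way to apply the advice in the last reply on an IIS 6 server, as an added example that is not from any poster in this thread: switch the site from Basic authentication (with its default domain) to Integrated Windows Authentication, then do the authorization in NTFS. The site ID 1, the content path D:\Intranet, the NetBIOS domain names X, A and B, and the group name Intranet-Readers are all assumptions.

```bat
rem Added example. Site ID (1), content path, NetBIOS domain names and
rem group names below are assumed; substitute your own.
cd /d %SystemDrive%\Inetpub\AdminScripts

rem Show the current authentication bitmask for the site root
rem (1 = Anonymous, 2 = Basic, 4 = Integrated Windows).
cscript //nologo adsutil.vbs get W3SVC/1/Root/AuthFlags

rem Integrated Windows Authentication only. With Basic off, no default
rem domain is applied and each user logs on with their own domain account.
cscript //nologo adsutil.vbs set W3SVC/1/Root/AuthFlags 4

rem Authorization is NTFS: every x.main.org user, plus one group from each
rem of the other domains that holds only the users who should get in.
rem (icacls ships with Windows Server 2003 SP2 and later.)
icacls D:\Intranet /grant "X\Domain Users":(OI)(CI)RX
icacls D:\Intranet /grant "A\Intranet-Readers":(OI)(CI)RX
icacls D:\Intranet /grant "B\Intranet-Readers":(OI)(CI)RX

rem Review the resulting ACL before testing from an a.main.org or
rem b.main.org workstation.
icacls D:\Intranet
```

Membership of the two Intranet-Readers groups then decides which a.main.org and b.main.org users can read the site; nothing further is configured in IIS.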