DefaultLogonDomain attribute and Integrated Windows Authentication

on 30.12.2007 18:46:50 by Steve Schofield

I'm sure Ken knows this, but I'm trying to figure out if it's possible to
have a user just type in their AD account when using Integrated Windows
Authentication and IIS 6. I turned off anonymous logins so it would prompt
me and set the 'DefaultLogonDomain' metabase attribute to 'DOMAIN'. When I
tested accessing the site, I still had to type DOMAIN\USER instead of
'USER'. If I enabled 'BASIC' authentication and filled in the 'Default
Domain', I didn't have to type the domain name. Is there a workaround to
not have to type the NetBIOS name such as "DOMAIN\USER" when using
Integrated Windows Authentication?

--

Steve Schofield
Windows Server MVP - IIS
http://weblogs.asp.net/steveschofield

Re: DefaultLogonDomain attribute and Integrated Windows Authentication

on 30.12.2007 20:08:23 by Steve Schofield

Things aren't looking too promising, per David Wang in a prior post. I
believe FTP uses Basic Authentication (well, it sends stuff in clear text), so
I can presume using this attribute is fine. I've had success setting this
attribute with FTP and AD accounts, but not having too much luck with IWA
and WWW.

http://www.issociate.de/board/post/427902/Integrated_Windows_Authentication_and_Domain_prefix_on_popup.html

"You need the domain prefix for a wide variety of security reasons. And for
the same security reasons, one cannot "prefix" or otherwise modify the user
principal prior to credential validation -- so you have to give both domain
and username in some form. Unfortunately, most clients' eyes glaze over by
the time one goes through the reasons. ;-)

Now, you can enable UPN and those non-techie clients can enter
username@domain.com instead of remembering a "domain prefix". I think it is a
reasonable solution since most websites seem to use either username or
username@domain.com and people seem ok with remembering it.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//"


--

Steve Schofield
Windows Server MVP - IIS
http://weblogs.asp.net/steveschofield



Re: DefaultLogonDomain attribute and Integrated Windows Authentication

on 31.12.2007 10:33:14 by Ken Schaefer

I don't believe that this is possible because both IWA authentication
methods (NTLM and Kerberos) require that the Domain be specified.

For NTLM, the Domain\Username is part of the hash generated by the client.
The server can't tamper with the supplied hash.

For Kerberos, the Domain\Username supplied by the user is used to obtain the
necessary authenticator to the web server.

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken

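As an added check that is not part of the thread: a PowerShell snippet that reads a site's AuthFlags, AccessSSLFlags and DefaultLogonDomain from the IIS 6 metabase through the ADSI provider and reports where the DefaultLogonDomain setting can and cannot take effect, based on what the replies above establish. It assumes the IIS ADSI provider is present and that the site of interest is W3SVC/1 (change the path as needed); the bit values are the IIS 6 metabase schema constants.

```powershell
# Added example (not from the thread): decode an IIS 6 site's AuthFlags and
# report whether DefaultLogonDomain will apply to the enabled auth methods.
# Assumes the IIS ADSI provider and a site at W3SVC/1 (hypothetical path).

$AuthAnonymous = 1; $AuthBasic = 2; $AuthNTLM = 4; $AuthMD5 = 16; $AuthPassport = 64
$AccessSSL = 8   # bit in AccessSSLFlags that forces HTTPS on the node

function Get-LogonDomainReport {
    param(
        [int]$AuthFlags,
        [int]$AccessSSLFlags,
        [string]$DefaultLogonDomain
    )
    $report = @()
    if ($AuthFlags -band $AuthAnonymous) {
        $report += "Anonymous is ON: browsers are not prompted for credentials at all."
    }
    if ($AuthFlags -band $AuthBasic) {
        if ($DefaultLogonDomain) {
            $report += "Basic is ON: DefaultLogonDomain '$DefaultLogonDomain' qualifies a bare username."
        } else {
            $report += "Basic is ON but DefaultLogonDomain is empty: bare usernames are not qualified by this setting."
        }
        if (-not ($AccessSSLFlags -band $AccessSSL)) {
            # Basic transmits the password in clear text; flag nodes that do not require SSL
            $report += "WARNING: Basic is enabled and SSL is not required on this node."
        }
    }
    if ($AuthFlags -band $AuthNTLM) {
        $report += "Integrated (NTLM/Kerberos) is ON: DefaultLogonDomain is ignored; users must enter DOMAIN\user or a UPN (user@domain.com)."
    }
    if ($AuthFlags -band ($AuthMD5 -bor $AuthPassport)) {
        $report += "Digest or Passport is ON: not covered by this check."
    }
    return $report
}

# Read the live values from the metabase (site id 1 is an assumption)
$node      = [ADSI]"IIS://localhost/W3SVC/1/Root"
$authFlags = [int]$node.Properties["AuthFlags"].Value
$sslFlags  = [int]$node.Properties["AccessSSLFlags"].Value
$defDomain = [string]$node.Properties["DefaultLogonDomain"].Value

Get-LogonDomainReport -AuthFlags $authFlags -AccessSSLFlags $sslFlags -DefaultLogonDomain $defDomain
```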