IIS 6 Authentication Question

Hi, folks

I have a dev site setup on IIS 6/W2K3 that is in addition to the default site and administrative site on the server. Anonymous access it turned off. It's running on port 80, with no SSL port. I have established a local group whose members have access to the whole site folder. Windows Integrated Authentication is selected for the authentication type

I can access it via my personal ISP from home and get appropriately challenged for domain/user/pswd. However, when I try to access it from work, with default browser settings, I get the error below my sig. I do use a proxy at work setup for 80/443/21. Questions

1) Is this possibly a firewall/proxy problem? Considering the political landscape regarding our network security group, getting a firewall exception will be impossible

2) I tried assigning SSL port 443 to the dev site (using TCP port 8099), but because the administrative site is already using it, I received errors when trying to use it on my dev site. I have purchased a certificate (via my hosting provider), but quite frankly do not know the first thing (yet) about implementing one. Q1) Do you think I could successfully connect using Basic Authentication? Q2) I'd prefer to use SSL, so does anybody have any good "get started" links and/or know how I can overcome my admin site's use of 443

TIA

Bo
webguybob@hotmail.co
MSN Messenger at same addres

<404 Error
You are not authorized to view this pag
You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept.
-------------------------------------------------------------------------------

Please try the following

Contact the Web site administrator if you believe you should be able to view this directory or page.
Click the Refresh button to try again with different credentials.
HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration
Internet Information Services (IIS

-------------------------------------------------------------------------------

Technical Information (for support personnel

Go to Microsoft Product Support Services and perform a title search for the words HTTP and 401.
Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled About Security, Authentication, and About Custom Error Messages.
</404 Error>

Keith
Mon May 24 09:03:44 CDT 2004

> 1) Is this possibly a firewall/proxy problem? Considering the political
landscape regarding our network security group, getting a firewall exception
will be impossible.

Yes, it is likely a proxy-related issue. Windows Integrated authentication
isn't well suited to Internet-based communications. If you need to connect
via en external network (which is assumed to have a firewall, proxy or
both), you should probably be using basic authentication via SSL.

> 2) I tried assigning SSL port 443 to the dev site (using TCP port 8099),
but because the administrative site is already using it, I received errors
when trying to use it on my dev site. I have purchased a certificate (via
my hosting provider), but quite frankly do not know the first thing (yet)
about implementing one. Q1) Do you think I could successfully connect
using Basic Authentication? Q2) I'd prefer to use SSL, so does anybody
have any good "get started" links and/or know how I can overcome my admin
site's use of 443?

Go into the properties of the web site and into the advanced section next to
the IP specification. Remove the mapping to 443 there, so that the site
doesn't bind.

In general, only one SSL site can be bound to a given IP address. So you
could even go a step farther and just set the admin site to listen on some
other address that you don't translate publicly. Or, delete the admin site
if you don't really need it.

webguybob
Mon May 24 09:56:10 CDT 2004

Keith

I appreciate the prompt response. Considering that I can't get through my firewall/proxy at work in order to use the Remote Desktop Connection utility, I will need to keep the admin site running. I'm in an unfortunate position whereby I can do some things from work, but then must wait till I get home in order to use RDC for more advanced administration

So, is my best bet to assign another IP to the NIC, bind that to the Dev Site, and then try Basic Authentication over SSL/443? If I do that, there will be other unknown issues to resolve

Our current IP is the one assigned to our domain name in the hosting provider's DNS

A Name
domain.com -> 1.1.1.1 (fictitious

C Name
dev.domain.com -> domain.co

If I assign 1.1.1.2 to the server NIC and IIS host header, will dev.domain.com still resolve

Thx

Bob

Keith
Mon May 24 11:50:18 CDT 2004

> I appreciate the prompt response. Considering that I can't get through my
firewall/proxy at work in order to use the Remote Desktop Connection
utility, I will need to keep the admin site running. I'm in an unfortunate
position whereby I can do some things from work, but then must wait till I
get home in order to use RDC for more advanced administration.

Gotcha. Not many ways around that.

> Our current IP is the one assigned to our domain name in the hosting
provider's DNS:
>
> A Name:
> domain.com -> 1.1.1.1 (fictitious)
>
> C Name:
> dev.domain.com -> domain.com
>
> If I assign 1.1.1.2 to the server NIC and IIS host header, will
dev.domain.com still resolve?

No. If you use 1.1.1.2 for the dev site, dev.domain.com can no longer be an
alias for domain.com. You'd need to point dev.domain.com to the translated
address for 1.1.1.2.

anonymous
Mon May 24 12:21:07 CDT 2004

Keith,

Perhaps I don't understand the terminology, and I certainly don't attest to being a DNS guru, but how would I determine the "translated address for 1.1.1.2" and how would I point dev.domain.com to it? Perhaps if I knew the former, I could figure out the latter by using my hosting provider's DNS admin tool.

Thx,

Bob

Keith
Mon May 24 14:21:30 CDT 2004

I'm assuming you're using NAT, some type of router/firewall, etc. Correct?
That translation between the public and private addresses was what I was
referring to when I said that. If you have more than one public IP, this is
easy. If not, you might have to work around the proxy filters by disabling
certain sites to get others to work.

"WebGuyBob" <anonymous@discussions.microsoft.com> wrote in message
news:0EA64BE8-EE1E-46E1-B9DB-1D7E1EF81E31@microsoft.com...
> Keith,
>
> Perhaps I don't understand the terminology, and I certainly don't attest
to being a DNS guru, but how would I determine the "translated address for
1.1.1.2" and how would I point dev.domain.com to it? Perhaps if I knew the
former, I could figure out the latter by using my hosting provider's DNS
admin tool.
>
> Thx,
>
> Bob

brwork
Mon May 24 14:41:07 CDT 2004

Keith

My work location is using a Type 4 firewall configuration. I'm not familiar with NAT, although I've spotted it occasionally as I've been doing this research. So, I really don't know how to reply to your last statements. The box at my hosting provider does not (currently) have a firewall installed. I do have a few public IPs I can assign to the box

BTW...Basic authentication did work. However, even though I input 443 as the SSL port (temporarily disabling the admin site) in the Web site properties, I did not get prompted to accept a certificate nor did the little "lock" appear in my status bar. However, I was prompted for my username and password, which did allow me to get into the site

Rgds

Bob