I have an IIS application with the following security configuration:

- Authentication Mode = "Anonymous"
- IP Address and Domain Name Restrictions: Deny all except *.mil

There is a user who is unable to get in (403.7 error), even though he
is coming from a .mil address (confirmed by running "ipconfig -a
<ip_address>" from the server).

Of course I can temporarily overcome this problem by explicitly adding
his IP address, but then what happens down the road if he gets assigned
a different address?

Does anyone have any ideas on where I should start looking -- e.g.,
specific local policy settings that need to be tweaked -- for a
possible permanent fix?

Thanks in advance for any helpful hints!

Re: Domain Name Restriction Problem by Daniel

Daniel
Tue Jan 16 12:06:09 CST 2007

jcpc48@gmail.com wrote on 16 Jan 2007 09:53:54 -0800:

> I have an IIS application with the following security configuration:
>
> - Authentication Mode = "Anonymous"
> - IP Address and Domain Name Restrictions: Deny all except *.mil
>
> There is a user who is unable to get in (403.7 error), even though he
> is coming from a .mil address (confirmed by running "ipconfig -a
> <ip_address>" from the server).

You sure it's 403.7? That means he hasn't got a client certificate and IIS
requires one. 403.6 would be the IP address rejected code.

> Of course I can temporarily overcome this problem by explicitly adding
> his IP address, but then what happens down the road if he gets assigned
> a different address?
>
> Does anyone have any ideas on where I should start looking -- e.g.,
> specific local policy settings that need to be tweaked -- for a
> possible permanent fix?
>
> Thanks in advance for any helpful hints!

Have you tried nslookup to check that one, and only one, .mil hostname is
being returned for a lookup on the IP address? It could be that, if there are
multiple responses, IIS is picking up the wrong one. Have you checked
for DNS server errors in the DNS server IIS is using, in case there are
problems with the return data?

Dan
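
The reverse-lookup checks suggested in the reply above, written out as an added Python example (not part of either poster's message): it classifies the PTR names returned for a client address against the "*.mil" allow rule. All addresses and hostnames are constructed, and the forward-confirmation step is an extra check assumed here; the thread does not say how IIS chooses among several names or whether it confirms them.

```python
# Added example with constructed data; function names are hypothetical.
ALLOWED_SUFFIX = ".mil"  # the "*.mil" allow rule from the original post


def matches_rule(hostname, suffix=ALLOWED_SUFFIX):
    """True if hostname falls under the allowed domain suffix."""
    name = hostname.rstrip(".").lower()   # DNS names are case-insensitive
    return name.endswith(suffix) and len(name) > len(suffix)


def diagnose(ip, ptr_names, forward):
    """Classify a client's reverse-DNS data against the allow rule.

    ptr_names: every PTR name returned for ip (e.g. copied from nslookup).
    forward:   dict of lowercase hostname -> list of addresses (A records).
    """
    if not ptr_names:
        return "no-ptr"           # no name to match, so a name rule cannot allow it
    allowed = [n for n in ptr_names if matches_rule(n)]
    if not allowed:
        return "ptr-not-allowed"  # the address resolves, but not to a .mil name
    if len(allowed) < len(ptr_names):
        return "mixed-ptr"        # result depends on which name the server uses
    # Extra check (an assumption, not behaviour described in the thread):
    # at least one allowed name should resolve back to the same address.
    if not any(ip in forward.get(n.rstrip(".").lower(), []) for n in allowed):
        return "forward-mismatch"
    return "ok"


# Constructed sample data (documentation address range, made-up hostnames).
SAMPLES = {
    "192.0.2.10": (["ws1.example.mil."], {"ws1.example.mil": ["192.0.2.10"]}),
    "192.0.2.11": ([], {}),
    "192.0.2.12": (["ws2.example.mil", "dhcp-12.example.net"],
                   {"ws2.example.mil": ["192.0.2.12"]}),
    "192.0.2.13": (["WS3.Example.MIL"], {"ws3.example.mil": ["192.0.2.99"]}),
    "192.0.2.14": (["host.mil.example.com"], {}),
}


def run_samples():
    """Return {ip: verdict} for the constructed samples above."""
    return {ip: diagnose(ip, ptrs, fwd) for ip, (ptrs, fwd) in SAMPLES.items()}


if __name__ == "__main__":
    for ip, verdict in run_samples().items():
        print(ip, verdict)
```

Any verdict other than "ok" for a client that is being refused points at the DNS data rather than at the IIS configuration.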



Re: Domain Name Restriction Problem by jcpc48

jcpc48
Tue Jan 16 13:00:21 CST 2007

Dan,

Thanks for the quick reply.

Good catch -- it was 403.6, not 403.7. It appears that I'm typing
faster than I'm thinking today (you probably also noticed that I said
"ipconfig -a" when I meant "ping -a").

As you suggested, I tried nslookup, but it returned only one hit, so I
guess the next step is to locate the sysadmin for the DNS server and
ask for help.

Thanks again,
Jeff