Security for multi-domain setup

Hello,

I've scoured the Web but found no answers to this riddle:

I have a WAN with three domains (say, A, B and C). Domain A and B have
Windows 2000 Server ADCs and Domain C has a Windows 2003 ADC. Everything's
in Native Mode. Trust relationships are established between each domain.

Now, I have an IIS 6 server in domain A on (obviously) a Windows 2003
server. I have an intranet I wish to make available to users in domains B
and C. The virtual directory for said intranet is configured per KB168908
(Basic Authentication with the '\' in the Domain box).

If I log-in locally on the IIS server with a user from Domain B or C, I can
display the pages just fine. Of course, users from Domain A have no
problems.

However, if I try to access the page from a PC located in Domain B or C,
sometimes the page appears fine, sometimes it partially loads (text,
graphics) and then a login prompt pops-up. Sometimes, the login prompt only
appears. Typing the correct credentials dosen't seem to work. I've tried
Windows Integrated Authentication and get similar results.

I would really like for authentication to work and be transparent for users
of all 3 domains. The 3 Domains are on different networks connected through
VPN (a, gasp!, Linux solution using cipe). The VPN does not block any
traffic between the networks.

Any thoughts?

Thanks!

Jonathan Kelly
j.kelly@julien.ca

Anthony
Tue Sep 23 17:25:53 CDT 2003

Do you need authentication because it is an internal system? You could
allow Anonymous Access and then the permissions wouldn't come into play.
You just need to make sure the IUSR_<MachineName> has read permissions on
your web directory.

hope this helps,
Anthony Biondo Jr.
Senior Web Developer
Keystone Mercy Health Plan - Philadelphia, PA
anthony.biondo@kmhp.com


"Jonathan Kelly" <j.kelly@julien.ca> wrote in message
news:%23UBcf4UgDHA.2332@TK2MSFTNGP12.phx.gbl...
> Hello,
>
> I've scoured the Web but found no answers to this riddle:
>
> I have a WAN with three domains (say, A, B and C). Domain A and B have
> Windows 2000 Server ADCs and Domain C has a Windows 2003 ADC. Everything's
> in Native Mode. Trust relationships are established between each domain.
>
> Now, I have an IIS 6 server in domain A on (obviously) a Windows 2003
> server. I have an intranet I wish to make available to users in domains B
> and C. The virtual directory for said intranet is configured per KB168908
> (Basic Authentication with the '\' in the Domain box).
>
> If I log-in locally on the IIS server with a user from Domain B or C, I
can
> display the pages just fine. Of course, users from Domain A have no
> problems.
>
> However, if I try to access the page from a PC located in Domain B or C,
> sometimes the page appears fine, sometimes it partially loads (text,
> graphics) and then a login prompt pops-up. Sometimes, the login prompt
only
> appears. Typing the correct credentials dosen't seem to work. I've tried
> Windows Integrated Authentication and get similar results.
>
> I would really like for authentication to work and be transparent for
users
> of all 3 domains. The 3 Domains are on different networks connected
through
> VPN (a, gasp!, Linux solution using cipe). The VPN does not block any
> traffic between the networks.
>
> Any thoughts?
>
> Thanks!
>
> Jonathan Kelly
> j.kelly@julien.ca
>
>

timcof
Tue Sep 30 00:52:26 CDT 2003

How can you be in native mode, and not mixed mode, with 2 different OS DCs?

And you could test by setting up some simple file shares to see if users from all 3 can hit them, and yes, if you are not restricting any users, then use
anonymous and this won't be an issue. Might run filemon and regmon from www.sysinternals.com to see if you have some permission issues.

Thank you. I hope this information is helpful.

Tim Coffey [MSFT]

This posting is provided ?AS IS? with no warranties, and confers no rights. You assume all risk for your use. © 2001 Microsoft Corporation. All rights reserved.
--------------------
| From: "Jonathan Kelly" <j.kelly@julien.ca>
| Subject: Security for multi-domain setup
| Date: Mon, 22 Sep 2003 17:11:38 -0400
| Lines: 36
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| Message-ID: <#UBcf4UgDHA.2332@TK2MSFTNGP12.phx.gbl>
| Newsgroups: microsoft.public.inetserver.iis
| NNTP-Posting-Host: hse-toronto-ppp134296.sympatico.ca 64.228.82.81
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.inetserver.iis:276697
| X-Tomcat-NG: microsoft.public.inetserver.iis
|
| Hello,
|
| I've scoured the Web but found no answers to this riddle:
|
| I have a WAN with three domains (say, A, B and C). Domain A and B have
| Windows 2000 Server ADCs and Domain C has a Windows 2003 ADC. Everything's
| in Native Mode. Trust relationships are established between each domain.
|
| Now, I have an IIS 6 server in domain A on (obviously) a Windows 2003
| server. I have an intranet I wish to make available to users in domains B
| and C. The virtual directory for said intranet is configured per KB168908
| (Basic Authentication with the '\' in the Domain box).
|
| If I log-in locally on the IIS server with a user from Domain B or C, I can
| display the pages just fine. Of course, users from Domain A have no
| problems.
|
| However, if I try to access the page from a PC located in Domain B or C,
| sometimes the page appears fine, sometimes it partially loads (text,
| graphics) and then a login prompt pops-up. Sometimes, the login prompt only
| appears. Typing the correct credentials dosen't seem to work. I've tried
| Windows Integrated Authentication and get similar results.
|
| I would really like for authentication to work and be transparent for users
| of all 3 domains. The 3 Domains are on different networks connected through
| VPN (a, gasp!, Linux solution using cipe). The VPN does not block any
| traffic between the networks.
|
| Any thoughts?
|
| Thanks!
|
| Jonathan Kelly
| j.kelly@julien.ca
|
|
|