IIS Windows Integrated Authentication Question

TheMSsForum.com: The Microsoft Software Forum

I have a Windows 2003 server as a Member Server, not a Domain
Controller. I have integrated authentication checked in IIS. This
seems to work from the clients. However, if the webpage has a
datasource in its asp page, then I get an error that says the user
does not have permission to get to the object that the page is trying
to get to (the web page itself is allowed). Doing the same thing from
a domain cotroller (from the client again) yields the data. The IUSR
account is not being used on any of them; it is all purerly supposed
to run on integrated authentication. Does the fact that my 2003
server is not a domain controller have anything to do with it? It
seems to be. The white papers from Microsoft say that 2003 member
servers can be used for web servers. Thanks.
Top

Re: IIS Windows Integrated Authentication Question by Tom

Tom
Fri Nov 07 09:50:55 CST 2003

"jm" <john_20_28_2000@yahoo.com> wrote in message
news:c67e4bdd.0311070716.5c5cb0c9@posting.google.com...
> I have a Windows 2003 server as a Member Server, not a Domain
> Controller. I have integrated authentication checked in IIS. This
> seems to work from the clients. However, if the webpage has a
> datasource in its asp page, then I get an error that says the user
> does not have permission to get to the object that the page is trying
> to get to (the web page itself is allowed). Doing the same thing from
> a domain cotroller (from the client again) yields the data. The IUSR
> account is not being used on any of them; it is all purerly supposed
> to run on integrated authentication. Does the fact that my 2003
> server is not a domain controller have anything to do with it? It
> seems to be. The white papers from Microsoft say that 2003 member
> servers can be used for web servers. Thanks.

Sounds like a delegation issue. Try it with Basic instead.

http://support.microsoft.com/?id=176377

--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsserver2003/community/centers/iis/



Top

IIS Windows Integrated Authentication Question by Keith

Keith
Fri Nov 07 09:58:23 CST 2003


>-----Original Message-----
>I have a Windows 2003 server as a Member Server, not a
Domain
>Controller. I have integrated authentication checked in
IIS. This
>seems to work from the clients. However, if the webpage
has a
>datasource in its asp page, then I get an error that says
the user
>does not have permission to get to the object that the
page is trying
>to get to (the web page itself is allowed). Doing the
same thing from
>a domain cotroller (from the client again) yields the
data. The IUSR
>account is not being used on any of them; it is all
purerly supposed
>to run on integrated authentication. Does the fact that
my 2003
>server is not a domain controller have anything to do
with it? It
>seems to be. The white papers from Microsoft say that
2003 member
>servers can be used for web servers. Thanks.
>.
>

Is the Member server in the same Domain, a trusted, or
trusting domain of the Domain controller?
Top

Re: IIS Windows Integrated Authentication Question by john_20_28_2000

john_20_28_2000
Fri Nov 07 12:07:16 CST 2003

"Keith" <anonymous@discussions.microsoft.com> wrote in message news:<0c7501c3a547$f8e19420$a401280a@phx.gbl>...
> >-----Original Message-----
> >I have a Windows 2003 server as a Member Server, not a
> Domain
> >Controller. I have integrated authentication checked in
> IIS. This
> >seems to work from the clients. However, if the webpage
> has a
> >datasource in its asp page, then I get an error that says
> the user
> >does not have permission to get to the object that the
> page is trying
> >to get to (the web page itself is allowed). Doing the
> same thing from
> >a domain cotroller (from the client again) yields the
> data. The IUSR
> >account is not being used on any of them; it is all
> purerly supposed
> >to run on integrated authentication. Does the fact that
> my 2003
> >server is not a domain controller have anything to do
> with it? It
> >seems to be. The white papers from Microsoft say that
> 2003 member
> >servers can be used for web servers. Thanks.
> >.
> >
>
> Is the Member server in the same Domain, a trusted, or
> trusting domain of the Domain controller?

It is a member server in a Windows 2000 mixed domain. The 2003 Server
is not a Domain Controller.
Top

Re: IIS Windows Integrated Authentication Question by john_20_28_2000

john_20_28_2000
Fri Nov 07 12:16:17 CST 2003

"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message news:<bogeqq$8v9@kcweb01.netnews.att.com>...
> "jm" <john_20_28_2000@yahoo.com> wrote in message
> news:c67e4bdd.0311070716.5c5cb0c9@posting.google.com...
> > I have a Windows 2003 server as a Member Server, not a Domain
> > Controller. I have integrated authentication checked in IIS. This
> > seems to work from the clients. However, if the webpage has a
> > datasource in its asp page, then I get an error that says the user
> > does not have permission to get to the object that the page is trying
> > to get to (the web page itself is allowed). Doing the same thing from
> > a domain cotroller (from the client again) yields the data. The IUSR
> > account is not being used on any of them; it is all purerly supposed
> > to run on integrated authentication. Does the fact that my 2003
> > server is not a domain controller have anything to do with it? It
> > seems to be. The white papers from Microsoft say that 2003 member
> > servers can be used for web servers. Thanks.
>
> Sounds like a delegation issue. Try it with Basic instead.
>
> http://support.microsoft.com/?id=176377

It does sound like this issue, but changing to clear text did not
help. I kept Integrated Authentication and Clear Text. The data,
however, resides on another 2000 server and so even if the web server
accepts clear text, then the 2000 server which holds the data will
not. It uses an UNC to a file and that of course entails NTFS
permissions and encrypted passwords. Unless, I can get it to accept
clear text passwords at the NTFS level for that file. I don't know.
Top

Re: IIS Windows Integrated Authentication Question by john_20_28_2000

john_20_28_2000
Fri Nov 07 12:22:14 CST 2003

"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message news:<bogeqq$8v9@kcweb01.netnews.att.com>...
> "jm" <john_20_28_2000@yahoo.com> wrote in message
> news:c67e4bdd.0311070716.5c5cb0c9@posting.google.com...
> > I have a Windows 2003 server as a Member Server, not a Domain
> > Controller. I have integrated authentication checked in IIS. This
> > seems to work from the clients. However, if the webpage has a
> > datasource in its asp page, then I get an error that says the user
> > does not have permission to get to the object that the page is trying
> > to get to (the web page itself is allowed). Doing the same thing from
> > a domain cotroller (from the client again) yields the data. The IUSR
> > account is not being used on any of them; it is all purerly supposed
> > to run on integrated authentication. Does the fact that my 2003
> > server is not a domain controller have anything to do with it? It
> > seems to be. The white papers from Microsoft say that 2003 member
> > servers can be used for web servers. Thanks.
>
> Sounds like a delegation issue. Try it with Basic instead.
>
> http://support.microsoft.com/?id=176377

I also wonder if Windows 2003 is at a higher level of authentication
than Windows 2000 and therefore Windows 2000 rejects it. I don't know
if that is a factor or if they are they same.
Top

Re: IIS Windows Integrated Authentication Question by Keith

Keith
Fri Nov 07 16:45:27 CST 2003


>-----Original Message-----
>"Keith" <anonymous@discussions.microsoft.com> wrote in
message news:<0c7501c3a547$f8e19420$a401280a@phx.gbl>...
>> >-----Original Message-----
>> >I have a Windows 2003 server as a Member Server, not a
>> Domain
>> >Controller. I have integrated authentication checked
in
>> IIS. This
>> >seems to work from the clients. However, if the
webpage
>> has a
>> >datasource in its asp page, then I get an error that
says
>> the user
>> >does not have permission to get to the object that the
>> page is trying
>> >to get to (the web page itself is allowed). Doing the
>> same thing from
>> >a domain cotroller (from the client again) yields the
>> data. The IUSR
>> >account is not being used on any of them; it is all
>> purerly supposed
>> >to run on integrated authentication. Does the fact
that
>> my 2003
>> >server is not a domain controller have anything to do
>> with it? It
>> >seems to be. The white papers from Microsoft say that
>> 2003 member
>> >servers can be used for web servers. Thanks.
>> >.
>> >
>>
>> Is the Member server in the same Domain, a trusted, or
>> trusting domain of the Domain controller?
>
>It is a member server in a Windows 2000 mixed domain.
The 2003 Server
>is not a Domain Controller.
>.
>

Integrated Authentication (at least in Win2K) only works
when all the servers involved and the client are
authenticated (or trusted) by the same Domain. If your
client login, web server computer account, or data source
server computer account is in another Domain (and not
Trusting) then Integrated Authentication prompts for
Username and password.

http://msdn.microsoft.com/library/default.asp?
url=/library/en-us/comsrv2k/htm/cs_gs_security_xmky.asp

Just a thought, don't know if it helps.
Top