David
Fri Sep 28 06:01:58 PDT 2007
You should enable Windows Authentication and set NTFS ACLs on the
resources served by IIS to grant access to "some" b.main.org users.

Are you unable to ACL resources to grant access to some b.main.org
users, or are you using some other custom authentication scheme unable
to authenticate against b.main.org users?

This is not an IIS question because there is no such thing as "make
IIS authentication to also grant access to some b.main.org users". IIS
has no such authentication nor authorization control. Active Directory/
SAM provides Authentication, and NTFS provides Authorization control.
You have to configure those things properly to give the illusion of
"accessing through IIS".

All IIS does is log on a user against either Active Directory/SAM and
then AccessCheck() that token against NTFS ACLs.

Where is IIS granting access to some b.main.org user? Absolutely
nowhere. YOU grant NTFS ACLs to b.main.org users on the resources, and
YOU configure IIS to require user authentication, and the rest take
care of themselves.

Now, I'm thinking of your curious wording about "set to domain
a.main.org in the default domain settings". The only authentication
protocol which allows setting "domain" is Basic
authentication, and if you are using that, then you are causing your
own problems by setting a.main.org as the default domain and making
all users, including those from b.main.org. You fix this by not using
basic authentication. No, there's no way to selectively disable defaults
to grant access because that's a catch-22. How do you figure out a
user is from b.main.org when you force IIS to authenticate against
a.main.org? There's no security protocol that works like "if I fail to
authenticate user against default domain then try this other domain".

The easiest solution is to use Windows Authentication. With trust
established, users will automatically log in to IIS as their own domain
account, and everything just works.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Sep 27, 3:33 pm, "msnews.microsoft.com" <erom...@cgnet.com> wrote:
> a.main.org and b.main.org trust are already in place. because both domains
> belong to the same AD forest main.org
> I still think this is an IIS question because the IIS authentication has
> been set to domain a.main.org in the default domain settings. so how can I
> make IIS authentication to also grant access to "some" b.main.org users?
>
> "David Wang" <w3.4...@gmail.com> wrote in message
>
> news:1190683100.163477.292450@g4g2000hsf.googlegroups.com...
>
>
>
> > Really, your question has nothing to do with IIS. You may find better
> > support for your question elsewhere, like Active Directory.
>
> > IIS6 in a domain will use AD and NTFS ACLs to provide granular access
> > control. All you need to do is establish the correct trust between
> > those AD sites and ACL files correctly, and IIS will work.
>
> > How do you plan to establish AD trust between these sites to allow
> > access by some of a.main.org and b.main.org ?
>
> > For example, you can establish one-way trust (or two-way trust --
> > depends on your AD-needs -- has nothing to do with IIS) between
> > a.main.org and x.main.org, at which point you can ACL resources on
> > x.main.org for a.main.org, and IIS will simply reuse your trust
> > configuration and work.
>
> > //David
> > http://w3-4u.blogspot.com
> > http://blogs.msdn.com/David.Wang
> > //
>
> > On Sep 24, 2:25 am, "eric romero" <e.rom...@cgnet.com> wrote:
> >> Hi,
>
> >> I do not use or plan to use iSA.
>
> >> Please do you have any way that IIS6.0 could be granular and grant access
> >> to all x.main.org users and at the same time grant access to "some" of
> >> the a.main.org and b.main.org users?
>
> >> thx
> >> eric
>
> >> "Steve Schofield" <st...@iislogs.com> wrote in message
>
> >> news:eYYSx0h$HHA.1164@TK2MSFTNGP02.phx.gbl...
>
> >> > This is not really an IIS question as something like ISA Server. If
> >> > you
> >> > have ISA in-front of your IIS boxes, you can control by group.
>
> >> > --
>
> >> > Best regards,
>
> >> > Steve Schofield
> >> > Windows Server MVP - IIS
> >> > http://weblogs.asp.net/steveschofield
>
> >> > <e.rom...@cgnet.com> wrote in message
> >> > news:e2HmaFf$HHA.4828@TK2MSFTNGP04.phx.gbl...
> >> >> Hi,
>
> >> >> I use IIS6 to publish our intranet, such IIS website is in a
> >> >> x.main.org AD child domain; there are no issues for x.main.org
> >> >> users to access such website.
>
> >> >> The AD domain is a multi-site AD windows2003 domain where there are
> >> >> a.b.c.d.e..main.org domains.
>
> >> >> What do I need to set to keep providing intranet access to all
> >> >> x.main.org users and at the same time grant access to "some" of the
> >> >> a.main.org and b.main.org users?
>
> >> >> thx
> >> >> Eric
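
Added example, not part of the thread and not written by any of its participants: one way to apply the advice in the reply at the top (Windows Authentication in IIS, access decided by NTFS ACLs), followed by a check for broad ACL entries that would admit every trusted-domain user instead of "some". The content path, the NetBIOS domain name X, the group X\Intranet-Partners and site ID 1 are assumptions made for illustration.

```powershell
# Assumed names (not from the thread).
$ContentRoot   = 'D:\Intranet'               # hypothetical content folder served by IIS
$AllowedGroups = @(
    'X\Domain Users',                        # all x.main.org users (NetBIOS name X assumed)
    'X\Intranet-Partners'                    # hypothetical group holding the selected
)                                            # a.main.org / b.main.org accounts

# 1. IIS 6: require Integrated Windows authentication only on site 1 (assumed site ID).
#    AuthFlags 4 = Integrated Windows authentication; anonymous and Basic are left off,
#    so no Basic "default domain" is involved in the logon.
cscript.exe //nologo C:\Inetpub\AdminScripts\adsutil.vbs set W3SVC/1/Root/AuthFlags 4

# 2. NTFS: grant read access to exactly the groups that should get in.
$acl = Get-Acl -Path $ContentRoot
foreach ($group in $AllowedGroups) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $group, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ContentRoot -AclObject $acl

# 3. Audit: with forest trust in place, these principals include users from every
#    trusted domain, so an Allow entry for any of them defeats the "some users" goal.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
(Get-Acl -Path $ContentRoot).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value } |
    ForEach-Object {
        # IsInherited tells you whether the entry must be fixed on a parent folder.
        Write-Warning ("Broad grant: {0} has {1} (inherited: {2})" -f $_.IdentityReference, $_.FileSystemRights, $_.IsInherited)
    }
```

A warning from step 3 usually points at an entry inherited from the volume root, which has to be removed or blocked there before the group-based grants in step 2 actually restrict anything.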