Posted by Roger Abell [MVP] on September 3, 2005, 5:55 am
Yes, the default is set in IIS mgr. To force use of clear text just
leave it as the one enabled login method. With clear text the IIS
server gets to be privy to the name and pwd, and so can alter.
--
Roger
> Thanks Roger for the insight.
>
> Currently the site will use clear text as it is running entirely through
> SSL...and some of the user base may not be using IE. So I will do as you
> suggest and set the default login domain in clear text mode. (I assume
> that is done with IIS Manager...)
>
> It didn't occur to me that the server has to distinguish between the
> machine and domain accounts...
>
> Thanks,
> Gery
>
>
> --
> Gery D. Dorazio
> Development Engineer
>
> EnQue Corporation
> 1334 Queens Road
> Charlotte, NC 28207
> (704) 377-3327
>> Gery,
>>
>> If by "external web domain" you are meaning the DNS name for the
>> site as known by the browsing public, then this has no impact on the
>> need for specifying a login domain.
>>
>> They need to say domain\user because the IIS is on a member and
>> you are having them use domain accounts instead of machine local
>> accounts of the IIS box (and the login process needs a way to
>> distinguish). If you drop the Windows integrated and go to clear
>> text authentication then you can still use domain accounts and you
>> can specify a default login domain. Of course the clear text nature
>> of this is definitely not desirable. In standard as-it-ships IIS you
>> cannot specify a default domain for Windows integrated authentication
>> (since that is a challenge response discussion where IIS is not an
>> intimate intermediary able to "adjust" what is being exchanged).
>> I believe that you might actually want to look at the digest
>> authentication capability of IIS 6 or of the older MSCS membership
>> services.
>> Roger
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Server : Security)
>> MCSE (W2k3,W2k,Nt4) MCDBA
>>
>>> When users access a secured web site I manage the normal Windows login
>>> dialog appears requiring the username and password. The username text
>>> box requires the domain\username to be entered. Windows Integrated
>>> Authentication is being used as the authentication method.
>>>
>>> The web site hardware for this system is a web server box, a DNS box
>>> with Active Directory, and a database box. (This is a SharePoint
>>> installation.) The internal domain for the three servers is different
>>> than the web site domain defined for the internet. Correct me if I am
>>> wrong but I think this is why the username text box requires the
>>> domain\username and not just the username. Is this correct thinking?
>>>
>>> If my thinking is correct so far (or if it's not and you can correct me)
>>> then my fundamental question is how can I configure this setup to not
>>> require the domain part of the login? I do not want to change the
>>> internal domain of the three servers. Is there an alias capability where
>>> the internal domain can be aliased to match the external web domain
>>> being requested?
>>>
>>> Thanks for any suggestions.
>>>
>>> Gery
>>>
>>>
>>> --
>>> Gery D. Dorazio
>>> Development Engineer
>>>
>>> EnQue Corporation
>>> 1334 Queens Road
>>> Charlotte, NC 28207
>>> (704) 377-3327
>>>
>>
>>
>
>
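An added illustration, not part of the thread and not IIS's own code: with clear text (Basic) authentication the server receives the user name and password in a decodable form, which is what lets it supply a default logon domain as discussed above. The domain name "CORP", the function names, and the sample credentials are constructed assumptions.

```python
import base64
import binascii

DEFAULT_DOMAIN = "CORP"  # assumed default logon domain (constructed value)


def parse_basic(header):
    """Return (username, password) from an Authorization: Basic header value."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        raise ValueError("not a Basic authorization header")
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credentials") from exc
    # Split on the first colon only: the password may itself contain colons.
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        raise ValueError("missing user:password separator")
    return user, password


def qualify(user, default_domain=DEFAULT_DOMAIN):
    """Apply the default domain only when the client supplied none."""
    # domain\user and user@domain forms already name a domain; keep them.
    if "\\" in user or "@" in user:
        return user
    return f"{default_domain}\\{user}"


def logon_identity(header, default_domain=DEFAULT_DOMAIN):
    """What the server would hand to the logon call for this request."""
    user, password = parse_basic(header)
    return qualify(user, default_domain), password


def make_header(user, password):
    """Build the header value a browser would send (constructed sample input)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    for name in ("gery", "OTHER\\gery", "gery@example.test"):
        print(logon_identity(make_header(name, "s3cret:pw")))
```

The credentials are only base64-encoded, not encrypted, which is why the thread ties this method to a site running entirely through SSL.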