Authenticate IIS against AD transparently

[FN-GM]

HI

I have an internal intranet site and I would like to restrict to who can view it. I have setup IIS and the site is up and running. I would like to setup security so when a user access the site it authenticates them transparently if they are logged onto the domain.

What security settings do i need to set in IIS to achieve this please?

Thanks

z

[Pashers]

Hi FN-Greatermanchester,

Have you thought about using ASP.NET? Within the web.config put in <authentication mode="Windows"/>
<identity impersonate="true"/>

Then as venkatzeus (asp.net web application authentication - ASP.NET Forums) said
Please try this:

1. In the Browser (IE), go to "Tools->Options...-> security tab", add the
website address to "Trusted Sites",

or


2. Select "Local Intranet" and click "Custom Level...", scroll down to "User
Authentication->User Logon", select "Automatically logon with current user
name and password".

Also please try enabling the Anonymous access.

Click Start->Run->inetmgr->check Properties of "Web Sites"->switch to Directory Security->edit Authentication and Access control->Check "Enable Anonymous Access"

Hope this helps!

[powdarrmonkey]

In the properties for the site, under 'Directory Security' then 'Authentication and Access Control' switch off anonymous mode and ensure that Integrated Windows Authentication is on.

IIRC you can leave anonymous on, and IWA will take precedence, but don't quote me on it.

[powdarrmonkey]

Oh one caveat I have found: if the address you are using has a dot in it (like intranet.mydomain.local) IE will not transmit authentication data, and the user will be prompted to log in in the normal way.

[FN-GM]

Hi guys

if i add it to the list of intranet site it does just what i want it to. Is there a way to add it in group policy please?

Thanks

[powdarrmonkey]

Yes, have a look here

Stewed Prunes... : Populating Internet Explorer Zones using Group Policy...

[FN-GM]

Just the job

thanks

[rasssp]

I'm having a similar issue. We have 1 network and 2 Intranet sites (staff and student).

My predecessor set them both up with the IIS default anonymous user authentication, which has worked great till now.

The students have found the ip of the staff Intranet and can now browse it.

I need to set the staff Intranet so only staff accounts can access it.

How on earth do I do it?

Both sites are home made and not a cms or vle package.

[FN-GM]

Setup IIS to use Ad authetntication, then on the website itself set the permissions so only staff can read. Then add the address to the local intranet. Can be dome ,works a treat.

If your stuck give us a shout.

Z

[rasssp]

I tried that first, I gave the staff group read rights to c:\inetpub\intranet

then unticked the anonymous user in authentication methods and selected Integrated Windows Authentication.

but now when you browse to the site as a staff member it brings up a login box to connect to the site.

Any ideas?

[FN-GM]

at right, well have you added the site to the local intranet in IE settings?

Also when you set the permissions wipe all existing ones then add the groups you want to view and change. There is a group (cant remember the name) that when it is added it lets people in it shouldn't

[rasssp]

Thats it!, I didn't add it to the policy, done that and it works a treat.

Cheers

[FN-GM]

Thats it!, I didn't add it to the policy, done that and it works a treat.

Cheers

Easy mistake to make, i take it you did it in group policy?

can i have a thanks please

Z

[rasssp]

yea, its set in the group policy for staff and admin staff.

all the students get now is the login box

[FN-GM]

Yep thats how it should go.

Z