Windows Server 2008 R2 Thread, Securing our Intranet with Digest Authentication (IIS 7.5) in Technical
13th June 2010, 09:56 PM #1
Securing our Intranet with Digest Authentication (IIS 7.5)
I am just in the process of setting up an intranet running on IIS 7.5. It works perfectly with anon access and digest authentication when outside of our network. Inside our network it doesn't work.
When requested I put in my credentials 'domain\username' and password, and it just sits there, eventually timing out with a page cannot be found error.
Our AD environment consists of 3 domains and users in all domains are going to need access to it.
The server itself is running Windows W2K8 R2 Web
So far this is what I've tried:
Adding BackConnectionHostNames to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 (as per "Users experience authentication issues when they access a Web page in IIS 6.0 or query Microsoft SQL Server 2000 after you install Windows Server 2003 Service Pack 1").
Adding DisableLoopbackCheck to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Before adding the DisableLoopbackCheck registry entry I was getting the following in event viewer on the web server until the request times out:
Code:
The domain controller attempted to validate the credentials for an account.
Authentication Package: WDigest
Logon Account: username
Source Workstation: CURDC001
Error Code: 0x0
After adding the registry entry above I am getting the following (until the request times out):
Code:
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: DOMAIN\username
Account Name: username
Account Domain: DOMAIN
Logon ID: 0x3b35e11
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 82.198.240.114
Source Port: 43273
Detailed Authentication Information:
Logon Process: WDIGEST
Authentication Package: WDigest
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
I have no idea what is going on or why it doesn't want to work. Any ideas?
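An added example, not part of the original post: a small Python parser for event text in the layout pasted above. It keeps the Subject and New Logon sections apart (both carry an Account Name) and reports the logon type, authentication package and whether the source address is in RFC 1918 space. The sample event, account name, domain and address are constructed placeholders.

```python
import ipaddress

# Constructed sample in the layout of the logon event quoted in the post;
# the account, domain and address are placeholders, not values from the thread.
SAMPLE_EVENT = """An account was successfully logged on.
Subject:
Account Name: -
Logon Type: 3
New Logon:
Account Name: jdoe
Account Domain: EXAMPLE
Network Information:
Source Network Address: 203.0.113.10
Detailed Authentication Information:
Authentication Package: WDigest
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_event(text):
    """Split flattened event text into {section: {field: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue                                  # title line, no field on it
        if not value.strip():
            current = sections.setdefault(key, {})    # "New Logon:" style header
        elif current is not None:
            current[key] = value.strip()              # first colon only, so IPv6 survives
    return sections

def summarize(text):
    """Pull out the fields worth comparing between a working and a failing attempt."""
    s = parse_event(text)
    logon = s.get("New Logon", {})
    addr = s.get("Network Information", {}).get("Source Network Address")
    try:
        ip = ipaddress.ip_address(addr)
        rfc1918 = any(ip in net for net in RFC1918)
    except ValueError:
        rfc1918 = None                                # "-" or missing address
    return {
        "account": "{}\\{}".format(logon.get("Account Domain"), logon.get("Account Name")),
        # In this layout "Logon Type" follows the Subject fields with no header of its own.
        "logon_type": s.get("Subject", {}).get("Logon Type"),
        "package": s.get("Detailed Authentication Information", {}).get("Authentication Package"),
        "source": addr,
        "source_is_rfc1918": rfc1918,
    }
```

Calling `summarize()` on the event captured for an attempt from inside the network and on one from outside gives two small dictionaries that can be compared field by field.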
-
13th June 2010, 10:01 PM #2
Everything looks fine, however could it be that the username and PW are case sensitive and you are mis-inputting them?
-
-
13th June 2010, 10:22 PM #3
100% sure the username/password is correct because when not connected to the network it works as expected. I've even tried it with multiple accounts from different domains just in case it didn't like accounts that exist in a different domain to the one the server is a member of.
-
-
14th June 2010, 12:05 AM #4
Then in that case I am stumped!
-
-
14th June 2010, 01:36 AM #5
Should you use integrated auth since they are domain machines?
-
-
14th June 2010, 11:09 AM #6
I have a feeling the reason I went for digest is because integrated auth requires additional ports to be open because the authentication happens between the IE client and the DC rather than the server passing the credentials.
Digest doesn't need any additional ports because it's challenge and response over http sent to the IIS server.
-
-
14th June 2010, 11:16 AM #7 
Originally Posted by adamf:
I have a feeling the reason I went for digest is because integrated auth requires additional ports to be open because the authentication happens between the IE client and the DC rather than the server passing the credentials.
Digest doesn't need any additional ports because it's challenge and response over http sent to the IIS server.
Falsehood.
-
-
14th June 2010, 11:17 AM #8
Ok then..... maybe I mis-read this.. This is taken from a post on the IIS.net forums:
However integrated auth is totally different, there is no user account's password sent to the server-side. IE client needs to communicate with DC first to retrieve its Kerberos token or NTLM hash string and then send them to IIS to perform the authentication. In other words, the logon action does happen between the client and DC.
-
-
14th June 2010, 11:24 AM #9
I must have misunderstood because with integrated auth it seems to be working inside and out.
-