  1. #1


    Securing our Intranet with Digest Authentication (IIS 7.5)

    I am just in the process of setting up an intranet running on IIS 7.5. It works perfectly with anon access and digest authentication when outside of our network. Inside our network it doesn't work.

    When requested, I put in my credentials ('domain\username' and password) and it just sits there, eventually timing out with a page cannot be found error.

    Our AD environment consists of 3 domains and users in all domains are going to need access to it.

    The server itself is running Windows W2K8 R2 Web

    So far this is what I've tried:

    Adding BackConnectionHostNames to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 (as per "Users experience authentication issues when they access a Web page in IIS 6.0 or query Microsoft SQL Server 2000 after you install Windows Server 2003 Service Pack 1").
    Adding DisableLoopbackCheck to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    Before adding the DisableLoopbackCheck registry entry I was getting the following in event viewer on the web server until the request times out:

    Code:
    The domain controller attempted to validate the credentials for an account.
    Authentication Package: WDigest
    Logon Account: username
    Source Workstation: CURDC001
    Error Code: 0x0

    After adding the registry entry above I am getting the following (until the request times out):

    Code:
    An account was successfully logged on.
    
    Subject:
    	Security ID:		NULL SID
    	Account Name:		-
    	Account Domain:		-
    	Logon ID:		0x0
    
    Logon Type:			3
    
    New Logon:
    	Security ID:		DOMAIN\username
    	Account Name:		username
    	Account Domain:		DOMAIN
    	Logon ID:		0x3b35e11
    	Logon GUID:		{00000000-0000-0000-0000-000000000000}
    
    Process Information:
    	Process ID:		0x0
    	Process Name:		-
    
    Network Information:
    	Workstation Name:	-
    	Source Network Address:	82.198.240.114
    	Source Port:		43273
    
    Detailed Authentication Information:
    	Logon Process:		WDIGEST
    	Authentication Package:	WDigest
    	Transited Services:	-
    	Package Name (NTLM only):	-
    	Key Length:		0

    I have no idea what is going on or why it doesn't want to work. Any ideas?

  2. #2

    nephilim
    everything looks fine, however could it be that the username and PW are case sensitive and you are mis-inputting them?

  3. #3

    100% sure the username/password is correct because when not connected to the network it works as expected. I've even tried it with multiple accounts from different domains just in case it didn't like accounts that exist in a different domain to the one the server is a member of.

  4. #4

    nephilim
    Then in that case I am stumped!

  5. #5

    ZeroHour
    Should you use integrated auth since they are domain machines?

  6. Thanks to ZeroHour from:

    adamf (14th June 2010)

  7. #6

    I have a feeling the reason I went for digest is because integrated auth requires additional ports to be open because the authentication happens between the IE client and the DC rather than the server passing the credentials.

    Digest doesn't need any additional ports because it's challenge and response over http sent to the IIS server.
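
Added example, not part of the original thread: the challenge/response computation that Digest authentication performs over HTTP (RFC 2617, `qop=auth`), together with the server-side check. The header and credentials are the worked example values from RFC 2617; the function names are illustrative.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(username, realm, password):
    # Password-equivalent secret. Whoever validates the response must hold
    # this value (or the password itself) for the account.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    # What the client sends back after the server's 401 challenge.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def parse_authorization(header):
    # 'Digest k="v", k2=v2' -> {"k": "v", "k2": "v2"}
    pairs = re.finditer(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', header)
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in pairs}

def verify(header, method, stored_ha1, issued_nonce):
    # Server side: recompute the response from the stored HA1 and compare.
    # Replay tracking of the nonce count (nc) is left out of this sketch.
    f = parse_authorization(header)
    if f.get("nonce") != issued_nonce:
        return False  # nonce was not issued by this server, or is stale
    expected = digest_response(stored_ha1, method, f.get("uri", ""),
                               issued_nonce, f.get("nc", ""),
                               f.get("cnonce", ""), f.get("qop", "auth"))
    return hmac.compare_digest(expected.encode(), f.get("response", "").encode())

# Worked example values from RFC 2617.
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
SAMPLE_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    f'nonce="{NONCE}", uri="/dir/index.html", qop=auth, nc=00000001, '
    'cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)
STORED_HA1 = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")

if __name__ == "__main__":
    print("valid response:", verify(SAMPLE_HEADER, "GET", STORED_HA1, NONCE))
```

The password never crosses the wire, but the side doing the validation needs the per-account HA1 value, which is why the check appears in the event log as a WDigest validation.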

  8. #7

    powdarrmonkey
    Originally posted by adamf:
        I have a feeling the reason I went for digest is because integrated auth requires additional ports to be open because the authentication happens between the IE client and the DC rather than the server passing the credentials.

        Digest doesn't need any additional ports because it's challenge and response over http sent to the IIS server.

    Falsehood.

  9. #8

    Ok then..... maybe I mis-read this.. This is taken from a post on the IIS.net forums:

    However integrated auth is totally different, there is no user account's password sent to the server-side. IE client needs to communicate with DC first to retrieve its Kerberos token or NTLM hash string and then send them to IIS to perform the authentication. In other words, the logon action does happen between the client and DC.

  10. #9

    I must have misunderstood because with integrated auth it seems to be working inside and out.
