Re: Can't access Active Directory from IIS6/2003 member server
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 08/10/04
- Next message: Tom Pepper Willett: "Re: Problems with IIS 5 & PWS"
- Previous message: David Wang [Msft]: "Re: Adodb.Stream problems on IIS6"
- In reply to: SerialHobbyist: "Re: Can't access Active Directory from IIS6/2003 member server"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 10 Aug 2004 14:48:07 -0700
No, Kerberos should be enabled by default for IIS6 joined to a domain.
Default value for W3SVC/NTAuthenticationProviders is "not set", which means
the default value of "Negotiate,NTLM" is used.
The configuration value means that for non-domain machines, Negotiate falls
back to NTLM, while for domain machines, Kerberos is first tried, and then
NTLM.
If you are in a domain and Kerberos is not used, then you probably had
something else change your IIS6 configuration.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"SerialHobbyist" <nospam@nospam> wrote in message
news:42a78$4118758b$5397c884$12940@nf2.news-service-com...
Solved it!
It was related to authentication. I've documented my solution here:
http://www.garratt.e7even.com/garratt/html/using_server_2003_and_iis6_to_.html
and I'll keep that page up to date with developments in case it's of use to
anyone else.
In short, it was a Kerberos issue. Apparently, Kerberos is not enabled by
default on IIS.
I used this command to enable it:
cscript C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate"
then I reset IIS and all was well.
Regards
SH
David Wang [Msft] wrote:
> What user identity (and with what authentication protocol) are you using to
> access the ASP page?
>
> The issue sounds like one of permissions, unrelated to IIS. For example,
> when you ran the VBScript on the member server, you do it as your own logged
> in identity, which likely has permissions to the AD. However, when you run
> it in the ASP page, it is done via some other identity, logged on with a
> different login.
>
>
> Turn off Anonymous, turn on Basic authentication, and see if it works --
> Basic login is close to your usual user login via the console, but its login
> type is not "Interactive"... so if the API you call requires "interactive",
> it'll never work from an identity obtained through IIS. This was a security
> decision made in IIS6 and Windows Server 2003 that is not configurable.
>
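An added example, not part of the original posting: one way to confirm whether a request sent under "Negotiate,NTLM" actually carried Kerberos or fell back to NTLM is to inspect the token in the captured HTTP Authorization header. The function names and sample tokens below are hypothetical and constructed for illustration (no real tickets or hashes).

```python
import base64

# DER-encoded GSS-API mechanism OIDs (tag 0x06, length, value).
MECH_OIDS = {
    bytes.fromhex("06092a864886f712010202"): "Kerberos",
    bytes.fromhex("06092a864882f712010202"): "Kerberos",  # legacy Microsoft OID
    bytes.fromhex("060a2b06010401823702020a"): "NTLM",
}


def negotiated_mechanism(authorization):
    """Classify the token in an HTTP Authorization header value."""
    scheme, _, blob = authorization.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "not integrated authentication"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed token"
    if token.startswith(b"NTLMSSP\x00"):
        # Bare NTLMSSP message: Negotiate fell back to NTLM.
        return "NTLM"
    if token[:1] == b"\x60":
        # GSS-API initial token (raw Kerberos or SPNEGO). In SPNEGO the
        # mechanism list is in preference order, so the first OID wins.
        head = token[:64]
        hits = sorted((head.find(oid), name)
                      for oid, name in MECH_OIDS.items() if oid in head)
        return hits[0][1] if hits else "unknown GSS-API mechanism"
    return "unrecognised token"


def _tlv(tag, body):
    # Short-form DER length only; enough for the constructed samples.
    return bytes([tag, len(body)]) + body


def sample_headers():
    """Constructed header values: structure only, no credentials."""
    krb, krb_ms, ntlm = MECH_OIDS  # dict preserves insertion order
    spnego_oid = bytes.fromhex("06062b0601050502")
    def spnego(*mechs):
        inner = _tlv(0xA0, _tlv(0x30, _tlv(0xA0, _tlv(0x30, b"".join(mechs)))))
        return _tlv(0x60, spnego_oid + inner)
    raw_ntlm = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(4)
    tokens = {"spnego_kerberos_first": spnego(krb_ms, krb, ntlm),
              "spnego_ntlm_only": spnego(ntlm), "raw_ntlm": raw_ntlm}
    return {k: "Negotiate " + base64.b64encode(v).decode() for k, v in tokens.items()}
```

A base64 token beginning "TlRMTVNTUA" is the bare NTLMSSP case, which is the quickest visual check in a network trace.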