Re: Anonymous Site with NTLM Optional




Usually public websites will be hosted in a DMZ, and development sites in an internal secured network. The DMZ domain and the internal domains are thus usually separate (and without any trusts; allowing the DMZ and the internal domains to communicate would require opening specific ports through the firewall, which would make the concept of using a firewall futile).

If this is your scenario, then when testing in development the workstations with the browser clients and the webserver will likely be in the same domain, and thus there are no issues with NTLM. The server in the DMZ is in another domain, however, and thus NTLM from your internal workstations will not work. The same applies when browsing the public webserver from the web: "Internet" users will not be on the same domain as the public webserver, and thus NTLM can't be used.

Switching to "Basic" authentication should help with the cross-domain issue, but I'm not sure if the http_auth_user is carried over to the anonymous side...


If that is not your scenario (DMZ, separate domain, etc.) then I apologize for the incorrect info (even though I'd still recommend not letting a public website have any Active Directory-related connections to your internal domain).

--
Roberto Franceschetti
LogSat Software
http://www.logsat.com


Marc J. Cawood wrote:
We have a site on IIS6 Windows Server 2003 that must be public yet we
would like NTLM to be an optional authentication method for special
users. We have 2 virtual directories
/kb (anonymous AND NTLM)
/kbauth (NTLM only)

All users come to /kb and that is the main application path. When they
click a special link they get taken to /kbauth and NTLM kicks in so
that they are authenticated against the domain. It then redirects them
back to /kb. This is our strategy for implementing optional login via
NTLM.

The problem is in our DEV environment this works and HTTP_AUTH_USER is
retained when going back to /kb. In PROD (identical server)
HTTP_AUTH_USER is lost.

In DEV the browser (IE8) seems to send credentials to /kb (at least
once) but in PROD not.

Surely this must work - otherwise what is the point in IIS of allowing
Anonymous AND NTLM if NTLM is never triggered?

Thanks in advance
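The mechanics behind both the question and the reply, as an added example that is not code from either poster. IIS only issues a 401 challenge when a request cannot be served anonymously, and IE only sends NTLM credentials in response to such a challenge, so a directory that permits Anonymous alongside NTLM never triggers NTLM by itself. NTLM also authenticates a connection rather than a request, so whether the follow-up request to /kb is still seen as authenticated depends on whether the browser reuses the same keep-alive connection and on what sits between browser and server; an application should not depend on that. The simulation below models the two virtual directories from the post, an IE-style client, and an application-issued HMAC ticket that carries the identity established at /kbauth back to /kb. The AuthFlags values are IIS 6's; the NTLM exchange is replaced by a constructed header carrying the resulting account name, and the key, user name and cookie name are assumptions.

```python
import base64
import hashlib
import hmac
import time

# IIS 6 metabase AuthFlags bits: AuthAnonymous = 1, AuthNTLM = 4.
AUTH_ANONYMOUS = 1
AUTH_NTLM = 4

# Per-virtual-directory settings, mirroring the two directories in the post.
VDIRS = {
    "/kb": AUTH_ANONYMOUS | AUTH_NTLM,
    "/kbauth": AUTH_NTLM,
}

# Hypothetical server-side key for the application's own login ticket.
TICKET_KEY = b"constructed-demo-key-not-for-production"
TICKET_TTL = 3600  # seconds


def issue_ticket(user, now=None):
    """Sign 'user|expiry' so /kb can trust an identity that /kbauth established."""
    exp = int(now if now is not None else time.time()) + TICKET_TTL
    payload = base64.urlsafe_b64encode(f"{user}|{exp}".encode()).decode()
    mac = hmac.new(TICKET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_ticket(ticket, now=None):
    """Return the user named in a valid, unexpired ticket, else ''."""
    payload, sep, mac = ticket.partition(".")
    if not sep:
        return ""
    expected = hmac.new(TICKET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return ""
    user, _, exp = base64.urlsafe_b64decode(payload).decode().rpartition("|")
    if int(exp) < (now if now is not None else time.time()):
        return ""
    return user


def iis_handle(path, authorization=None, cookies=None):
    """Model IIS 6's order of operations for one request.

    Returns (status, headers, auth_user, app_user): auth_user is what the
    AUTH_USER / LOGON_USER server variable would contain, app_user is what
    the application derives from its own ticket cookie.
    """
    flags = VDIRS[path]
    cookies = cookies or {}
    auth_user = ""
    if authorization and authorization.startswith("NTLM ") and flags & AUTH_NTLM:
        # Stand-in for the real Type 1 / Type 2 / Type 3 NTLM exchange: the
        # constructed header simply carries the account name that would result.
        auth_user = authorization[len("NTLM "):]
    elif not flags & AUTH_ANONYMOUS:
        # No credentials and anonymous access not permitted: challenge.
        # When anonymous access succeeds IIS never sends this, so a directory
        # with Anonymous + NTLM enabled never "triggers" NTLM on its own.
        return 401, {"WWW-Authenticate": "NTLM"}, "", ""
    # Application layer: prefer the server-authenticated identity, otherwise
    # fall back to the ticket issued during an earlier /kbauth visit.
    app_user = auth_user or verify_ticket(cookies.get("kbticket", ""))
    if path == "/kbauth":
        # Carry the NTLM-established identity back to the anonymous side.
        headers = {
            "Set-Cookie": f"kbticket={issue_ticket(auth_user)}; HttpOnly; Secure",
            "Location": "/kb",
        }
        return 302, headers, auth_user, app_user
    return 200, {}, auth_user, app_user


def browser_flow(user="CORP\\marc"):
    """IE-style client: NTLM credentials are sent only in reply to a 401, never
    pre-emptively; cookies are returned on every request to the same site."""
    jar = {}
    trace = []
    for path in ("/kb", "/kbauth", "/kb"):
        status, headers, auth_user, app_user = iis_handle(path, cookies=jar)
        if status == 401 and headers.get("WWW-Authenticate") == "NTLM":
            trace.append((path, status, auth_user, app_user))
            status, headers, auth_user, app_user = iis_handle(
                path, authorization=f"NTLM {user}", cookies=jar)
        if "Set-Cookie" in headers:
            name, _, value = headers["Set-Cookie"].partition("=")
            jar[name] = value.split(";", 1)[0]
        trace.append((path, status, auth_user, app_user))
    return trace


if __name__ == "__main__":
    for step in browser_flow():
        print("%-8s %d  AUTH_USER=%-12r  app identity=%r" % step)
```

Running it prints the four steps of the trace: /kb served anonymously with an empty AUTH_USER, /kbauth challenged with 401 and then answered with the account name, and the redirect back to /kb served anonymously again, where only the signed ticket (not AUTH_USER) still names the user. The Secure cookie attribute assumes the site is served over HTTPS; without it the ticket travels in the clear on every request.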


