I've installed Windows Server 2003 R2 and IIS role (no Active Directory role). I've set up a virtual directory named 'test' and under Security tab of the 'test' Virtual Directory I've disabled the Anonymous login and enabled Integrated Windows Authentication. The server is on the local network. What I do is I access the test/ directory on the server using the browser. Here is the log:
**IE on Server**
- localhost - works
- 127.0.0.1 - works, asks for password, 8 second delay
- domain.com - fails, asks for password, after 3 seconds asks for a password again, the username field changes to: domain.com\username
- 172.28.28.100 - works, asks for password, 8 second delay

**Firefox on Server**
- same as above
- domain.com - the 'Remember the password' tooltip displays for a fraction of a second and then the browser asks for the password again

**IE on other LAN host**
- 172.28.28.100 - works, asks for password, 8 sec delay
- domain.com - works, asks for password, 8 sec delay

**Firefox on other LAN host**
- same as above, no delay
I'm obviously doing something wrong, but I don't know what it is. I've read about SPNs, but when I use setspn -L localhost, there are no SPNs displayed (I guess it's because the server is not a DC). Why can't I log in on the server using Windows Integrated Authentication on domain.com?
Completely misread the question, so here's try 2.
Assuming:
When you type "domain.com", IE's going to build a Service Principal Name of http/domain.com and ask a DC to give it a ticket for that.
If domain.com is something real, i.e. your AD domain name, that's not going to fly. At least, I assume not.
Try this for guidance on SPNs. Take the first piece of advice too, and use the 2008 version of SetSPN to do the SPN stuff.
In short, you take the App Pool account (if it's IIS 6, it's Network Service by default, so the computer account 'webserver$') and register an SPN against it:
```
SETSPN -S http/example.com DOMAIN\WebServer$
```
In theory, at this point, it all works.
I assume Firefox doesn't do Kerb auth against the server, and that IE takes longer to fail because it's trying to.
Several issues to address with this question:
You cannot authenticate with `domain.com\username` or `domain\username` if there is not an Active Directory or NT domain called domain.com to authenticate to.

You may have to specifically force the use of a local account by using `*IIS Computer Name*\username` as your logon ID to successfully authenticate against a local account on the IIS server.

You probably will want to set your site NTAuthenticationProviders to disable the Negotiate authentication process and force IIS to use NTLM:

```
cscript adsutil.vbs set w3svc/__YourWebSite__/root/NTAuthenticationProviders "NTLM"
```
Your simplest, fastest method is going to be using "Basic Auth", but there are security issues with that if you aren't protecting your logon traffic with SSL.
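Both answers turn on the same question: when the browser sends its `Authorization: Negotiate <base64>` header, is the token a Kerberos attempt (which needs the SPN from the first answer) or NTLM (which the adsutil change forces)? The example below is added here and is not code from the question or either answer; it decodes the start of such a token, taken from a packet capture or IIS failed-request trace, and reports which mechanism the client preferred. The function and constant names are mine, the OIDs are the standard ones, and the sample tokens are constructed by hand rather than captured.

```python
import base64
# OIDs that appear in the Negotiate (SPNEGO) tokens IE and Firefox send to IIS.
OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MSKRB5 = "1.2.840.48018.1.2.2"      # Microsoft's legacy Kerberos OID
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
NTLMSSP_SIG = b"NTLMSSP\x00"             # a raw NTLM token starts with this

def _tlv(buf, pos=0):                    # one DER TLV -> (tag, value, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def classify_token(token_b64):
    """Name the mechanism carried by an 'Authorization: Negotiate <b64>' value."""
    raw = base64.b64decode(token_b64)
    if raw[:1] != b"\x60":               # not a GSS-API InitialContextToken
        return "raw NTLM" if raw.startswith(NTLMSSP_SIG) else "unknown"
    _, body, _ = _tlv(raw)
    tag, oid, pos = _tlv(body)
    mech = _decode_oid(oid) if tag == 0x06 else ""
    if mech != OID_SPNEGO:
        return "raw Kerberos" if mech in (OID_KRB5, OID_MSKRB5) else "unknown"
    # NegTokenInit ::= [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... }
    tag, neg_init, _ = _tlv(body, pos)
    if tag != 0xA0:                      # [1] would be a NegTokenResp
        return "SPNEGO, not an initial token"
    tag, mech_types, _ = _tlv(_tlv(neg_init)[1])
    preferred = _decode_oid(_tlv(_tlv(mech_types)[1])[1]) if tag == 0xA0 else ""
    if preferred in (OID_KRB5, OID_MSKRB5):
        return "SPNEGO, Kerberos preferred"
    return "SPNEGO, NTLM preferred" if preferred == OID_NTLMSSP else "SPNEGO, other"

# Constructed samples (not a real capture): Kerberos-first SPNEGO, NTLM-only SPNEGO, raw NTLM.
SPNEGO_KERB_FIRST = base64.b64encode(bytes.fromhex(
    "60270606 2b060105 0502a01d 301ba019 30170609 2a864886 f7120102 02060a2b"
    "06010401 82370202 0a")).decode()
SPNEGO_NTLM_ONLY = base64.b64encode(bytes.fromhex(
    "601c0606 2b060105 0502a012 3010a00e 300c060a 2b060104 01823702 020a")).decode()
RAW_NTLM_TYPE1 = base64.b64encode(NTLMSSP_SIG + b"\x01\x00\x00\x00" + bytes(28)).decode()
```

A client that reports "Kerberos preferred" against a host with no matching SPN is the slow-then-fail pattern in the question; after the NTAuthenticationProviders change the tokens should come back as "raw NTLM".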