IIS 6 <domain>\<user> vs <user>@<domain>

Post by Tmlja3kgTG » Sat, 27 Sep 2008 18:30:06


When migrating a web application to a new hosting company, we have run into
problems with the user authentication against AD. All users are in the AD and
some users can log on with <domain>\<user>; others, on the other hand, get access
denied. The users that do get an access denied can log on to the system using
<user>@<domain>. We are using integrated Windows authentication to
authenticate the users. This is an extranet application and all the users are
logging on through the internet.

At the old server and hosting location everybody can log in with
<domain>\<user>.

Does anybody have any ideas? Basic authentication is out of the question,
even though this works!

Post by Ken Schaef » Sun, 28 Sep 2008 15:34:02

A couple of things:

In AD, verify what the user's sAMAccountName property is. This is what's needed
for Domain\User syntax. user@domain depends on what the UPN property is set
to. Neither is strictly related to the user's name. I realise that this
may be barking up the wrong tree, but we need to figure out why it's
breaking.

Next thing - NTLM doesn't work through a lot of forward proxies. If you use
SSL - then the proxy shouldn't try to reproxy the data. Does everything
start working if you use HTTPS instead of HTTP?

Lastly, can you post the offending IIS log file entries? In particular, we
need to see the HTTP status, substatus and Win32 values. Additionally,
enable "Logon failure auditing" on the server, and look in the server's
security event log for an event that details why the user's logon failed.

Cheers
Ken
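
An added example, not part of the original posts: one way to pull the HTTP status, substatus and Win32 values Ken asks for out of an IIS W3C extended log, grouped by the form of the logged user name where IIS recorded one. The field names are the standard W3C extended log fields; the sample log lines, user names and addresses are constructed.

```python
from collections import Counter

# Win32 error codes (sc-win32-status) that point at a failed or refused logon.
WIN32 = {"5": "ERROR_ACCESS_DENIED", "1326": "ERROR_LOGON_FAILURE",
         "1331": "ERROR_ACCOUNT_DISABLED", "1909": "ERROR_ACCOUNT_LOCKED_OUT"}

def name_form(username):
    """Classify cs-username: down-level (DOMAIN\\user), UPN (user@domain), bare or none."""
    if username in ("", "-"):          # "-" means no user name was logged
        return "none"
    if "\\" in username:
        return "domain\\user"
    return "user@domain" if "@" in username else "bare"

def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields: directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def auth_failures(lines):
    """Count 401 responses by (name form, status.substatus, Win32 meaning)."""
    counts = Counter()
    for rec in parse_w3c(lines):
        if rec.get("sc-status") != "401":
            continue
        code = rec.get("sc-win32-status", "-")
        counts[(name_form(rec.get("cs-username", "-")),
                "401." + rec.get("sc-substatus", "?"),
                WIN32.get(code, code))] += 1   # unknown codes are kept as numbers
    return counts

# Constructed sample log: names, addresses and times are made up.
SAMPLE = r"""#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2008-09-26 09:00:01 GET /app/default.aspx - 203.0.113.10 401 2 2148074254
2008-09-26 09:00:02 GET /app/default.aspx EXAMPLE\alice 203.0.113.10 401 1 1326
2008-09-26 09:00:09 GET /app/default.aspx alice@example.test 203.0.113.10 200 0 0
2008-09-26 09:01:30 GET /app/default.aspx EXAMPLE\bob 203.0.113.11 401 1 1909
""".splitlines()

if __name__ == "__main__":
    for (form, status, reason), n in sorted(auth_failures(SAMPLE).items()):
        print(f"{n:3d}  {form:12s} {status}  {reason}")
```

Rows that group under one name form with the same Win32 value can then be matched by time against the logon failure events in the server's security event log.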


Post by Tmlja3kgTG » Thu, 02 Oct 2008 16:20:00

Hi Ken,

Thanks for your reply. I verified that the sAMAccountName was correct;
nothing wrong there.

I did not try anything else, as the next day everything was working and I did
not touch anything. So either our server hosting company changed something or
this was a propagation issue.

Again, thanks for your help, Ken.

KR
Nicky