This is a reminder to myself.
I work in an NT environment with multiple domains (e.g. domainA, domainB, and domainC) where one domain ("domainC") trusts the other two domains.
I keep my IIS7 website in domainC and want users in any of the domains to be able to access it using their domain's credentials.
I make sure to disable anonymous access on my website and enable integrated windows authentication so that users will come into the website using their current credentials.
The roadblock I experience each time is that I'll set up the website and test it using an account in domainC and all will be well. During final testing I go over to domainB or domainA, log in, and try to get into the website and run into a "401" error.
I always do this: I'll go back to the website and try and reset permissions to the website's directory to allow "domainA\Everyone" and "domainB\Everyone" to have access, but for some reason I won't be able to. I'll remark again that this works in my personal devlab but not in the client's environment. I'll remember hearing that there's some sort of firewall blockage on LDAP calls between domains in this environment.
I'll try to create a domain local group in domainC and add the domainA\Everyone and domainB\Everyone groups into a local group I can give website rights to, but that won't work either.
I'll get frustrated here and start Googling and 4-5 hours will disappear as I learn how little I really know about security (and pursue several blind-alley solutions proposed by some other clueless bloggers).
I'll then spend another hour dicking around with every setting conceivable on my website, and then create a small sample "WhoAmI" website that just returns the current user's credentials. Setting security on this test website, I'll turn off anonymous access, turn on nt authentication, and then give the local group WEBSERVERNAME\Users all rights to the website and discover that I can now access it from all the trusted domains.
The lesson here is to start by giving the WEBSERVERNAME\Users local group basic rights to the website just to get started.
This has cost me several hours to recreate twice -- Note to self: don't do this again.
Saturday, October 13, 2012
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment