Help Required: Digest Authentication and Trusted environment

  • Question

  • User-2113392361 posted
    Scenario: There are 2 servers. server1.domain1.microsoft.com and server2.domain2.microsoft.com. There are 2 users. domain1\user1 and domain2\user2. I need to provide Digest Authentication at both the servers. Both the servers are Windows 2003 Server. Users have a valid Windows user account stored in Active Directory® on the domain controller.

    Problem: In server1.domain1.microsoft.com, only user1 is getting authenticated while in server2.domain2.microsoft.com, only user2 is getting authenticated. I am checking this by trying to access an html file in a virtual directory at both the servers. What should I do so that user2 also gets authenticated in server1.domain1.microsoft.com and similarly user1 also gets authenticated in server2.domain2.microsoft.com? What settings need to be enabled so that the above is possible? Also server1.domain1.microsoft.com allows both user1 and user2 to be added in its local group. But server2.domain2.microsoft.com allows only user2 to be added in its local group.

    My Knowledge: The requirements as identified by Digest Authentication are: The user and the server running IIS must be members of, or be trusted by, the same domain. An authenticating domain controller and the server that is running IIS must exist in a trusted environment. How should I create this trusting relationship between 2 domains?

    Regards, Anshuk Jain
    Sunday, June 20, 2004 1:47 PM

All replies

  • User989702501 posted
    Ask the AD group to set up a trust, and there is no need to use digest auth if it is not needed. Read the replies at iisfaq and newsgroups as well.
    Monday, June 21, 2004 5:40 AM
  • User1365816255 posted
    Hey~ Also, what type of digest are you using? There are two flavors of Digest in 2K3 - Digest and Advanced Digest. They are both present, but are dictated by the UseDigestSSP metabase property. On new installs, this is not present as IIS is set up to use Advanced Digest because it is part of Windows security and doesn't use IIS SubAuth. If this is an upgrade, then you have to ensure that IISSuba.dll is registered, the application pool is running as local system, and that users have the AD property set to store password in reversible encryption.

    Beyond that, I agree with Bernard that you should only use Digest if there is a particular reason. It is much more difficult to set up than using Basic with SSL. Use Certificate Services to create your own self-signed certs and you are in business...

    HTH,
    ~Chris (MSFT) Web Platform Supportability Lead
    Tuesday, June 22, 2004 9:57 PM