
Do not allow integrated Windows authentication *for one of the domains*

We have an ASP.NET web application which uses integrated Windows authentication. It is accessed by users from two domains, A and B. A is the primary domain and B is an older domain which is going away. The web application authenticates users using a group policy which only exists in domain A. Every user in domain B has an account in domain A. The application lives in domain A. There was no trust between the domains, so users from domain A would get silently authenticated and logged into the site. Users from domain B didn't get authenticated automatically and were prompted with the IE popup, to which they authenticated using their domain A credentials, and everything worked. Now somebody has set up a trust between the domains, and users from domain B get authenticated silently to IIS, and then their login fails (no group policy). So the question is: can I, either programmatically or in IIS configuration, make it so that users from domain B still get prompted even though there is trust between the domains? Is there a way to tell the server where IIS is running to ignore the trust relationship, maybe?
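One way to do the "programmatic" variant the question asks about, as an added example that is not code from the original post: an ASP.NET `IHttpModule` that runs after IIS has authenticated the request, reads the `DOMAIN\user` name of the Windows identity, and for users whose logon came from the retired domain discards the silent trust-based logon and re-challenges the browser. The domain name `DOMAINB` and the module class name are assumptions; the browser behaviour relied on is the one the question itself describes (once the automatic logon is rejected, IE shows its credential prompt, and the user can then enter domain A credentials). IIS's own Windows authentication module also appends Negotiate/NTLM challenge headers to a 401 response, so adding them here is belt-and-braces.

```csharp
// Added example (not from the original post): reject silent logons from the
// domain that is being decommissioned so the browser falls back to prompting.
using System;
using System.Security.Principal;
using System.Web;

public class RetiredDomainChallengeModule : IHttpModule
{
    // Assumed NetBIOS name of the domain being retired (domain B in the question).
    private const string RetiredDomain = "DOMAINB";

    public void Init(HttpApplication app)
    {
        // PostAuthenticateRequest fires after IIS/ASP.NET has set Context.User.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    public void Dispose() { }

    // Returns the domain part of a "DOMAIN\user" name, or null if there is none
    // (anonymous requests, UPN-style names, or a bare user name).
    public static string DomainOf(string identityName)
    {
        if (string.IsNullOrEmpty(identityName)) return null;
        int sep = identityName.IndexOf('\\');
        return sep > 0 ? identityName.Substring(0, sep) : null;
    }

    // True only for an authenticated identity whose logon domain is the retired one.
    public static bool IsFromRetiredDomain(IIdentity identity)
    {
        return identity != null
            && identity.IsAuthenticated
            && string.Equals(DomainOf(identity.Name), RetiredDomain,
                             StringComparison.OrdinalIgnoreCase);
    }

    private void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        var ctx = app.Context;
        if (ctx.User == null || !IsFromRetiredDomain(ctx.User.Identity)) return;

        // Throw the trust-based logon away and re-challenge. The browser has
        // already spent its automatic attempt on this request, so its next
        // step is to prompt the user, who can then supply domain A credentials.
        ctx.Response.Clear();
        ctx.Response.StatusCode = 401;
        ctx.Response.AppendHeader("WWW-Authenticate", "Negotiate");
        ctx.Response.AppendHeader("WWW-Authenticate", "NTLM");
        ctx.Response.SuppressContent = true;
        app.CompleteRequest();
    }
}
```

Register the module in `web.config` under `system.webServer/modules` (integrated pipeline) and keep anonymous authentication disabled, otherwise the re-challenge never reaches the browser. Note that this only works while domain B accounts remain distinguishable by their logon domain; once the accounts are migrated and the domain B names disappear, the module becomes a no-op and can be removed.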

Have you tried changing the local security policy?

'Deny access to this computer from the network' to include domain.b\domain users (don't forget to select groups in the search criteria).

Can you turn off "Enable integrated authentication" for users in domain B using a group policy setting? Can all IE browsers in domain B be changed so that the server in domain A is not part of the intranet zone?

== Update ==

I was hoping you would say yes to my first question. Since this will be for a short time, it shouldn't be an issue, right? ;-)

The second one is tricky.

Under Tools - Options - Security, you have to experiment with either adding this site to:

a) Restricted sites (although this would limit what the user can do in the website), or

b) Trusted sites (but under "Custom level", change logon to "Prompt for user name and password" instead of "Automatic logon only in Intranet zone").

== Update 2 ==

I am not sure if this will work. Ignoring the above, can the users be forced to change their password so that it is the same in both domains? Since you have the trust established, this should automatically log them on.
