tags:

views:

1111

answers:

3
+3  Q: 

IIS Anonymous user authentication doesn't work with AD credentials

I have an asp.net application directory, and I want to use anonymous authentication in the Directory Sercurity tab.

If I use the pre-Windows 2000 style DOMAIN\USERNAME for the username, everything is fine.

If I use the AD-style (UPN) [email protected], then I get a 401.1 failed login.

I've tried a number of variations, but can't get it to work. If I select the user from the Browse box, the AD name comes up in the box, but the pre-Windows 2000 name is filled-in. Likewise for SQL Server 2005.

It seems that the UPN isn't 'real', is this right? Given that it's not required and doesn't have to be unique; it seems very odd.

Am I correct, in that this is not supported? Would IIS 7 make any difference?

I wish to do this, because the limit of 20 characters for the pre-Windows 2000 username is insufficient for the role-based security I wish to apply for different webservices (the application directories) coming off this website.

A: 

Update 1: I have tried it on Windows 2003 sp 2. In the login "directory security" I have checked the enable anonymous access check box ( and only this box ) and put [email protected] and the ausername password. The site is plain asp.net without sql backend.

Are you able to login to the server with the [email protected] ? Can you test this on different domain? It may be some wired dns resolution problem.

Update 0:

I tested it on iis 6 and the [email protected] combination works fine on my machine.

About the "realnes" of the names. No name is "real" the actual account is just a GUID. The names are just for convenience.

Igal Serban  2008-12-08 22:38:46
Where have you tried it? I've tried it on several machines in different contexts. I can use it to run programs, but it will not create a login in SQL Server, or run a website. SQL Server specifically says it's the wrong format.
 2008-12-11 15:53:23
A: 

Are you sure it's domain.local and not domain.com. If the domain\username is working, then [email protected] should work.

jwmiller5  2008-12-09 14:01:23
It is domain.local. It's an internal AD domain.
 2008-12-11 15:52:11
+1  A: 

UPN suffixes should work, althouh there is a bug which occurs when there is a service pack difference between the IIS box and the domain controller. There is a patch for it. This link discusses the issue in detail.

Nick Kavadias  2008-12-23 05:07:27

related questions

How do I write Firefox add-on that automatically enters proxy passwords?
Login Integration in PHP
Strange Rails Authentication Issue
Concurrent logins in a web farm
Is there a browser equivalent to IE's ClearAuthenticationCache?
How can I authenticate using client credentials in WCF just once?
Why can't I connect to my CAS server with Perl's AuthCAS?
Best Solution For Authentication in Ruby on Rails
Authenticate on an ASP.Net Forms Authorization website from a console app
How do I use NTLM authentication with Active Directory
What have you used Windows CardSpace for, if anything
Forms Authentication across Applications
Retreiving the PC Name of a Client? (Windows Auth)
How would you implement FORM based authentication without a backing database?
What's the best way to authenticate over WCF?
Only accepting certain ajax requests from authenticated users
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
What to use for login ID?
ASP.NET authentication: user name Vs User ID
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Checklist for IIS 6/ASP.NET Windows Authentication?
The Definitive Guide To Website Authentication