VPN & Windows authentication

SpaceMarine

Hello,

I am working on some intranet apps for my organization. Many of our
users are internal on domain desktops. However, some will be working
in the cloud but VPN'ing into our network, where they can access
internal web apps like mine. The VPN login info typed in by users
matches their AD login.

I have never coded for this before. How can authentication work in
this setup? Can my web app still use Windows authentication & pick up
those VPN users, or must it use a forms-based (AD) membership
provider?


thanks!
sm
 
Joe Kaplan

You can enable Basic authentication and the users can still log in with
their plaintext credentials. For VPN users, you can probably also enable
integrated authentication and they should still be able to authenticate via
NTLM although they will likely need to provide credentials if their client
is not domain-joined and logged in as their domain identity.

Joe K.
 
SpaceMarine

> You can enable Basic authentication and the users can still log in with
> their plaintext credentials. For VPN users, you can probably also enable
> integrated authentication and they should still be able to authenticate via
> NTLM although they will likely need to provide credentials if their client
> is not domain-joined and logged in as their domain identity.

So are you saying that one uses forms-based authentication in this
scenario (remote users on a VPN client connection to become part of
the org's network)? We are using Cisco VPN if it makes a difference.


sm
 
SpaceMarine

> I have never coded for this before. How can authentication work in
> this setup? Can my web app still use Windows authentication & pick up
> those VPN users, or must it use a forms-based (AD) membership
> provider?

OK, after messing around some more I have it. Using VPN is no problem
at all, and my web apps can continue to use Windows authentication
from the web.config. The server OS simply asks the browser to pop up
the login box (dunno what you call that box... NTLM? SAMS? not sure).
After the user enters his credentials, the app sees him as his Windows
user.

cool!


thanks,
sm
 
SpaceMarine

> OK, after messing around some more I have it. Using VPN is no problem
> at all, and my web apps can continue to use Windows authentication
> from the web.config. The server OS simply asks the browser to pop up
> the login box (dunno what you call that box... NTLM? SAMS? not sure).
> After the user enters his credentials, the app sees him as his Windows
> user.

Actually, I lied -- the Windows authentication works 100% properly for
VPN'ed users; my app knows who they are and can read their AD groups.
But -- it FAILS for domain users sitting inside the network at their
desktops. Whaaaa!???

How can this be? IE tosses up the same login box for both... but for
regular users it cannot authenticate their credentials. The error is:

HTTP Error 401.1 - Unauthorized: Access is denied due to invalid
credentials.
Internet Information Services (IIS)

...any ideas?


thanks
sm
 
Joe Kaplan

I'd suggest enabling auditing of logon events for success and failure and
find out what is going on with the login itself from the details provided in
the security event log.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
 
SpaceMarine

> I'd suggest enabling auditing of logon events for success and failure and
> find out what is going on with the login itself from the details provided in
> the security event log.

(I'm an application guy, not so much an admin guy, so go w/ me here)

So the web server machine can store its authentication-attempt
details in its security event log? But I have to enable auditing for
these first?


thanks
sm
 
Joe Kaplan

Yes. Windows can audit all sorts of things if you turn on these features.
Logons are one thing you can enable. See Start | Run | secpol.msc to enable
these options. Then, look in the security event log to see what is
happening.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
 
SpaceMarine

> Yes. Windows can audit all sorts of things if you turn on these features.
> Logons are one thing you can enable. See Start | Run | secpol.msc to enable
> these options. Then, look in the security event log to see what is
> happening.

Thanks for the tip.

As for details, it seems to only say bad username/password. I've asked
my admins to review a good one (via VPN) and a bad one.


sm
 
Joe Kaplan

These audits typically have some additional details such as the user name
that failed to authenticate or some extended error code as well. Perhaps
your admins can help you get this sorted out.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
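The check Joe is describing, as an added example (not code from the thread). Once logon auditing is on, every attempt against the IIS box lands in the Security log as event 4624 (success) or 4625 (failure) on Vista/Server 2008 and later; Windows Server 2003 uses different event IDs and a different message layout, and this example assumes the newer one. The "extended error code" is the Status/Sub Status pair in a 4625, and the Authentication Package field says whether the attempt arrived over Kerberos or NTLM, which is the column to compare between a good VPN logon and a failing desktop one. The parser, the Sub Status table and the two event messages below are constructed for this example.

```python
"""Triage 4624/4625 logon events from an IIS server's Security log.
Added example, not code from the thread; it assumes the Vista/2008+
message layout, and the two event messages below are constructed."""
import re
from collections import Counter

# NTSTATUS values that appear in the "Sub Status" field of event 4625.
SUB_STATUS = {
    "0xC000006A": "wrong password",
    "0xC0000064": "user name does not exist",
    "0xC000006D": "bad user name or authentication information",
    "0xC0000071": "password expired",
    "0xC0000072": "account disabled",
    "0xC000015B": "logon type not granted on this host",
    "0xC0000234": "account locked out",
    "0xC000005E": "no logon servers available",
}

# "Key:   value" lines; an unindented "Section:" line opens a section.
FIELD_RE = re.compile(r"^(\s*)([^:]+):\s*(.*?)\s*$")


def parse_event(message: str) -> dict:
    """Flatten an event message into {"Section/Field": value}."""
    fields, section = {}, ""
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        indent, key, value = m.group(1), m.group(2).strip(), m.group(3)
        if not indent:                       # top-level line
            section = key if value == "" else ""
            if value == "":                  # e.g. "Failure Information:"
                continue
        fields[f"{section}/{key}"] = value
    return fields


def summarize(event_id: int, message: str) -> dict:
    """Who, from where, over which package, and (for 4625) why it failed."""
    f = parse_event(message)
    base = {
        "event_id": event_id,
        "package": f.get("Detailed Authentication Information/Authentication Package", "?"),
        "logon_type": f.get("/Logon Type", "?"),
        "source": f.get("Network Information/Source Network Address", "?"),
    }
    if event_id == 4624:
        return {**base, "outcome": "success",
                "user": f.get("New Logon/Account Name", "?")}
    if event_id == 4625:
        sub = f.get("Failure Information/Sub Status", "")
        return {**base, "outcome": "failure", "sub_status": sub,
                "user": f.get("Account For Which Logon Failed/Account Name", "?"),
                "reason": SUB_STATUS.get(sub, f"unmapped {sub or 'none'}")}
    return {**base, "outcome": "other", "user": "?"}


def triage(events) -> Counter:
    """Count (package, outcome) pairs. Every Kerberos attempt failing while
    NTLM succeeds points at Kerberos setup, not at the users' passwords."""
    return Counter((s["package"], s["outcome"])
                   for s in (summarize(eid, msg) for eid, msg in events))


# Constructed messages in the 4625 / 4624 layout (not real exports).
FAILED_NTLM = """An account failed to log on.
Logon Type:            3
Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       jdoe
    Account Domain:     CORP
Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:             0xC000006D
    Sub Status:         0xC000006A
Network Information:
    Source Network Address: 10.200.4.17
Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package: NTLM
"""

SUCCESS_KERBEROS = """An account was successfully logged on.
Logon Type:            3
New Logon:
    Security ID:        S-1-5-21-3623811015-3361044348-30300820-1105
    Account Name:       asmith
    Account Domain:     CORP
Network Information:
    Source Network Address: 10.10.3.44
Detailed Authentication Information:
    Logon Process:      Kerberos
    Authentication Package: Kerberos
"""

SAMPLE_EVENTS = [(4625, FAILED_NTLM), (4624, SUCCESS_KERBEROS)]

if __name__ == "__main__":
    for eid, msg in SAMPLE_EVENTS:
        print(summarize(eid, msg))
    print(triage(SAMPLE_EVENTS))
```

On the server itself, Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625} returns objects whose Message property is the text this parser expects, and auditpol /get /category:"Logon/Logoff" confirms the Logon subcategory is really being audited before you go looking for events that were never written.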
 
SpaceMarine

> These audits typically have some additional details such as the user name
> that failed to authenticate or some extended error code as well. Perhaps
> your admins can help you get this sorted out.

We did indeed. This was really wigging me out, especially since
authentication works in Firefox.

Turns out IE7 has a new, misnamed setting in Internet Options ->
Advanced -> Security -> "Enable Integrated Windows Authentication",
checked by default. This should really read, "Don't roll over from
Kerberos to NTLM protocol on failed auth attempt", because that's
exactly what it does -- if your server's Kerberos security protocol
isn't working, leaving this checked will cause the process to halt. If
you uncheck it, the browser will retry the auth attempt using NTLM.

More here:

http://blog.super-networking.net/systems/internet-explorer-enable-integrated-windows-authentication/

...so unchecking that box will force NTLM authentication. Meanwhile,
you can try to figure out why your Kerberos isn't working :)


sm
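A way to see which protocol each browser actually used, added here as an example (not code from the thread or from the linked post). A client sending "Authorization: Negotiate ..." is using SPNEGO (OID 1.3.6.1.5.5.2), which lists the mechanisms it offers in preference order and wraps either a Kerberos ticket or an NTLM message; a client sending "Authorization: NTLM ..." skips SPNEGO entirely, which is what IE does with "Enable Integrated Windows Authentication" unchecked. The script builds three constructed tokens of those shapes (the Kerberos AP-REQ body is a placeholder, not a real ticket) and classifies them the way you would classify a header pulled from a failed-request trace or a packet capture. A domain desktop that fails with 401.1 while an NTLM client succeeds is a Kerberos problem on the server side; the usual cause is an HTTP/<hostname> SPN that is missing, duplicated, or registered to a different account from the one the application pool runs as (setspn -L <account> and setspn -Q HTTP/<hostname> show what is registered). Unchecking the IE box forces NTLM, which has no mutual authentication and is the weaker of the two, so it is a way to diagnose, not a fix.

```python
"""Tell from an HTTP Authorization header whether a browser is doing
Kerberos or NTLM. Added example, not code from the thread; the tokens it
builds are minimal constructed messages, not captured traffic."""
import base64
import struct

# DER content octets of the mechanism OIDs (tag and length added by oid()).
OID_SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_MS_KRB5: "Kerberos", OID_KRB5: "Kerberos", OID_NTLMSSP: "NTLM"}


def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag/length (lengths up to 65535)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def oid(content: bytes) -> bytes:
    return der(0x06, content)


def spnego_init(mechs: list, mech_token: bytes) -> bytes:
    """GSS-API InitialContextToken carrying a SPNEGO NegTokenInit: mechTypes
    in preference order plus the optimistic mechToken for the first one."""
    neg_token_init = der(0x30,
                         der(0xA0, der(0x30, b"".join(oid(m) for m in mechs)))
                         + der(0xA2, der(0x04, mech_token)))
    return der(0x60, oid(OID_SPNEGO) + der(0xA0, neg_token_init))


def ntlm_negotiate() -> bytes:
    """Minimal NTLM NEGOTIATE_MESSAGE (type 1) with empty domain/workstation."""
    flags = 0xE2088297  # constructed flag set; the classifier ignores it
    return (b"NTLMSSP\x00" + struct.pack("<II", 1, flags)
            + struct.pack("<HHI", 0, 0, 0) * 2)


def kerberos_placeholder() -> bytes:
    """Shape of a Kerberos mech token (KRB5 OID, TOK_ID 01 00, then the
    AP-REQ); the AP-REQ body here is a placeholder, not a valid ticket."""
    return der(0x60, oid(OID_KRB5) + b"\x01\x00" + b"<AP-REQ omitted>")


def header(scheme: str, token: bytes) -> str:
    """Render a token the way it appears after 'Authorization: '."""
    return f"{scheme} {base64.b64encode(token).decode('ascii')}"


def classify(header_value: str) -> dict:
    """Classify the client's token: bare NTLM, or SPNEGO wrapping Kerberos/NTLM."""
    scheme, _, b64 = header_value.partition(" ")
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):               # bare NTLM scheme
        return {"scheme": scheme, "mechanism": "NTLM",
                "ntlm_message_type": struct.unpack_from("<I", raw, 8)[0]}
    if raw[:1] == b"\xA1":                             # NegTokenResp: a later leg
        return {"scheme": scheme,
                "mechanism": "NTLM" if b"NTLMSSP\x00" in raw else "continuation"}
    if raw[:1] != b"\x60" or oid(OID_SPNEGO) not in raw[:16]:
        return {"scheme": scheme, "mechanism": "unknown"}
    # mechTypes comes first and lists mechanisms in preference order, so the
    # earliest OID in the buffer is the one the optimistic mechToken is for.
    positions = {raw.find(oid(m)): m for m in MECH_NAMES if oid(m) in raw}
    preferred = MECH_NAMES[positions[min(positions)]] if positions else "unknown"
    return {"scheme": scheme, "mechanism": preferred,
            "ntlm_inside": b"NTLMSSP\x00" in raw}


if __name__ == "__main__":
    # Domain-joined desktop: Negotiate offering Kerberos first.
    desktop = header("Negotiate", spnego_init(
        [OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], kerberos_placeholder()))
    # Client with no ticket (e.g. a VPN user not logged in as a domain identity).
    fallback = header("Negotiate", spnego_init([OID_NTLMSSP], ntlm_negotiate()))
    # IE with "Enable Integrated Windows Authentication" unchecked: bare NTLM.
    bare = header("NTLM", ntlm_negotiate())
    for h in (desktop, fallback, bare):
        print(classify(h))
```

Run it against real headers by pasting the value after "Authorization:" into classify(); the server's own WWW-Authenticate response (a NegTokenResp, 0xA1, carrying an NTLM CHALLENGE when the fallback happened) can be checked with the same function.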
 
