IIS4 Intra/Intranet Authentication Probs

By JennL
We went the route of assigning specific IP addresses to each site on the IIS 4 server (right now there are 3 sites with multiple virtual directories & sites under them) to try and get authentication to work. Still having a problem linking between the sites:

mycompany.net hyperlinks to:
1. mycompany.net/remote
2. ourintranet

I get the password prompt and can access all the remote files I should be able to (even tested different authorities). However, when I try the link to "ourintranet" I get a page not found error. I've even changed the hyperlink to "ourintranet.mycompany.com/default.htm" (browsing to the page to make sure it wasn't a simple typo fix).

The intranet is running on the same server as the net but using a different ip address. Ourintranet access is denied except for 2 internal subnets and the mycompany.net domain with anonymous access allowed. We have an internal firewall which is pointing to the ip address for mycompany.net. My understanding is the firewall passes its domain information with the request - so it "should" work (I'm beginning to hate that word more than "if"). Everyone within the subnets can access the intranet internally. I also tried adding the firewall IP address to the "access is denied except" list.

The intranet was designed in FrontPage 2000 and I even added the IIS user groups with browse access for the site through it (when I look at the intranet folder permissions I can now see the 2 groups with read access).

Other details: IIS 4 w/ SP6a. Tested on Internet Explorer 4.01 SP2, 5.0 & 5.5 (40 & 128 bit encryption). We do not want to go to clear text passwords. When I took off CHAP authentication on the Intranet I was able to get to it for editing via FrontPage.

Any suggestions?


by dheupel In reply to IIS4 Intra/Intranet Authe ...

Set your authentication to NT Challenge/Response only, and check your DNS tables.


by JennL In reply to IIS4 Intra/Intranet Authe ...

If we go with NT Challenge/Response only on the intranet then our internal employees would need a login & password (not acceptable per supervisor). We want to open the intranet to remote employees and were hoping to have them log into an internet and pass them through to the intranet because they were able to authenticate.

The DNS tables have all internal IPs in it and our ISP has the external ones.


by dheupel In reply to IIS4 Intra/Intranet Authe ...

OK, now I think I see what you're after.

Since you have multiple NICs in the IIS4 server (you do, right?), and the intranet is bound to one of them, this (in theory) should work.

Subnet or firewall the intranet IP address so that it is accessible from only internal network IPs. In other words, isolate the NIC/IP address the intranet is bound to from the outside world. (I'm sure you have already done this.) Then, on the intranet web security properties, use "allow anonymous access". This should allow all your employees access to the intranet.

Then, on the Internet site, use the NT Challenge/Response authentication, and users will be required to enter a username/password to gain access to it. However, you could link to the Intranet from the Internet, and users would have access, as long as they knew the password to get into the Internet site to find the link.


by JennL In reply to IIS4 Intra/Intranet Authe ...

I set up multiple IPs for 1 NIC (they are bound to the 1 NIC). I followed the other steps that you outlined but am getting a "page cannot be displayed" error clicking on the intranet link once logged into the internet page. The intranet page is there, I even browsed to it in order to create the link. All internal employees can see this same page.

Could it be that I can't set this up without 2 NICs?

BTW - I hate rating this as unacceptable since you are right there. Please don't take it personal!


by dheupel In reply to IIS4 Intra/Intranet Authe ...

Don't worry, not taking it personal, I have become used to rejection (hehe).

Anyway, on a more serious note - yes, that is the problem exactly. Bind only one IP address per NIC. What is happening is that the server is getting confused because it is trying to pass the traffic to the other IP, but since the address is bound to the same NIC it gets bogged down in a "should I stay, or should I go" quagmire - for lack of a better explanation. I think adding a second NIC to the server will solve your problem, and keep my earlier suggestions in mind as you get that set up.

Good luck.


by JennL In reply to IIS4 Intra/Intranet Authe ...

I put the second nic in yesterday afternoon, bound separate IPs to the cards. I still am getting the same "page cannot be displayed" error clicking on the intranet link once logged into the internet page.
The intranet is set up with access denied except for the 2 subnet masks and the internet login domain - I added the IP address of the second nic and still get the same error.
Can anyone explain how this routing works (what the firewall passes to the internet, what the internet recognizes incoming traffic as & how it passes it on to the intranet after logging in?)


by zozuk In reply to IIS4 Intra/Intranet Authe ...

Yes, you do need 2 NICs: 1 for the internet, 1 for the internal network. The single NIC is working double time and probably timing out, trying to receive packets and send the packets out a different IP on the same card. 2 NICs would receive the packet on 1 and send to the other NIC. The second NIC would allow users to connect like a regular network (because it is) using DHCP or what you already use to connect. Now your web site link (button) is a reference to your other NIC's IP. This folder is a virtual folder on your site that is mapped to c: and the IIS permissions set to only MSCHAP, not allowing the Internet Guest account access to the c drive. You may have to play with the permissions a little in IIS to get users perfect access to the folders on the c drive (?) they already have. We do it and it works fine after a little playing with perms.
hope this helps
llp


by JennL In reply to IIS4 Intra/Intranet Authe ...

I set up the 2nd nic (see rating for david_heupel@dcf.state.fl.us
Date: 11/07/00 04:10 PM EST) and am still getting errors.
We do not have the users log into the intranet, am using anonymous access. This is DHCP and the folders are on the d: drive with FrontPage giving read only access (can see as such in file permissions on folders).
The internet is set up as MSCHAP only with user accounts giving access to some sales files on the d: drive and a link to the intranet. I did verify permissions for these user accounts on the d: drive - they are also set to read.
I think the routing is a little fuzzy and once I understand that I can figure this out. From previous rating:
Can anyone explain how this routing works (what the firewall passes to the internet, what the internet recognizes incoming traffic as & how it passes it on to the intranet after logging in?)
