Can Windows & Anonymous authentication run in IIS 7?

MisterBigglesworth

Expert Member
Joined
Aug 15, 2006
Messages
3,330
Hi guys,

Have an interesting dilemma here. Our Intranet runs Windows Authentication for our users in our office. We have another branch that we want to give access to, but they can't get in as it asks for a username and password, as they are not on the same domain etc.

So I enabled Anonymous authentication with Windows Authentication, and now they can get in. So our users can get in to the Intranet as well as users from the external office & domain.

Problem is I can't use both authentications because some of my ASP code that makes use of Windows Authentication has stopped working (I check who the user is on their PC, and I get their email address & other data as needed off Active Directory).

So now I can't read our users' details from Active Directory because even though both anonymous and Windows authentication are running... it's somehow broken the ability to read this data.

Any ideas on how to fix this and get both authentications working together? The email and displayName at the bottom of the code used to return values (when it was only Windows authentication); now nothing is returned, no error... just empty values?? Here is a sample of the code I use:

Code:
vAuth_User = Request.ServerVariables("AUTH_USER")
vAuth_User = Replace(vAuth_User, "DOMAIN_NAME.CO.ZA\", "")

vAttribute1 = "mail"
vAttribute2 = "displayName"
vAttributes = vAttribute1 & "," & vAttribute2

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

'** RH ** account username and password to log in with to check credentials
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Properties("User ID") = "DOMAIN_NAME.CO.ZA\Administrator"
objConnection.Properties("Password") = "12345"
objConnection.Open "Active Directory Provider"

'** RH ** search for all user objects
strBase = "<LDAP://" & strDNSDomain & ">"
strFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & vAuth_User & "))"
strAttributes = vAttributes
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

Set objRecordSet = objConnection.Execute(strQuery)
If objRecordSet.EOF = False Then
    vLDAP_EMail = objRecordSet.Fields(vAttribute1)
    vLDAP_Display_Name = objRecordSet.Fields(vAttribute2)
End If
 

guest2013-1

guest
Joined
Aug 22, 2003
Messages
19,800
From your code you're looking at a specific user under a specific domain. Usually the anonymous account is a local account (not a domain user) so what you could try doing is check if the connection comes in from an authenticated domain user or the anonymous account and handle that accordingly.
 

guest2013-1

guest
Joined
Aug 22, 2003
Messages
19,800
Seems that you can't run anonymous access http://support.microsoft.com/kb/188717/EN-US/

By design the variable will be blank if anonymous is allowed. You would need Basic/Integrated Security switched on. The users at the branch would then need to login with details you supply them. This can be:

yourdomain.co.za\Branch1
password

Or you would need to add all users from the branch to the domain (why it's separate in the first place only you guys would know :D)
 
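An added example (not code from the thread) showing the approach from the two replies above: treat an empty LOGON_USER as an anonymous visitor and only do the Active Directory lookup for a Windows-authenticated domain user. It assumes classic ASP on IIS 7 and the domain name from the original post; the service account name and the Application() password slot are placeholders.

```vbscript
<%
' Added example (not from the thread): branch on whether IIS authenticated
' the caller via Windows Authentication or served the request anonymously,
' and only query Active Directory for an authenticated domain user.
' Assumed: classic ASP on IIS 7; the domain name comes from the original
' post; the service account and Application() secret are placeholders.
' Escape a value before embedding it in an LDAP filter (RFC 4515)
Function EscapeLdapFilterValue(s)
    Dim r
    r = Replace(s, "\", "\5c")
    r = Replace(r, "*", "\2a")
    r = Replace(r, "(", "\28")
    r = Replace(r, ")", "\29")
    EscapeLdapFilterValue = r
End Function
' Drop the "DOMAIN\" prefix IIS puts in front of the logon name
Function StripDomain(logonUser)
    Dim p
    p = InStr(logonUser, "\")
    If p > 0 Then StripDomain = Mid(logonUser, p + 1) Else StripDomain = logonUser
End Function
Dim vLogonUser, vLDAP_EMail, vLDAP_Display_Name
' Empty when Anonymous handled the request (see the KB article above)
vLogonUser = Request.ServerVariables("LOGON_USER")
If Len(vLogonUser) > 0 Then
    Dim objRootDSE, objConnection, objRecordSet, strQuery
    Set objRootDSE = GetObject("LDAP://RootDSE")
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADsDSOObject"
    ' Read-only service account (placeholder); password set in global.asa,
    ' not in the page source
    objConnection.Properties("User ID") = "DOMAIN_NAME.CO.ZA\svc_intranet_ro"
    objConnection.Properties("Password") = Application("LdapReadPassword")
    objConnection.Open "Active Directory Provider"
    strQuery = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & ">;" & _
        "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & _
        EscapeLdapFilterValue(StripDomain(vLogonUser)) & "));mail,displayName;subtree"
    Set objRecordSet = objConnection.Execute(strQuery)
    If Not objRecordSet.EOF Then
        vLDAP_EMail = objRecordSet.Fields("mail").Value
        vLDAP_Display_Name = objRecordSet.Fields("displayName").Value
    End If
    objRecordSet.Close
    objConnection.Close
Else
    ' Anonymous (non-domain) visitor: no directory lookup, show a guest name
    vLDAP_EMail = ""
    vLDAP_Display_Name = "Guest"
End If
%>
```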

rorz0r

Executive Member
Joined
Feb 10, 2006
Messages
7,968
There's a tool you might find useful called authdiag. Just lets you run itself against your site and tell you exactly how it's logging in or why it's being rejected.
 

FarligOpptreden

Executive Member
Joined
Mar 5, 2007
Messages
5,396
Seems that you can't run anonymous access http://support.microsoft.com/kb/188717/EN-US/

By design the variable will be blank if anonymous is allowed. You would need Basic/Integrated Security switched on. The users at the branch would then need to login with details you supply them. This can be:

yourdomain.co.za\Branch1
password

Or you would need to add all users from the branch to the domain (why it's separate in the first place only you guys would know :D)

Agreed. That's why, with our solution, we have separate configuration files for anonymous and integrated authentication to cater for domain and external users.
 

MisterBigglesworth

Expert Member
Joined
Aug 15, 2006
Messages
3,330
From your code you're looking at a specific user under a specific domain. Usually the anonymous account is a local account (not a domain user) so what you could try doing is check if the connection comes in from an authenticated domain user or the anonymous account and handle that accordingly.

Ok, for now let's forget about the external users connecting to the Intranet. I tested it with myself on our Intranet. So I am on the company's domain etc... and all was working fine until I enabled anonymous authentication + Windows authentication. Then the code above stopped working. Having these 2 authentication methods running together seems to "break" the code above. If I take off anonymous access, it works fine again. That's where I'm having the problem. I kinda need both running and both working.

If a user goes to our Intranet (be it internal / external users), it must check the user coming in with Windows authentication. If the user does not exist with Windows authentication, it "defaults" the user to anonymous authentication and lets them in. That's how I thought it would work having anonymous + Windows authentication enabled.

How can this not work though... I mean, they designed IIS to run with both being enabled at the same time? Surely if this was not possible... you wouldn't be able to select both options?

Seems that you can't run anonymous access http://support.microsoft.com/kb/188717/EN-US/

By design the variable will be blank if anonymous is allowed. You would need Basic/Integrated Security switched on. The users at the branch would then need to login with details you supply them. This can be:

yourdomain.co.za\Branch1
password

Or you would need to add all users from the branch to the domain (why it's separate in the first place only you guys would know :D)

Ok, thanks for the info. Hmmm... have an idea, will chat to our network admin. Domains are separate as the other branch is basically a company our company bought into. So they're still trading with their company name to keep existing clients, as the admin to change it is huge etc. So ja... that's why they're on a diff domain... but essentially it's the same company. ;)

There's a tool you might find useful called authdiag. Just lets you run itself against your site and tell you exactly how it's logging in or why it's being rejected.

Will check it out, thanks.

Agreed. That's why, with our solution, we have separate configuration files for anonymous and integrated authentication to cater for domain and external users.

We are running classic ASP unfort, will be upgrading to .NET in the future... but for now, need to get this working. ;)
 

MisterBigglesworth

Expert Member
Joined
Aug 15, 2006
Messages
3,330
LOL! Easy peasy :p

Got an idea... gonna set up some accounts on our domain for these external users. Then take off anonymous access and leave Windows authentication on as it was previously. When they then go to the Intranet, it will ask for a username and password. Hopefully if they enter the set-up username and password on our domain... it will let them in.

This should work... only catch is, will it be an acceptable solution for my boss :p
 