- Apr 26, 2006
- 504
- 0
- 76
Example Scenario:
MS SharePoint (web portal software) is installed in PC1
SharePoint doesn't really use IIS at all, except to host the Intro Page for people to Login.
IIS has its own Windows intergated Security check (point 1)
SharePoint uses its own windows integrated Security check (point 2), apart from the one from IIS.
So when users logs in, basically IIS takes authenticate user, then relays security credential to SharePoint
SharePoint receives and authenticate user, then continues and shows its content if authentication is accepted.
Now all the above is how everything it is SUPPOSED to work in the Perfect world.
but here's the dilema...
If IIS Security is configured to use NT Domain Groups/Users then it all works well
If IIS Security is configured to use LOCAL machine Groups, with users from NT Domain Users, then it works erratically.
now supposely if Kerberos authentication is configured properly, the Local machine Group scenario should work right? or does not apply here?
Here is what i think.
Technically speaking it's "illegal" per say to use Local machine groups to circumvent NT Domain groups, by adding NT Domain users into Local machine groups.
and the software pretty much proves my point.
But there are people arguing that Local machine groups should work in the scenario above, by adding NT Domain users into Local Groups.
Why it is wrong me think
When user connects to IIS of this machine it authenticates to the "entity" listed in the ACL
So when using NT Domain Group / Users scenario:
1.Users comes in via IIS
2.machine check againts itself
3.if user is local, authenticate
4.if user is domain, pass to immediate domain or sub domain DC*
5.if authenticate, access allowed
6.if not authenticated, access denied
*DC: if the user is not in the next DC, it will kill asking up the DC chaing until it finds it in the right level of the domain, else, user does not exist.
So now when using the LOCAL machine Group + added NT Domain Users scenario:
1.Users comes in via IIS
2.machine check againts itself
3.machine finds user listed locally
4.machine tries to authenticate user
5.but user does not actually exist Locally*
6.unable to authenticate, access denied
7.able to authenticate, access granted
*and here is the dilema, depending how well this LOCAL machine is configured, it should have been able to authenticate de NT Domain User in its LOCAL group, by asking the higher level DC controller,
but there is a flaw, it will only Ask the DC controller if the user is in the same level of the domain,
say IIS server was joined to PC1.apple.microsoft.com and DCs are:
apple.microsoft.com
orange.microsoft.com
banana.microsoft.com
it will most of the time authenticate users from Apple domain, but not from orange+banana domains
in a multi domain enviroment, the other NT Domain users, does not get authenticated properly.
Well anyways, what do you guys think, it's a Security Flaw in the Microsoft Domain authentication method, or it's a BUG in the Local Machine authentication method?
Any constructive suggestions and comments?
MS SharePoint (web portal software) is installed in PC1
SharePoint doesn't really use IIS at all, except to host the Intro Page for people to Login.
IIS has its own Windows intergated Security check (point 1)
SharePoint uses its own windows integrated Security check (point 2), apart from the one from IIS.
So when users logs in, basically IIS takes authenticate user, then relays security credential to SharePoint
SharePoint receives and authenticate user, then continues and shows its content if authentication is accepted.
Now all the above is how everything it is SUPPOSED to work in the Perfect world.
but here's the dilema...
If IIS Security is configured to use NT Domain Groups/Users then it all works well
If IIS Security is configured to use LOCAL machine Groups, with users from NT Domain Users, then it works erratically.
now supposely if Kerberos authentication is configured properly, the Local machine Group scenario should work right? or does not apply here?
Here is what i think.
Technically speaking it's "illegal" per say to use Local machine groups to circumvent NT Domain groups, by adding NT Domain users into Local machine groups.
and the software pretty much proves my point.
But there are people arguing that Local machine groups should work in the scenario above, by adding NT Domain users into Local Groups.
Why it is wrong me think
When user connects to IIS of this machine it authenticates to the "entity" listed in the ACL
So when using NT Domain Group / Users scenario:
1.Users comes in via IIS
2.machine check againts itself
3.if user is local, authenticate
4.if user is domain, pass to immediate domain or sub domain DC*
5.if authenticate, access allowed
6.if not authenticated, access denied
*DC: if the user is not in the next DC, it will kill asking up the DC chaing until it finds it in the right level of the domain, else, user does not exist.
So now when using the LOCAL machine Group + added NT Domain Users scenario:
1.Users comes in via IIS
2.machine check againts itself
3.machine finds user listed locally
4.machine tries to authenticate user
5.but user does not actually exist Locally*
6.unable to authenticate, access denied
7.able to authenticate, access granted
*and here is the dilema, depending how well this LOCAL machine is configured, it should have been able to authenticate de NT Domain User in its LOCAL group, by asking the higher level DC controller,
but there is a flaw, it will only Ask the DC controller if the user is in the same level of the domain,
say IIS server was joined to PC1.apple.microsoft.com and DCs are:
apple.microsoft.com
orange.microsoft.com
banana.microsoft.com
it will most of the time authenticate users from Apple domain, but not from orange+banana domains
in a multi domain enviroment, the other NT Domain users, does not get authenticated properly.
Well anyways, what do you guys think, it's a Security Flaw in the Microsoft Domain authentication method, or it's a BUG in the Local Machine authentication method?
Any constructive suggestions and comments?
Facebook
Twitter