asp.net - Integrated Windows Authentication -


Integrated Windows Authentication with IIS has some very strange problems, and I am not sure whether I can see a pattern or not.

We have a DNS CNAME record called Fred, and we have an IIS website which has Fred set as its host header. When I connect to this site, I get prompted with a credential challenge; I would expect my credentials to be passed. If I enter my credentials, I am given access.

Then I create a local hosts file entry named Betty, point it at the same IP address as Fred, and change the host header to Betty. There is no record for it anywhere; when I use Betty, I am automatically authenticated and everything is fine.

If I try to bypass the CNAME record by creating an entry in the local hosts file named Fred and changing the host header back to Fred, I still get an authentication challenge.

As I see it, there are two questions: how does the resolution of the CNAME record affect this, or is it a red herring? What is happening with this challenge? We have had similar symptoms, and our concern is that our authentication token is getting blocked somewhere. With authentication, can one follow the sequence, i.e. what packets are sent to the machines? Is there a way that I can detect it? (I'm thinking of Wireshark or something similar.) How can I validate the authentication token and check that it is valid?

The reason for the authentication box is simple: Internet Explorer sends your credentials automatically only when it thinks that the host is in the "Local intranet" zone (default configuration assumed). If a host outside "Local intranet" asks for NTLM credentials, an authentication box will appear, and you must authenticate manually.

If you want your credentials to be sent automatically, make sure that IE thinks the host is in "Local intranet". To see the currently active zone, check the zone information on the status bar.

IE takes more than one thing into account to determine whether the host is considered "Local intranet":

  1. Is it an IP address in the local subnet -> Yes
  2. Is it a simple host name (i.e. "no dots") -> Yes
  3. Is it contained in the "Local intranet" list under "Sites..." in IE Options -> Yes
  4. Is it in the proxy exclusion list in IE Options -> Yes
  5. Is it a UNC path -> Otherwise: No
  6. Occasionally, there is an old password in the personal password list for that host name (accessible through Control Panel -> User Accounts). If it is wrong, similar problems can occur.

My suspicion is that your host "Fred" does not meet conditions #2 - #4, but your test case "Betty" does.

How the name is resolved (CNAME record, A record, hosts file, other) does not matter, because the method of name resolution is opaque to the calling application. IE simply asks for the name "XYZ" and gets back an IP address.

Due to recent configuration changes, you may need to clear the local DNS cache, however. An occasional ipconfig /flushdns will help; alternatively, you can stop the DNS client service for some time.

The internal logic described above is applied to the host name, and the security settings change based on the result.
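
The question asks how to see what is actually sent during the challenge. As an added example (not part of the original question or answer), this Python sketch classifies WWW-Authenticate and Authorization header values copied from a capture such as Wireshark, so you can tell whether the client ever answered the 401 with credentials. The function names and the sample tokens are constructed for illustration.

```python
import base64
import struct

NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def classify(header_line):
    """Classify one WWW-Authenticate or Authorization header line."""
    _, _, value = header_line.partition(":")
    parts = value.split()
    if not parts:
        return "no auth data"
    scheme = parts[0]
    token = parts[1] if len(parts) > 1 else ""
    if scheme.lower() not in ("ntlm", "negotiate"):
        return f"other scheme: {scheme}"
    if not token:
        return f"{scheme} offered, no token"
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return f"{scheme} token is not valid base64"
    # NTLMSSP messages: 8-byte signature, then a little-endian uint32 type.
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return f"NTLM type {msg_type} ({NTLM_TYPES.get(msg_type, 'unknown')})"
    # GSS-API initial tokens begin with ASN.1 tag 0x60 (SPNEGO, usually Kerberos).
    if raw[:1] == b"\x60":
        return "GSS-API/SPNEGO initial token (typically Kerberos)"
    return f"{scheme} token of unknown format"

def client_sent_credentials(trace):
    """True if a client header carries an NTLM type 3 or a GSS-API token."""
    sent = [classify(h) for h in trace if h.lower().startswith("authorization:")]
    return any(r.startswith(("NTLM type 3", "GSS-API")) for r in sent)

def ntlm_stub(msg_type):
    # Constructed stub: valid signature and type field, zero-filled body.
    raw = b"NTLMSSP\x00" + struct.pack("<I", msg_type) + b"\x00" * 20
    return base64.b64encode(raw).decode()

# Constructed sample exchange, in capture order.
SAMPLE = [
    "WWW-Authenticate: Negotiate",
    "WWW-Authenticate: NTLM",
    f"Authorization: NTLM {ntlm_stub(1)}",
    f"WWW-Authenticate: NTLM {ntlm_stub(2)}",
    f"Authorization: NTLM {ntlm_stub(3)}",
]
```

A capture in which the server's offers are never followed by a type 3 or GSS-API token from the client matches the case where the browser withheld the credentials and showed the prompt instead.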

