How To:Windows Integrated Security and workgroups

[John Blair]

Hi,

I have setup my website to use windows integrated security in IIS (and
disabled anonymous access) also added <identity impersonate="true"/> in the
web.config file. Now whenever a PC on my intranet tries to visit the website
the network logon prompt for my server appears (as expected). The problem is
that the user is prompted to enter a domain - but my lan PCs are all part of
a workgroup NOT a domain - how can i get the login to ask for workgroup
instead of domain - or not ask for a domain at all? Thanks a lot!

[Joe Kaplan \(MVP - ADSI\)]

They will either need a local account on your web server or an account in a
domain that your web server trusts. Your web server will not trust their
local machine accounts, so you won't be able to use them.

If you don't have a domain available and accounts for your users in the
domain, I'm not sure using integrated authentication will work out so great.
Essentially the users will have a local account they log in to their
workstation with and a domain account or account on the web server that may
have a different name and password. That becomes a lot of extra stuff to
look after, especially if you have a lot of users.

Joe K.

"John Blair" <john_blair@hotmail.com> wrote in message
news:RHYVd.585$A01.390@newsfe5-gui.ntli.net...

> Hi,
>
> I have setup my website to use windows integrated security in IIS (and
> disabled anonymous access) also added <identity impersonate="true"/> in
> the web.config file. Now whenever a PC on my intranet tries to visit the
> website the network logon prompt for my server appears (as expected). The
> problem is that the user is prompted to enter a domain - but my lan PCs
> are all part of a workgroup NOT a domain - how can i get the login to ask
> for workgroup instead of domain - or not ask for a domain at all? Thanks
> a lot!
>
>

[John Blair]

Thanks for the reply.

Yes my users have a local PC account and i have created one for them on the
web server - the trouble is when prompted for login on the webserver they
are asked for the domain - BUT i dont have a domain - only a workgroup - so
i dont know why i get prompted for a domain as i have no way of satisfying
that part of the user credentials! Thanks anyway.

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:O$d%23zqMIFHA.904@tk2msftngp13.phx.gbl...

> They will either need a local account on your web server or an account in
> a domain that your web server trusts. Your web server will not trust
> their local machine accounts, so you won't be able to use them.
>
> If you don't have a domain available and accounts for your users in the
> domain, I'm not sure using integrated authentication will work out so
> great. Essentially the users will have a local account they log in to
> their workstation with and a domain account or account on the web server
> that may have a different name and password. That becomes a lot of extra
> stuff to look after, especially if you have a lot of users.
>
> Joe K.
>
> "John Blair" <john_blair@hotmail.com> wrote in message
> news:RHYVd.585$A01.390@newsfe5-gui.ntli.net...

>> Hi,
>>
>> I have setup my website to use windows integrated security in IIS (and
>> disabled anonymous access) also added <identity impersonate="true"/> in
>> the web.config file. Now whenever a PC on my intranet tries to visit the
>> website the network logon prompt for my server appears (as expected). The
>> problem is that the user is prompted to enter a domain - but my lan PCs
>> are all part of a workgroup NOT a domain - how can i get the login to ask
>> for workgroup instead of domain - or not ask for a domain at all? Thanks
>> a lot!
>>
>>

>
>

[Joe Kaplan \(MVP - ADSI\)]

Ah, for that you need to put in the machine name of the web server (assuming
the accounts are local on the web server).

If you use Basic authentication (and SSL), you can set up a default domain
in the IIS settings that will take care of this for you.

Joe K.

"John Blair" <john_blair@hotmail.com> wrote in message
news:Rb%Vd.1499$IQ5.1276@newsfe1-gui.ntli.net...

> Thanks for the reply.
>
> Yes my users have a local PC account and i have created one for them on
> the web server - the trouble is when prompted for login on the webserver
> they are asked for the domain - BUT i dont have a domain - only a
> workgroup - so i dont know why i get prompted for a domain as i have no
> way of satisfying that part of the user credentials! Thanks anyway.
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:O$d%23zqMIFHA.904@tk2msftngp13.phx.gbl...

>> They will either need a local account on your web server or an account in
>> a domain that your web server trusts. Your web server will not trust
>> their local machine accounts, so you won't be able to use them.
>>
>> If you don't have a domain available and accounts for your users in the
>> domain, I'm not sure using integrated authentication will work out so
>> great. Essentially the users will have a local account they log in to
>> their workstation with and a domain account or account on the web server
>> that may have a different name and password. That becomes a lot of extra
>> stuff to look after, especially if you have a lot of users.
>>
>> Joe K.
>>
>> "John Blair" <john_blair@hotmail.com> wrote in message
>> news:RHYVd.585$A01.390@newsfe5-gui.ntli.net...

>>> Hi,
>>>
>>> I have setup my website to use windows integrated security in IIS (and
>>> disabled anonymous access) also added <identity impersonate="true"/> in
>>> the web.config file. Now whenever a PC on my intranet tries to visit the
>>> website the network logon prompt for my server appears (as expected).
>>> The problem is that the user is prompted to enter a domain - but my lan
>>> PCs are all part of a workgroup NOT a domain - how can i get the login
>>> to ask for workgroup instead of domain - or not ask for a domain at all?
>>> Thanks a lot!
>>>
>>>

>>
>>

>
>

[John Blair]

Thanks again! But still having no joy.

I entered the server name (winxp1) and the login prompt just got represented
furhter 2 times and then logon failure msg!

I tried your second suggestion basic authentication - i entered a default
domain name and that appeared in the domain box on my remote pc login
prompt - but still login failure!

on IIS my anonymous account is say Johnny Blair - the anonymous user is
listed as WINXP1\Johnny Blair - now in attempting to logon remoted i use
Johnny Blair - but also tried WINXP1\Johnny Blair . The error message
suggesting altering the local security policy and adding the name name
Johnny Blair to logon locally - but that user is an admistrator and
administrators are already presented - so i added it anyway but it didnt
help - ive gone back to anonymous login! Any ideas appreciated. Thanks.

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:%235mKOBNIFHA.3076@tk2msftngp13.phx.gbl...

> Ah, for that you need to put in the machine name of the web server
> (assuming the accounts are local on the web server).
>
> If you use Basic authentication (and SSL), you can set up a default domain
> in the IIS settings that will take care of this for you.
>
> Joe K.
>
> "John Blair" <john_blair@hotmail.com> wrote in message
> news:Rb%Vd.1499$IQ5.1276@newsfe1-gui.ntli.net...

>> Thanks for the reply.
>>
>> Yes my users have a local PC account and i have created one for them on
>> the web server - the trouble is when prompted for login on the webserver
>> they are asked for the domain - BUT i dont have a domain - only a
>> workgroup - so i dont know why i get prompted for a domain as i have no
>> way of satisfying that part of the user credentials! Thanks anyway.
>>
>> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
>> wrote in message news:O$d%23zqMIFHA.904@tk2msftngp13.phx.gbl...

>>> They will either need a local account on your web server or an account
>>> in a domain that your web server trusts. Your web server will not trust
>>> their local machine accounts, so you won't be able to use them.
>>>
>>> If you don't have a domain available and accounts for your users in the
>>> domain, I'm not sure using integrated authentication will work out so
>>> great. Essentially the users will have a local account they log in to
>>> their workstation with and a domain account or account on the web server
>>> that may have a different name and password. That becomes a lot of
>>> extra stuff to look after, especially if you have a lot of users.
>>>
>>> Joe K.
>>>
>>> "John Blair" <john_blair@hotmail.com> wrote in message
>>> news:RHYVd.585$A01.390@newsfe5-gui.ntli.net...
>>>> Hi,
>>>>
>>>> I have setup my website to use windows integrated security in IIS (and
>>>> disabled anonymous access) also added <identity impersonate="true"/> in
>>>> the web.config file. Now whenever a PC on my intranet tries to visit
>>>> the website the network logon prompt for my server appears (as
>>>> expected). The problem is that the user is prompted to enter a domain -
>>>> but my lan PCs are all part of a workgroup NOT a domain - how can i get
>>>> the login to ask for workgroup instead of domain - or not ask for a
>>>> domain at all? Thanks a lot!
>>>>
>>>>
>>>
>>>

>>
>>

>
>

[Joe Kaplan \(MVP - ADSI\)]

I'd suggest enabling auding of logon events in Local Security Policy so you
can see the logon failures in the security event log. That should help
diagnose what the errors are. You should be able to use the same logon
syntax that you would use when logging on to the machine normally.

Joe K.

"John Blair" <john_blair@hotmail.com> wrote in message
news:A80Wd.1556$IQ5.1317@newsfe1-gui.ntli.net...

> Thanks again! But still having no joy.
>
> I entered the server name (winxp1) and the login prompt just got
> represented furhter 2 times and then logon failure msg!
>
> I tried your second suggestion basic authentication - i entered a default
> domain name and that appeared in the domain box on my remote pc login
> prompt - but still login failure!
>
> on IIS my anonymous account is say Johnny Blair - the anonymous user is
> listed as WINXP1\Johnny Blair - now in attempting to logon remoted i use
> Johnny Blair - but also tried WINXP1\Johnny Blair . The error message
> suggesting altering the local security policy and adding the name name
> Johnny Blair to logon locally - but that user is an admistrator and
> administrators are already presented - so i added it anyway but it didnt
> help - ive gone back to anonymous login! Any ideas appreciated. Thanks.
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:%235mKOBNIFHA.3076@tk2msftngp13.phx.gbl...

>> Ah, for that you need to put in the machine name of the web server
>> (assuming the accounts are local on the web server).
>>
>> If you use Basic authentication (and SSL), you can set up a default
>> domain in the IIS settings that will take care of this for you.
>>
>> Joe K.
>>
>> "John Blair" <john_blair@hotmail.com> wrote in message
>> news:Rb%Vd.1499$IQ5.1276@newsfe1-gui.ntli.net...

>>> Thanks for the reply.
>>>
>>> Yes my users have a local PC account and i have created one for them on
>>> the web server - the trouble is when prompted for login on the webserver
>>> they are asked for the domain - BUT i dont have a domain - only a
>>> workgroup - so i dont know why i get prompted for a domain as i have no
>>> way of satisfying that part of the user credentials! Thanks anyway.
>>>
>>> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
>>> wrote in message news:O$d%23zqMIFHA.904@tk2msftngp13.phx.gbl...
>>>> They will either need a local account on your web server or an account
>>>> in a domain that your web server trusts. Your web server will not
>>>> trust their local machine accounts, so you won't be able to use them.
>>>>
>>>> If you don't have a domain available and accounts for your users in the
>>>> domain, I'm not sure using integrated authentication will work out so
>>>> great. Essentially the users will have a local account they log in to
>>>> their workstation with and a domain account or account on the web
>>>> server that may have a different name and password. That becomes a lot
>>>> of extra stuff to look after, especially if you have a lot of users.
>>>>
>>>> Joe K.
>>>>
>>>> "John Blair" <john_blair@hotmail.com> wrote in message
>>>> news:RHYVd.585$A01.390@newsfe5-gui.ntli.net...
>>>>> Hi,
>>>>>
>>>>> I have setup my website to use windows integrated security in IIS (and
>>>>> disabled anonymous access) also added <identity impersonate="true"/>
>>>>> in the web.config file. Now whenever a PC on my intranet tries to
>>>>> visit the website the network logon prompt for my server appears (as
>>>>> expected). The problem is that the user is prompted to enter a
>>>>> domain - but my lan PCs are all part of a workgroup NOT a domain - how
>>>>> can i get the login to ask for workgroup instead of domain - or not
>>>>> ask for a domain at all? Thanks a lot!
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>

>>
>>

>
>

[John Blair]

Thanks a lot - i did what you suggest and it reported a problem with the
logon name or password - which surprised me as i believe both are ok.

However - i created a new admin account - say testxp with a password and i
was able to logon remotely ok. Now the only difference with my original
account is that

the login name is say Johnny Blair and the full name of the account is John
Blair
- i tried using both these to login and it failed - although i can login
locally ok so i know the password is ok. I am just wondering if spaces in a
name are a problem....anyway thanks for your time - i wont bother you
again!!!!!! Have a good weekend!
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:eQ3x9tNIFHA.2740@TK2MSFTNGP12.phx.gbl...

> I'd suggest enabling auding of logon events in Local Security Policy so
> you can see the logon failures in the security event log. That should
> help diagnose what the errors are. You should be able to use the same
> logon syntax that you would use when logging on to the machine normally.
>
> Joe K.
>
> "John Blair" <john_blair@hotmail.com> wrote in message
> news:A80Wd.1556$IQ5.1317@newsfe1-gui.ntli.net...

>> Thanks again! But still having no joy.
>>
>> I entered the server name (winxp1) and the login prompt just got
>> represented furhter 2 times and then logon failure msg!
>>
>> I tried your second suggestion basic authentication - i entered a default
>> domain name and that appeared in the domain box on my remote pc login
>> prompt - but still login failure!
>>
>> on IIS my anonymous account is say Johnny Blair - the anonymous user is
>> listed as WINXP1\Johnny Blair - now in attempting to logon remoted i use
>> Johnny Blair - but also tried WINXP1\Johnny Blair . The error message
>> suggesting altering the local security policy and adding the name name
>> Johnny Blair to logon locally - but that user is an admistrator and
>> administrators are already presented - so i added it anyway but it didnt
>> help - ive gone back to anonymous login! Any ideas appreciated. Thanks.
>>
>> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
>> wrote in message news:%235mKOBNIFHA.3076@tk2msftngp13.phx.gbl...

>>> Ah, for that you need to put in the machine name of the web server
>>> (assuming the accounts are local on the web server).
>>>
>>> If you use Basic authentication (and SSL), you can set up a default
>>> domain in the IIS settings that will take care of this for you.
>>>
>>> Joe K.
>>>
>>> "John Blair" <john_blair@hotmail.com> wrote in message
>>> news:Rb%Vd.1499$IQ5.1276@newsfe1-gui.ntli.net...
>>>> Thanks for the reply.
>>>>
>>>> Yes my users have a local PC account and i have created one for them on
>>>> the web server - the trouble is when prompted for login on the
>>>> webserver they are asked for the domain - BUT i dont have a domain -
>>>> only a workgroup - so i dont know why i get prompted for a domain as i
>>>> have no way of satisfying that part of the user credentials! Thanks
>>>> anyway.
>>>>
>>>> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
>>>> wrote in message news:O$d%23zqMIFHA.904@tk2msftngp13.phx.gbl...
>>>>> They will either need a local account on your web server or an account
>>>>> in a domain that your web server trusts. Your web server will not
>>>>> trust their local machine accounts, so you won't be able to use them.
>>>>>
>>>>> If you don't have a domain available and accounts for your users in
>>>>> the domain, I'm not sure using integrated authentication will work out
>>>>> so great. Essentially the users will have a local account they log in
>>>>> to their workstation with and a domain account or account on the web
>>>>> server that may have a different name and password. That becomes a
>>>>> lot of extra stuff to look after, especially if you have a lot of
>>>>> users.
>>>>>
>>>>> Joe K.
>>>>>
>>>>> "John Blair" <john_blair@hotmail.com> wrote in message
>>>>> news:RHYVd.585$A01.390@newsfe5-gui.ntli.net...
>>>>>> Hi,
>>>>>>
>>>>>> I have setup my website to use windows integrated security in IIS
>>>>>> (and disabled anonymous access) also added <identity
>>>>>> impersonate="true"/> in the web.config file. Now whenever a PC on my
>>>>>> intranet tries to visit the website the network logon prompt for my
>>>>>> server appears (as expected). The problem is that the user is
>>>>>> prompted to enter a domain - but my lan PCs are all part of a
>>>>>> workgroup NOT a domain - how can i get the login to ask for workgroup
>>>>>> instead of domain - or not ask for a domain at all? Thanks a lot!
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>

>>
>>

>
>

[Unregistered]

17/09/2010: No idea how old these posts are.
I'm sure you cannot have a space in a username. It you are authenticating against local accounts on the webserver, then look up the account in Computer Manager, Users and Computers. The "name" field is actually the username field. You should be able to run "net user <username>" from command line to ensure you have the username correct. Then look at using "runas /user:<username> cmd" from the command line to ensure you have the password correct.