NTLM Authentication Across Forests


#1

    NTLM Authentication Across Forests

    I have a problem that I've spent a considerable amount of time
    researching and still haven't quite found the answer.

    I have an intranet web server in Domain A in Forest A. This server
    contains a website which in turn contains two files TestAccess.html
    and TestAccess.aspx. Both files have security settings which allow
    access to only one user Domain B\UserX. The user belongs to Domain B
    which is part of Forest B. All domains and forests are currently
    Windows 2000. I also use .Net Framework 1.1. IIS is set up to use
    integrated authentication and there is a one way external trust
    between Domain A and Domain B (that is Domain A trusts Domain B).

    The problem is as follows. When UserX browses to the website and
    tries to access page TestAccess.html the page is served successfully.
    However, when the same user attempts to view page TestAccess.aspx, he
    gets an access denied error. Why is it so?

    Considering that the domains are in separate forests and that Kerberos
    authentication does not work across forests via external trust, the
    browser uses NTLM authentication. I've read multiple posts on the
    double-hop issue with NTLM, but this does not seem to apply here,
    since both .html and .aspx files reside on the same web server.

    I also tested the same website with a UserY in Domain A and everything
    worked fine, i.e. both pages could be viewed just fine. The security
    logs indicated that in this case Kerberos was used for authentication.

    So my question is: Why is the .aspx page not served to UserX? Do I
    have some kind of double-hop situation here even if the files are on
    the same machine?

    Please, help me make sense of this.
    Andrew Guest

#2

    Re: NTLM Authentication Across Forests

    Are you using impersonation in your web.config?

    Joe K.

    "Andrew" <andrew.miadowicz@gmail.com> wrote in message
    news:d6565709.0411040834.564f95f1@posting.google.com...
    >I have a problem that I've spent a considerable amount of time
    > researching and still haven't quite found the answer.
    >
    > I have an intranet web server in Domain A in Forest A. This server
    > contains a website which in turn contains two files TestAccess.html
    > and TestAccess.aspx. Both files have security settings which allow
    > access to only one user Domain B\UserX. The user belongs to Domain B
    > which is part of Forest B. All domains and forests are currently
    > Windows 2000. I also use .Net Framework 1.1. IIS is set up to use
    > integrated authentication and there is a one way external trust
    > between Domain A and Domain B (that is Domain A trusts Domain B).
    >
    > The problem is as follows. When UserX browses to the website and
    > tries to access page TestAccess.html the page is served successfully.
    > However, when the same user attempts to view page TestAccess.aspx, he
    > gets an access denied error. Why is it so?
    >
    > Considering that the domains are in separate forests and that Kerberos
    > authentication does not work across forests via external trust, the
    > browser uses NTLM authentication. I've read multiple posts on the
    > double-hop issue with NTLM, but this does not seem to apply here,
    > since both .html and .aspx files reside on the same web server.
    >
    > I also tested the same website with a UserY in Domain A and everything
    > worked fine, i.e. both pages could be viewed just fine. The security
    > logs indicated that in this case Kerberos was used for authentication.
    >
    > So my question is: Why is the .aspx page not served to UserX? Do I
    > have some kind of double-hop situation here even if the files are on
    > the same machine?
    >
    > Please, help me make sense of this.

    Joe Kaplan (MVP - ADSI) Guest

#3

    Re: NTLM Authentication Across Forests

    Yes, I have the ASP worker process set up to impersonate. Also, the
    worker process runs as "Domain A\AccountS".
    Andrew Guest
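For readers following the exchange above, here is what the impersonation setting Joe asks about, together with per-user authorization for the .aspx page, looks like in an ASP.NET 1.1 web.config. This is an added illustration, not a file from Andrew's server or from the thread; the account spelling `DOMAINB\UserX` and the `<location>` scoping are assumptions about how the question's "Domain B\UserX" and per-file security settings would be expressed in configuration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config (ASP.NET 1.1); not taken from the thread.
     DOMAINB\UserX is an assumed spelling of the question's "Domain B\UserX". -->
<configuration>
  <system.web>
    <!-- IIS Integrated Windows Authentication (Kerberos or NTLM) identifies
         the caller; ASP.NET only consumes the resulting Windows token. -->
    <authentication mode="Windows" />

    <!-- The setting Joe asked about. With impersonate="true" the request
         thread runs under the authenticated caller's token instead of the
         worker-process account (in the question, "Domain A\AccountS"). -->
    <identity impersonate="true" />
  </system.web>

  <!-- ASP.NET URL authorization, scoped to the one page from the question.
       It is evaluated only for requests that ASP.NET handles (.aspx and the
       other extensions mapped to aspnet_isapi.dll). A request for
       TestAccess.html is served by IIS's static-file handler and never
       reaches this configuration; only the file's NTFS ACL applies there. -->
  <location path="TestAccess.aspx">
    <system.web>
      <authorization>
        <allow users="DOMAINB\UserX" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The practical consequence for troubleshooting is that the two files in the question take different paths through the server: the .html request is authenticated and ACL-checked by IIS alone, while the .aspx request is additionally handed to the ASP.NET worker process, where the impersonation and authorization settings above are applied. When comparing the two, the web server's Security log (with object-access auditing enabled on the two files) shows which account actually opened each file and with which authentication package, which is the same kind of evidence the question already cites for the UserY test.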
