Here is a collection of facts and observations regarding the use of Integrated Windows Authentication (IWA) with
Microsoft's IIS webserver.
IWA will not prompt the client/browser to log in whenever that client/browser is running within the same domain as
IIS. In that scenario, the login is automatic and behind-the-scenes (i.e. seamless).
This fact is evidenced by this IIS forum post.
When you have multiple authN mechanisms enabled for your IIS website (e.g. IWA *and* Basic),
then the IIS webserver will send back a list of all supported (i.e. enabled)
mechanisms to the client, and the client will select the "strongest" one that it supports.
So, if you have IWA *and* Basic enabled, and the client supports IWA, then
IWA will be used (e.g. NTLM or Kerberos). Only if the client doesn't
understand/support IWA would Basic be used. So, "yes", you can have both of
them selected, but if the client supports IWA, then it will attempt to use
IWA. With IWA, you need to supply a domain name as part of the username (e.g. <domainName>\<userName>).
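
The scheme selection described above (the server lists its enabled mechanisms in the 401 response, the client takes the strongest one it supports), as an added example that is not part of the original page. The strength ranking, the function names and the sample headers are assumptions made for illustration, and one challenge per WWW-Authenticate header is assumed.

```python
# Added example: models how a client picks an authentication scheme from
# the WWW-Authenticate challenges in a 401 response. The ranking is an
# assumption that mirrors common browser behaviour; it is not IIS code.
STRENGTH = {"negotiate": 4, "ntlm": 3, "digest": 2, "basic": 1}


def offered_schemes(status, headers):
    """Return the lower-cased schemes challenged by a response.

    `headers` is a list of (name, value) pairs so that repeated
    WWW-Authenticate headers are preserved in order.
    """
    if status != 401:
        return []  # no challenge: the server did not ask for credentials
    schemes = []
    for name, value in headers:
        if name.lower() != "www-authenticate" or not value.strip():
            continue
        # The scheme is the first token; parameters such as realm follow.
        scheme = value.split(None, 1)[0].lower()
        if scheme not in schemes:
            schemes.append(scheme)
    return schemes


def select_scheme(status, headers, client_supports):
    """Pick the strongest offered scheme that the client also supports."""
    supported = {s.lower() for s in client_supports}
    usable = [s for s in offered_schemes(status, headers)
              if s in supported and s in STRENGTH]
    return max(usable, key=STRENGTH.get) if usable else None


# Constructed sample: a site with IWA and Basic both enabled.
SAMPLE_401 = [
    ("Content-Type", "text/html"),
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "NTLM"),
    ("WWW-Authenticate", 'Basic realm="intranet.example"'),
]

if __name__ == "__main__":
    print(select_scheme(401, SAMPLE_401, ["Negotiate", "NTLM", "Basic"]))
    print(select_scheme(401, SAMPLE_401, ["Basic"]))
    print(select_scheme(200, [], ["Negotiate", "NTLM", "Basic"]))
```

A response that carries no challenge, such as a page served while Anonymous Access is still enabled, yields no scheme, so the client never sends credentials.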
If you are being prompted to log in and yet your attempts to log in keep failing, perhaps you need to configure
your Internet Explorer [IE] web browser to add the site you're requesting to its security zone as described here.
Essentially what can occur is that IE may decide to not trust certain websites based upon IE's own security settings.
Further details are here.
With IIS 7, Integrated Windows authentication isn't installed by default. As such, you'll need to go to
Add/Remove Programs | "Turn Windows Features on or off".
This will bring up a new Server Manager dialog.
Click on the Role named "Web Server" and then in the right pane scroll down to the list of Role Services.
Look in the list of Role Services for the Heading named "Security".
Beneath that heading you should see Role Services named:
- Basic Authentication
- Windows Authentication
By default those Role Services are not installed, so go back to the top of the list of Role Services and click
Add Role Services...
From there you can check the checkboxes for the specific Authentication Role Services you wish to add.
After this completes, close the IIS Manager/Server Manager dialog and bring up a brand new one.
That is important.
Now in the brand new dialog click on the name of your website and then click on "Authentication" in that IIS group. You should then see that "Windows Authentication" has been added to the list (it would not have been listed there before). Make sure to enable it, as its default value will be "disabled".
In testing, we found that it was not enough to turn on the IWA authentication within IIS.
We found that we must also turn off Anonymous Access.
With BDJX 7.0.1,371 the value of Auth_user and Remote_user is simply "Administrator",
but with BDJX 7.1.0,373 the values are "<machine name>\Administrator" as in:
It is possible to perform advanced configuration within Firefox by accessing the following URL in a Firefox browser window:
FAQ #65 may also be of interest.