Question : IIS security question

I have a win2003 IIS server hosting my company intranet. I have been using Basic Authentication for our single domain users. I’ve placed the domain name in the Default domain field so users don’t need to add their domain\username.
I have a new domain tree in my domain now (same Forest). I now want to have users in both domains, use basic authentication, to access the intranet. I want to keep the users from entering in domain\username and have them continue to input just their usernames; however, within the “default domain” field, it only allows you to put in 1 domain name. Is there a workaround for this?
Bottom line: How can I get users from both domains to access the intranet without specifying domain\username and just use username, while still using basic authentication?

Answer : IIS security question

This is not possible by the design of Basic authentication and IIS. Basic authentication tells the browser to send the username (in clear text, so only use this over SSL). The server then determines the authentication source and method. In this case, it means authentication against AD. However, AD uses DOMAIN\Username (or sometimes UPN), thus a "Default Domain" option exists for simplicity. However, since you have multiple domains, it doesn't know which one to authenticate each user against. Unless IIS changes to allow a list of domains to try in a certain order, what you are looking for doesn't exist. I wouldn't count on MS adding such a feature either since it means doing multiple authentication requests against multiple domains, which isn't good for performance or security.

A few options:
1) Tell the users in one domain or another (or both) to use the full domain formatted username
2) Create a custom authentication filter to do what you want, and install it into IIS and use that (complicated and far beyond the scope of this question).
3) You *may*, depending on your setup and web application(s), be able to create multiple virtual IIS servers on the PC, attached to multiple IP addresses, with different default domains on each. Then direct the users (either manually or via a script or web page) to the appropriate IIS website.
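
The behaviour described in the answer, as an added example that is not part of the original answer and is not IIS's own code: it decodes a Basic `Authorization` header and shows that a bare username carries no domain hint, so a single configured default is the only value the server can apply. The domain names `CORP` and `NEWTREE`, the sample accounts and the function names are constructed for illustration.

```python
import base64


def make_header(username, password):
    """Build the header value a browser sends for Basic authentication."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header_value):
    """Return (username, password) from an 'Authorization: Basic ...' value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic Authorization header")
    # Base64 is an encoding, not encryption: anyone who sees the header can do this.
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    # The user-id cannot contain ':', so split on the first colon only.
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator between user and password")
    return username, password


def resolve_logon(username, default_domain):
    """Classify the submitted name and return (form, domain, account)."""
    if "\\" in username:                      # DOMAIN\user
        domain, account = username.split("\\", 1)
        return ("down-level", domain, account)
    if "@" in username:                       # user@suffix (UPN)
        account, suffix = username.rsplit("@", 1)
        return ("upn", suffix, account)
    # Bare name: nothing in the request says which domain, so the one
    # configured default is applied to every such user.
    return ("bare", default_domain, username)


def demo(default_domain="CORP"):
    """Resolve three constructed logons against one default domain."""
    samples = ["jsmith", "NEWTREE\\adoe", "adoe@newtree.example"]
    results = []
    for name in samples:
        user, _pw = parse_basic_header(make_header(name, "constructed-pw"))
        results.append(resolve_logon(user, default_domain))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A user in the second domain who types only `adoe` resolves to `CORP\adoe`, which is why the options above either put the domain in the name or give each domain its own site with its own default.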