1

We're using some third party software which runs as a service on one computer, accessing an IIS resource on second computer. The second computer isn't in the same domain as the first, and there's a firewall directly between them.

Both servers are Windows 2003, running IIS6.

The service fails to do what it wants because it isn't authorised to access the IIS resource (HTTP error 401). The resource cannot be run anonymously (and complains if I set IIS to work like that) and uses Windows authentication. The software assumes that both machines are in the same domain.

Without adding the second computer to the same domain as the first (which must be possible, but involves fiddling around with routing), can I make it so that the service can access the resource?

I've tried to find ways of adding the first computer as an authorised user on the second one, but I can't.

paulmorriss
  • 277
  • 1
  • 3
  • 15

1 Answer

2

Since the dawn of time, Windows OSes have supported a gross hack to enable cross-domain logins: allow Windows Integrated authentication on the web resource from a named user account in the domain the web server runs in, and create a user with the same account name and password on the server hosting the service.

Yes, this will always work regardless of domain membership.

EDIT: to add one obvious security implication, in case it isn't obvious: you can use this trick to access a privileged domain account from a computer where the (duplicate) account is not privileged.

adaptr
  • 16,479
  • 21
  • 33
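The answer's steps written out as commands for Windows 2003 / IIS6, as an added example that is not part of the original answer. The account name SVC_WEBCLIENT, the service name ThirdPartySvc, IIS site id 1 with application path App, the content path D:\Inetpub\App and the password placeholder are all assumptions.

```batch
@echo off
REM Added example (not from the original answer): mirrored local accounts so
REM NTLM works between two Windows 2003 machines that share no domain.
REM Assumed names: SVC_WEBCLIENT (account), ThirdPartySvc (service),
REM metabase path W3SVC/1/ROOT/App (site id 1), D:\Inetpub\App (content).

REM ---- On the web server (second computer) ----
REM 1. Dedicated low-privilege local account. Do not mirror a domain admin:
REM    the duplicate on the other box would otherwise become a privileged login.
net user SVC_WEBCLIENT "<same-strong-password>" /add /expires:never /passwordchg:no
REM    Default membership is only the local Users group; add nothing else.

REM 2. Read-only NTFS access to just the application content.
cacls D:\Inetpub\App /E /T /G SVC_WEBCLIENT:R

REM 3. Integrated Windows authentication only on the resource
REM    (AuthFlags bits: 1 = Anonymous, 2 = Basic, 4 = NTLM/Integrated).
cscript %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/ROOT/App/AuthFlags 4

REM ---- On the service host (first computer) ----
REM 4. Same name and the SAME password as step 1; this is the whole trick,
REM    because the web server falls back to its local SAM for an unknown domain.
net user SVC_WEBCLIENT "<same-strong-password>" /add /expires:never /passwordchg:no

REM 5. Run the third-party service as that local account so the NTLM
REM    credentials it presents are ones the web server can validate.
sc config ThirdPartySvc obj= .\SVC_WEBCLIENT password= "<same-strong-password>"
REM    sc config does not grant "Log on as a service" (the Services console
REM    does); if the start fails with error 1069, add that right in
REM    Local Security Policy first.
net stop ThirdPartySvc & net start ThirdPartySvc

REM Check: requests from the service account should no longer get HTTP 401;
REM a password mismatch on either side brings the 401 straight back.
```

Because the two accounts are only linked by having the same secret, every password change has to be made on both machines at once, and the local account on the web server should be audited like any other login that is valid from outside the domain.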