IIS Insider - June 2004

By Brett Hill

Domain Credentials Used When Accessing Trusted Sites

Q: I am creating an intranet site and would like the site to be available to users already logged into the network without requiring them to retype their username and password to access.  I would also like users to have the ability to log in to the site while out of the office from a foreign machine (not part of the domain) by typing their username and password. These should be the domain user accounts that I already maintain. Is there a way to do this in IIS 5.0 natively or is there an add-on that provides this functionality?

A: If the web site is added to the list of trusted sites in Internet Explorer on the client (as shown in Figure 1), then Internet Explorer will send the user's credentials to the web server automatically, if:

  1. Anonymous authentication is disabled on IIS, or the anonymous user is denied access by NTFS permissions.
  2. Integrated Windows authentication is enabled. In this case the user will not be prompted for credentials, provided they actually have rights to the content they requested.

Figure 1   Adding Trusted Sites

When accessing remotely, your users do not need to be logged onto the domain in order to use domain credentials on the IIS server. All they need to do is type in their domain\username and password to authenticate with their domain credentials. IIS will then authenticate them against the domain controller and they will be allowed access, presuming NTFS permissions permit it.
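As an added illustration, not part of the original column, here is a small Python check of the exchange described above: it sends one request without credentials and reads the server's challenge. Anonymous access being denied shows up as a 401, and Integrated Windows authentication shows up as a Negotiate or NTLM challenge. The check also flags a Basic challenge on plain http, since remote users typing domain\username and password into a Basic prompt would send those credentials across the wire unprotected. The probe() helper and the sample responses are my own constructions, not captured from a real server.

```python
import http.client
from urllib.parse import urlparse

# Challenge schemes that correspond to "Integrated Windows authentication" in IIS.
INTEGRATED_SCHEMES = ("negotiate", "ntlm")


def evaluate_challenge(status, www_authenticate, scheme):
    """Classify the server's reply to a request that carried no credentials.

    status           - HTTP status code of that reply
    www_authenticate - list of WWW-Authenticate header values (IIS sends one header per scheme)
    scheme           - 'http' or 'https', i.e. whether the connection was protected
    """
    offered = {value.split()[0].lower() for value in www_authenticate if value.strip()}
    findings = {
        "anonymous_denied": status == 401,   # a 200 means the anonymous request succeeded
        "integrated_offered": any(s in offered for s in INTEGRATED_SCHEMES),
        "basic_offered": "basic" in offered,
        # Basic carries the password base64-encoded, not encrypted: only acceptable over https
        "basic_in_clear": "basic" in offered and scheme == "http",
        "offered": sorted(offered),
    }
    findings["matches_column_setup"] = (
        findings["anonymous_denied"] and findings["integrated_offered"]
    )
    return findings


def probe(url, timeout=10):
    """Hypothetical helper: one unauthenticated GET against url, evaluated as above (uses the network)."""
    parts = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        challenges = [v for k, v in resp.getheaders() if k.lower() == "www-authenticate"]
        return evaluate_challenge(resp.status, challenges, parts.scheme)
    finally:
        conn.close()


def describe(findings):
    """Turn the findings into the lines an administrator would want to read."""
    lines = [
        "anonymous access denied: %s" % findings["anonymous_denied"],
        "integrated windows offered: %s (schemes: %s)"
        % (findings["integrated_offered"], ", ".join(findings["offered"]) or "none"),
    ]
    if findings["basic_in_clear"]:
        lines.append("WARNING: Basic offered over plain http; domain passwords would be readable on the wire")
    return lines


# Constructed samples (not captured from a real server).
SAMPLE_INTEGRATED = {"status": 401, "challenges": ["Negotiate", "NTLM"], "scheme": "http"}
SAMPLE_ANON_OK = {"status": 200, "challenges": [], "scheme": "http"}
SAMPLE_BASIC_CLEAR = {"status": 401, "challenges": ['Basic realm="intranet"'], "scheme": "http"}

if __name__ == "__main__":
    for name, s in (("integrated", SAMPLE_INTEGRATED), ("anon-ok", SAMPLE_ANON_OK),
                    ("basic-clear", SAMPLE_BASIC_CLEAR)):
        print("==", name)
        for line in describe(evaluate_challenge(s["status"], s["challenges"], s["scheme"])):
            print("  " + line)
```

Run it against the samples as-is, or call probe("http://intranet.example/") from a non-domain machine to confirm that the first reply is a 401 carrying Negotiate/NTLM rather than a 200 or a Basic challenge.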

Should We Upgrade to IIS 6 Before Deploying Our ASP.net Applications?

Q: We would like to begin deploying some ASP.net applications on IIS 5, but we are migrating to IIS 6 within a year. Should we wait till we have IIS 6 in order to avoid problems due to differences with ASP.net between IIS 5 and IIS 6?

A: It's great to get a question like this because the answer is really easy. No! You should not wait. In the majority of cases, applications that were working on IIS 5 have no problems working on IIS 6. In other cases, you may need to make some adjustments, but those are typically minor.

From an IIS administration perspective, ASP.net on IIS 5 and IIS 6 are remarkably similar. The biggest difference is that the worker process that hosts ASP.net applications on IIS 5 is aspnet_wp.exe, which runs as the ASPNET user by default. On IIS 6, ASP.net runs like any other web application, inside w3wp.exe, under the Network Service identity by default.

Additionally, of the processModel settings in machine.config, only the maxIoThreads and maxWorkerThreads attributes are used when IIS 6 runs in worker process isolation mode. The other processModel attributes control recycling and the process identity of the worker process that hosts ASP.net; those settings have moved into IIS Manager under the properties of the Application Pool. See the IIS 6 help files for more information on this.
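To make the machine.config point concrete, here is an added Python script (my own, not from the column or from Microsoft) that reads the processModel element and sorts its attributes into the two the column says IIS 6 still honors and those whose equivalents now belong to the Application Pool. The grouping of the remaining attributes into recycling and identity buckets is mine, and the sample configuration is constructed from the .NET Framework 1.1 default values.

```python
import xml.etree.ElementTree as ET

# The column states that under IIS 6 worker process isolation mode only these two
# processModel attributes are still read from machine.config.
HONORED_ON_IIS6 = {"maxIoThreads", "maxWorkerThreads"}
# My grouping of the remaining attributes by what they control for aspnet_wp.exe on IIS 5;
# on IIS 6 the equivalent settings are configured on the Application Pool instead.
RECYCLING = {"timeout", "idleTimeout", "shutdownTimeout", "requestLimit",
             "memoryLimit", "responseDeadlockInterval"}
IDENTITY = {"userName", "password"}


def classify_process_model(machine_config_xml):
    """Return the processModel attributes sorted into honored / recycling / identity / other."""
    root = ET.fromstring(machine_config_xml)
    buckets = {"honored": {}, "recycling": {}, "identity": {}, "other": {}}
    pm = next(root.iter("processModel"), None)   # first <processModel> anywhere in the file
    if pm is None:
        return buckets
    for name, value in pm.attrib.items():
        if name in HONORED_ON_IIS6:
            buckets["honored"][name] = value
        elif name in RECYCLING:
            buckets["recycling"][name] = value
        elif name in IDENTITY:
            buckets["identity"][name] = value
        else:
            buckets["other"][name] = value
    return buckets


def migration_notes(buckets):
    """Reminders of what must be re-created in IIS Manager after the move to IIS 6."""
    notes = []
    for name, value in sorted(buckets["honored"].items()):
        notes.append("kept: %s=%s still applies from machine.config" % (name, value))
    for name, value in sorted(buckets["recycling"].items()):
        notes.append("move: %s=%s is ignored on IIS 6; set recycling on the Application Pool" % (name, value))
    for name in sorted(buckets["identity"]):
        notes.append("move: %s is ignored on IIS 6; set the Application Pool identity instead" % name)
    for name, value in sorted(buckets["other"].items()):
        notes.append("review: %s=%s is not read in IIS 6 worker process isolation mode" % (name, value))
    return notes


# Constructed sample using the .NET Framework 1.1 default values for processModel.
SAMPLE_MACHINE_CONFIG = """<configuration>
  <system.web>
    <processModel enable="true" timeout="Infinite" idleTimeout="Infinite"
                  shutdownTimeout="0:00:05" requestLimit="Infinite" memoryLimit="60"
                  webGarden="false" userName="machine" password="AutoGenerate"
                  maxWorkerThreads="20" maxIoThreads="20" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for note in migration_notes(classify_process_model(SAMPLE_MACHINE_CONFIG)):
        print(note)
```

Point classify_process_model at the contents of your real machine.config before the migration; anything listed under "move" is a setting that will silently stop applying on IIS 6 until it is re-created on the Application Pool.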

The only other advice I would give you is to make sure that your .Net applications do not take advantage of capabilities that are only found in the version of ASP.net you are deploying on IIS 5. Over time, different versions of ASP.net will arise and there will be differences, but in general these have not been substantial when running code written for a lower level version of ASP.net on a higher level version of ASP.net.

There is a great article on ASP.net architectural differences between IIS 5 and IIS 6 at http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh20.asp

Can You Assign Multiple Certificates to One Web Site?

Q: Our web site does not use host headers but we have two identities for the site - one for each of our products. ProductA.com and ProductB.com both resolve to the same IP address and so host headers are not required, so SSL can be used. After getting two certificates, each one with a different Common Name field (productA.com and productB.com), however, there doesn't appear to be a way to add more than one certificate to a web site. How can we attach both certificates to the same web site?

A: Starting in Windows 2000, the certificate store was centralized for the server. One of the rules that came along with that change is that each web site can only have one certificate. This is a bit difficult because, as in your case, a web site can have several identities (URLs that you would use to access the site). As of today, there is no solution for your problem other than configuring two web sites, one for each product, each with a unique IP address.

If your URLs share a common domain name such as ProductA.domain.com and ProductB.domain.com, then you can use a wildcard certificate. A wildcard certificate lets you obtain a single certificate for something like *.microsoft.com, which would match msdn.microsoft.com and search.microsoft.com. If not, then you will need to have two web sites. This may not be as bad as it sounds, as you can map both web sites to the same content.
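As an added example (my own code, not from the column), the following Python shows the wildcard name matching rule that decides which of the two cases above you are in: a certificate for *.domain.com matches exactly one label to the left of the dot and nothing else, so ProductA.domain.com and ProductB.domain.com can share one certificate, while ProductA.com and ProductB.com cannot. The certificates_needed helper is hypothetical; it simply groups a site's names by the wildcard that would cover them, and it goes slightly beyond the column by also rejecting the patterns (such as *.com or a wildcard in a middle label) that clients refuse to honor.

```python
def hostname_matches(pattern, hostname):
    """True if the certificate name `pattern` covers `hostname`.

    Applies the conservative wildcard rule clients use: names compare
    case-insensitively, '*' is accepted only as the entire left-most label,
    it matches exactly one label, and patterns with fewer than three labels
    (e.g. "*.com") are refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False            # only the "*.example.com" form is accepted
    if len(p_labels) < 3:
        return False            # "*.com" would cover every .com host
    # one label replaces the '*'; the remaining labels must match exactly
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def certificates_needed(site_names):
    """Hypothetical planner: group a site's names by the certificate name that would
    cover them. Names with only two labels (productA.com) cannot share a wildcard
    with anything and are filed under their own exact name."""
    plan = {}
    for name in site_names:
        labels = name.lower().rstrip(".").split(".")
        key = "*." + ".".join(labels[1:]) if len(labels) >= 3 else ".".join(labels)
        plan.setdefault(key, []).append(name)
    # consistency check: every name must be matched by the pattern it was filed under
    for key, names in plan.items():
        assert all(hostname_matches(key, n) for n in names), key
    return plan


if __name__ == "__main__":
    # Constructed inputs mirroring the two situations in the column.
    for names in (["ProductA.com", "ProductB.com"],
                  ["ProductA.domain.com", "ProductB.domain.com"]):
        plan = certificates_needed(names)
        print("%d certificate(s) for %s:" % (len(plan), ", ".join(names)))
        for key, covered in sorted(plan.items()):
            print("  %-20s covers %s" % (key, ", ".join(covered)))
```

One certificate per key in the returned plan is also one web site in IIS, since IIS binds a single certificate to a site: the wildcard case is one site with one certificate, and the two-domain case is two sites, each on its own IP address with its own certificate.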

Submit your questions to the IIS Insider. Selected questions along with the answers will be posted in a future IIS Insider column.


We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as is," without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.