Windows integrated authentication across domains...

[MColeman]

I have an ASP/VB.NET application on two different servers.

Both have: anonymous logon = unchecked
windows integrated = checked
impersonation = false

Server A is in domain A and the users are in domain A. This application runs okay and returns the user.identity.name to the .NET as domain\username.

Server B is in domain B and the same users in domain A are trying to use it. This application shows the user.identity.name as null.

Is the user.identity null because the logon becomes anonymous if from another domain?

Could there be a firewall or proxy name that's being passed instead of the domain/username and this name is allowed anonymous access?

 

[evaleah]

Is there a trust between domains A and B? Can users authenticate directly into domain B if they are domain A users?

 

[MColeman]

Thanks for your reply.

Is there a trust between domains A and B? yes - parent and child

Can users authenticate directly into domain B if they are domain A users? yes

I tried someone's logon from the parent domain also.

 

[LV]

Is

<authentication mode=&quot;Windows&quot; />

in Web.config in both apps?

 

[MColeman]

yes

 

[MColeman]

I called Microsoft support.

I needed to set impersonation to true in the web config file in order to get the user name passed to the .net code.

impersonation = true : uses IIS security settings
impersonation = false : uses default security settings from machine.config file in the .net framework

Also, they sent me two good links about .net security:

306158 INFO: Implementing Impersonation in an ASP.NET Application

http://support.microsoft.com/?id=306158

I have also included the following article which discusses the security identity of ASP.NET.

317012 INFO: Process and Request Identity in ASP.NET

http://support.microsoft.com/?id=317012