
Group:  English: Windows Server » microsoft.public.windows.server.dns
Thread: Split DNS and HTTPS


Split DNS and HTTPS
Geoff 11/6/2008 5:41:00 PM
Be very grateful for some help here....

I have set up a split dns for reasons that I won't go into and have the
following problem.

If I try to access a https web site hosted on the SBS BOX using the following
syntax it works perfectly well:-

https://server/website

If I try to access the same site using the split DNS as follows

https://somedomainname.co.uk/website

I am always asked for authentication, username and password.

I guess I must need to add something in the way of permissions to the
additional forward lookup zone?

Thanks

Geoff
Re: Split DNS and HTTPS
"Phillip Windell" <philwindell[ at ]hotmail.com> 11/6/2008 6:03:58 PM

"Geoff" <Geoff[ at ]discussions.microsoft.com> wrote in message
news:A3CB76D4-6069-48F2-A8E4-FD1C1789D1B2[ at ]microsoft.com...
> Be very grateful for some help here....
>
> I have set up a split dns for reasons that I won't go into

I already know why,..so you don't need to. Or at least I know why you
*should* be doing it,...and you *should* be doing it.

> If I try to access a https web site hosted on the SBS BOX using the
> following
> syntax it works perfectly well:-
>
> https://server/website

So I take it that this is a Wildcard Cert?,...since it isn't possible for a
normal Cert to function against "server" and against "somedomainname.co.uk"
at the same time.

> If I try to access the same site using the split DNS as follows
>
> https://somedomainname.co.uk/website
>
> I am always asked for authentication, username and password.
>
> I guess I must need to add something in the way of permissions to the
> additional forward lookup zone?

???? DNS Zones have nothing to do with Authentication.

Few problems I can think of. It may be one, or the other, or all at the
same time:

1. The Split-DNS wasn't done correctly and the browser is trying to connect
somewhere that you don't expect.

2. "somedomainname.co.uk" may have to be added to the Intranet Zone (not
Internet) in the local browser settings on the local client machine that has
to be repeated for every user who uses the machine. IE will not pass
credentials from the Windows Logon to sites that are not in the Intranet
Zone. Kind of obvious why,...you don't want the stupid browser passing
your Domain Credentials to some website out on the internet that might
"collect" such credentials for future evil doings.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
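
The two checks listed in the reply above, as an added example that is not part of the original thread: it confirms the split-DNS name resolves to the internal server, then inspects and sets the per-user IE zone mapping for that one HTTPS host. The host name is the thread's placeholder; the IP address is a constructed value to replace with your own.

```powershell
# Added example, not from the thread. $HostName is the placeholder name used in
# the thread; $ExpectedInternalIp is a constructed value (assumption): set it to
# the LAN address of the server that hosts the site.
$HostName           = 'somedomainname.co.uk'
$ExpectedInternalIp = '192.168.16.2'

# Check 1: does the internal (split) zone answer with the internal address?
# If it does not, the browser is reaching a different endpoint than expected
# and no zone setting should be changed for this name.
# (An unresolvable name leaves $resolved empty and is treated as a failure.)
$resolved = [System.Net.Dns]::GetHostAddresses($HostName) |
    ForEach-Object { $_.IPAddressToString }
$dnsOk = $resolved -contains $ExpectedInternalIp
"{0} resolves to: {1}" -f $HostName, ($resolved -join ', ')

# Check 2: which IE security zone is the name mapped to for the current user?
# Zone IDs: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet,
# 4 Restricted sites. A missing value means no explicit mapping exists.
$key  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$HostName"
$zone = (Get-ItemProperty -Path $key -Name https -ErrorAction SilentlyContinue).https

if (-not $dnsOk) {
    Write-Warning "Expected $ExpectedInternalIp. Fix the split-DNS record before touching zones."
}
elseif ($zone -eq 1) {
    "https://$HostName is already in the Local intranet zone for $env:USERNAME."
}
else {
    # Map only this exact host and only the https scheme. Automatic logon sends
    # Windows credentials to every site in this zone, so no wildcard or
    # all-scheme ('*') entries are created here.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name https -Value 1 -PropertyType DWord -Force | Out-Null
    "Mapped https://$HostName to the Local intranet zone for $env:USERNAME."
}
```

The mapping is written under HKCU, so it applies to the logged-on user only, which matches the "repeated for every user" remark above; the Group Policy setting "Site to Zone Assignment List" is the centrally managed alternative.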


Re: Split DNS and HTTPS
Geoff 11/6/2008 6:38:13 PM
You are a star sir!

It makes perfect sense as you say but then like all of life it's easy when
you know.

Thank you very much.

Geoff

Re: Split DNS and HTTPS
"Ace Fekay [Microsoft Certified Trainer]" <firstnamelastname[ at ]hotmail.com> 11/8/2008 4:21:53 AM
In news:7452FD38-8481-465C-8A15-659E90932541[ at ]microsoft.com,
Geoff <Geoff[ at ]discussions.microsoft.com> requesting assistance, typed the
following:
> You are a star sir!
>
> It makes perfect sense as you say but then like all of life it's easy
> when you know.
>
> Thank you very much.
>
> Geoff

In addition to Geoff's response, I would like to add that if you use the
server's NetBIOS name in a URL, as you showed in your example,
authentication will use the user's current logged on credentials, however if
you use the FQDN, IIS will ask for authentication. This is a function of IIS
honoring the authentication security settings when a browser connects by IP
or FQDN, which gets resolved to an IP.

You can test it. I found this out accidentally years ago teaching an IIS
class when the students pointed out an issue that a lab wasn't following the
steps in the lab book. It wasn't in the courseware, but was added in
subsequent versions.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly.
Please check http://support.microsoft.com for regional support phone
numbers.

Re: Split DNS and HTTPS
"Ace Fekay [Microsoft Certified Trainer]" <firstnamelastname[ at ]hotmail.com> 11/8/2008 4:23:16 AM
In news:7452FD38-8481-465C-8A15-659E90932541[ at ]microsoft.com,
Geoff <Geoff[ at ]discussions.microsoft.com> requesting assistance, typed the
following:
> You are a star sir!
>
> It makes perfect sense as you say but then like all of life it's easy
> when you know.
>
> Thank you very much.
>
> Geoff

Sorry, I meant in addition to Phillip's response, not yours!

Sorry Phillip. :-)

Re: Split DNS and HTTPS
"Phillip Windell" <philwindell[ at ]hotmail.com> 11/10/2008 8:52:41 PM

"Ace Fekay [Microsoft Certified Trainer]" <firstnamelastname[ at ]hotmail.com>
wrote in message news:%2372JOoVQJHA.1960[ at ]TK2MSFTNGP04.phx.gbl...
> In news:7452FD38-8481-465C-8A15-659E90932541[ at ]microsoft.com,
> Geoff <Geoff[ at ]discussions.microsoft.com> requesting assistance, typed the
> following:
> Sorry, I meant in addition to Phillip's response, not yours!
>
> Sorry Phillip. :-)

....knew what ya meant... :-)


Re: Split DNS and HTTPS
"Ace Fekay [Microsoft Certified Trainer]" <firstnamelastname[ at ]hotmail.com> 11/12/2008 2:33:30 AM
In news:e60Tjb3QJHA.4492[ at ]TK2MSFTNGP06.phx.gbl,
Phillip Windell <philwindell[ at ]hotmail.com> requesting assistance, typed the
following:

>> Sorry Phillip. :-)
>
> ...knew what ya meant... :-)


:-)
