
Group:  English: Windows Server » microsoft.public.windows.server.dns
Thread: Keeping internal users from getting routed to external web IP


Keeping internal users from getting routed to external web IP
bnick22 10/3/2008 4:45:01 PM
I have an intranet site using integrated authentication. The site is
http://myserver/apps/signup. As long as internal users visit that URL,
they're fine, and authentication works as expected.

I'm also publishing this externally, so I have a public record for
http://apps.acme.com/apps/signup. When external users visit that page, they
are prompted to log in. All fine and good. (Although the users have to
specify a logon domain by using user[ at ]acme.com, which they're not used to
doing. If anybody knows how to configure DNS or IIS to fix that, that would
be a bonus.)

The problem is that I only want to publish one URL to my users for
simplicity, so the external one is the only one I use. But when internal
users visit http://apps.acme.com/apps/signup, they're prompted for
credentials.

I assume I need to add a new zone to my DNS server for acme.com and insert
the A record for the internal IP address of the web server. Couple of
questions:

1) Will that stop the internal users from getting prompted for credentials?
2) If I create a zone for acme.com and have only a single A record for
apps.acme.com, will the users still be able to visit other subdomains like
www.acme.com and customers.acme.com? Or will the DNS server simply say it has
no A records for those subdomains on that zone, and simply refuse the
requests?
Re: Keeping internal users from getting routed to external web IP
"Anthony [MVP]" <anthony[ at ]no-reply.com> 10/3/2008 8:31:17 PM
Brick,
As far as DNS is concerned, you need to publish all records in an internal
copy of the zone: www, customer, etc., whether the actual address is internal
or external. Once you have an internal version you need to publish
everything there.
For auto-logon (not Integrated Authentication, which is something
different), you need to add the site to Trusted Sites. Basically it is using
the setting in IE that is a default for Trusted Sites, to pass through the
current logged-on user name and password. Obviously you would not want to
pass this on to an untrusted site. NetBIOS names are assumed to be local and
are therefore trusted, but FQDN names are not.
For external users, you should be able to set the default domain, in IIS
properties of the web site. This will enable users to enter user name
without the domain suffix.
Hope that helps,
Anthony
http://www.airdesk.com
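
The DNS behaviour discussed in this thread, as an added example that is not part of either post: a small model of a DNS server that hosts its own copy of acme.com, plus an audit that lists which public names internal users would lose. All IP addresses, the `resolve_internal` and `audit` helpers, and the record sets are constructed for illustration.

```python
# Added example: names and addresses are constructed sample data.
ZONE = "acme.com"

# Records published on the Internet for the zone (constructed).
PUBLIC_ZONE = {
    "apps.acme.com": "203.0.113.10",
    "www.acme.com": "203.0.113.20",
    "customers.acme.com": "203.0.113.30",
}

# Internal copy as proposed in the question: a single A record.
INTERNAL_ZONE = {"apps.acme.com": "10.0.0.10"}


def resolve_internal(name, internal_zone, zone=ZONE):
    """Mimic a DNS server that hosts `zone` itself.

    The server is authoritative for the zone, so a name inside the zone
    with no record gets NXDOMAIN; the query is not forwarded outside.
    Names outside the zone return None, meaning "resolved as usual".
    """
    name = name.lower().rstrip(".")
    if name != zone and not name.endswith("." + zone):
        return None
    return internal_zone.get(name, "NXDOMAIN")


def audit(public_zone, internal_zone):
    """Return (missing, overridden) names relative to the public records."""
    missing, overridden = [], []
    for name, public_ip in sorted(public_zone.items()):
        answer = resolve_internal(name, internal_zone)
        if answer == "NXDOMAIN":
            missing.append(name)      # internal users cannot reach this
        elif answer != public_ip:
            overridden.append(name)   # internal users get a different IP
    return missing, overridden


if __name__ == "__main__":
    missing, overridden = audit(PUBLIC_ZONE, INTERNAL_ZONE)
    print("Unresolvable for internal users:", missing)
    print("Answered with an internal address:", overridden)
```

Copying every public record into the internal zone and changing only the apps entry leaves the `missing` list empty.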


