I built an INTRANET ASP.NET website for which authentication is set to "integrated windows authentication" and in authorization section of web.config, I have specified the AD groups (domain\groupname) to restrict the access to only to the members of those AD groups. multiple AD groups are specified in web.config (domain1\group1, domain2\group2 etc). now this works fine for users of one domain1 (where it is hosted), but for users of another domain (domain2), they get a prompt to enter their windows credentials and if they enter it, then it works and they can access the site without any problem. but I would like to avoid this login prompt, because I granted access to groups of both domains. why are they getting this prompt and is it possible to suppress it? do I need to configure something in IIS or web.config for it? Thanks in advance.
Cross domain integrated windows authentication in IIS for ASP.NET intranet website
asp.netauthenticationiisSecurityweb.config
Related Solutions
The two domains need to have a trust relationship created (if they are part of the same forest that should already exist), then there may be a need to configure some delegation (talking AD stuff here not .NET).
The authentication between client and server must use negotiate and kerberos, which in turn means clocks need to be with in 5 minutes of each other, again this shouldn't be a problem when both domains belong to the same forest.
The answer by baldy below is correct, but you may also need to enable 32-bit applications in your AppPool.
Whilst setting up an application to run on my local machine (running Vista 64bit) I encountered this error:
Could not load file or assembly
ChilkatDotNet2or one of its dependencies. An attempt was made to load a program with an incorrect format.
Obviously, the application uses ChilKat components, but it would seem that the version we are using, is only the 32bit version.
To resolve this error, I set my app pool in IIS to allow 32bit applications. Open up IIS Manager, right click on the app pool, and select Advanced Settings (See below)
Then set "Enable 32-bit Applications" to True.
All done!
Best Answer
I believe users in Domain2 can add your website, hosted in Domain1, to their list of Intranet Sites in Internet Explorer->Internet Options->Security->Local Intranet Zone. This zone should automatically log on with the current user name and password. You could make this an AD policy.