Default Domain setting only applies when using Basic Authentication

I had a case yesterday where my customer was complaining that the Default Domain setting wasn’t working for him. For those of you who may not be aware, this setting allows the site admin to set the default domain users will be authenticated against when using Basic Authentication. This provides a nice shortcut for users of the site, so that they are not forced to type in, or for that matter remember, the domain that their user account exists in. 

In the case of my customer, they were accessing a SharePoint site and wanted to use the same URL for both internal and external users. The problem with this approach was that for internal users, they wanted to use Windows Integrated authentication to prevent them from having to enter credentials to access the site. Within IIS the customer had both Windows Integrated and Basic Authentication enabled. When my customer tried to access their site from outside their network, they were prompted for credentials (as expected) but entering only the username and password simply resulted in the dialog box being redisplayed with the DNS domain name pre-pended to the username. The customer wanted to know why the correct “Default Domain” wasn’t working.

In this case the customer was using IE as the browser. As you may have already guessed, the issue wasn’t with the Default Domain not working but the authentication method that was being used. IE will always select Windows Integrated over Basic when both are enabled for a site, so in this case the customer thought he was using Basic but was actually using Integrated. Since the Default Domain setting only applies to Basic, the customer was not able to log on only using the username and password.

My suggestion to the customer was to set up a second virtual directory or site for his internal users and point it to the same content and set the authentication to Windows Integrated and then remove Windows Integrated from the external site. The only caveat here is that you would have two different URLs to remember (unless you used some sort of proxy).

 HTTP/1.1 200 OK

Comments

  • Anonymous
    August 09, 2007
    Beyond needing SSL to take care of passwords being sent in clear text, is there any real issue with shifting to ONLY Basic Authentication (we're on a full Windows domain, but I'm trying to help users out so that they don't need to type the DOMAIN all the time)? Thanks, Neal

  • Anonymous
    August 10, 2007
    Hi Neal: The only thing to keep in mind is that using Basic Authentication with SSL will incur a performance hit due to the encryption/decryption that must take place.  Also, IIS calls LogonUser and ImpersonateLoggedOnUser for each request, which is pretty expensive in terms of CPU cycles. Good Luck!