Hi all,
I've been handed an issue that has multiple components/technologies to it, but I think the issue has come down to authentication on a website that is being set up. I'm pretty green with IIS and web dev and usually work in a different field, so please bear with me! :)
We have a domain-internal server with IIS 8.5; it hosts a website for an application that was developed by a 3rd party, and it works for internal domain users: they just open the website and go straight through to the app. This is set up with Windows Authentication. Any user that accesses this website has an Active Directory account.
This webpage is also supposed to be accessible from the internet, so there is a Threat Management Gateway server in the DMZ that is used to take requests for this website (when accessed externally), and this was set up with Windows Authentication as well.
So from the internet, a user would hit the website address (which would hit the TMG server first), they would be presented with a pop-up box to log in (Windows Authentication), they would enter the creds and then be passed through to the website without any problems.
A requirement came up for external users to be able to change their password when logging in, something that isn't possible when using Windows Auth at the TMG. So the TMG point was changed to Forms Authentication so we were able to get that option for changing passwords.
Now, when external users try to log in they get a message saying "You do not have the permissions required to access this website. Please contact the Web site administrator". This is coming from the TMG. If I enter a random invalid user then an error comes back saying "You could not be logged on to Forefront TMG. Make sure that your domain name, username, and password are correct, and then try again".
This makes me believe that it is authenticating to AD fine.
TMG > IIS server
WA > WA = Works fine
FA > WA = No work :(
So the first thing that I question is: as we have Forms Authentication at the TMG and then Windows Authentication at the website, is that just not going to work for external users? Is there something extra that I have to configure at the website end for authentication?
Thanks!