
IIS Windows Authentication weirdness

I have a web server with two websites: a & b.
a is production.

b is testing/staging.

Whoever wrote these apps before me relies on

Request.ServerVariables("LOGON_USER") 

which is assigned when the user authenticates against the server via Windows Authentication. On a, this works great; on b there's some weirdness:

I get my login prompt, but I can't use [domain]\myusername to log in. I can do it with \\myusername though, same passwords (AD based). The IIS configs are identical as far as I can tell; the only inconsistency is a DNS CNAME pointing from a.domain.com to b.domain.com. Changing that DNS record to point at the IP fixed the problem, but I'm trying to understand what was going on.

Previous DNS record: b.domain.com > a.domain.com

Working DNS record: b.domain.com > 10.0.x.131

It should've been b > a > regular Windows authentication, but for some reason I found myself using \\. Is it tacking on the domain name twice or something? And what exactly is \\ in regards to authentication?

Make sense?

RandomUs1r asked Mar 12 '13 16:03


1 Answer

A few thoughts.

  • Which specific version of the OS is your server running under? Microsoft in particular tends to have somewhat different behaviors across different versions, and the documentation is version-specific.

  • It's difficult to answer "what's going on" questions because there's no way to be sure what's correct. I can toss out hypotheses (and will), and if you could phrase the question as a "how do I fix this" rather than a "what's going on" you could check if I'm right and respond, probably having acquired a bit more pertinent data along the way.

  • This sounds like it's more about deep system administration understanding than programming understanding - if you don't get what you need here, you might have better luck asking on Server Fault.

That having been said, in the absence of other information, the "\" most likely results from one of two things.

It's possible that you have two different parts of the code that each add a '\' on. Domain names are in many cases valid both with and without the trailing '\'. Thus, it's quite possible that Windows authentication adds one immediately after domain names and before login ids in order to ensure the separation between the two. If your DNS CNAME lookup is automatically adding one at the end of the domain name for similar reasons, the two might stack.

It's possible that somewhere in the DNS process the domain may have gone through a converter to change control characters into escape characters (as a way of avoiding certain security exploits). '\' is used as the basis of such escape characters, and thus requires an escape character of its own ('\').

Ben Barden answered Nov 13 '22 07:11