The Problems

IIS server is on domain A.

• Problem 1.
  User accounts are on domain A. Users access the site from a network outside the domain, with no domain trusts established.
• Problem 2.
  User accounts are on domain B. domain A trusts domain B and users accounts are in security groups on B.  Again, access to the site is from outside of domain A and B, with not trust from either.

Practical notes

Install Role Services from the Server Manager > Roles. These are Security role services.   Authentication is then configured from the Authentication applet in IIS manager, for site, folder or indeed server.

First Attempt.  Use Digest Authentication

This solved Problem 1 but not Problem 2.

User the server manager, IIS, Role Services. Locate and enable Security > Digest Authentication. No server restart is needed but IIS Manager has to be restarted for this method to appear in the Authentication Applet.

Set status to Enabled. Response Type is  HTTP 401 Challenge.

Second Attempt. Use Windows Authentication

This solved both problems despite the Role Service description stating specifically it was not for use across firewalls or proxy servers.

Add the Windows Authentication Role Service.   Enable kernel-mode authentication.  Use providers NTLM and Negotiate (in that order).   Set status to Enabled.

Configure Authentication in Web.Config

required for either authentication method.

<authentication mode=”Windows”/>
<authorization>
<allow users=”DOMAIN\username” />
<allow roles=”DOMAIN\securitygroup”/>
<deny users=”*”/>
</authorization>

Identity impersonation is not required, unless it is needed for controlling other access rights.  ( <identity impersonate=”true” /> requires the Classic application pool.  That in turn requires enabling .Net 4 ISAPI & CGI extensions – enabling on the IIS parent node is sufficient.)

References

This was quite useful http://manual.aspdotnetstorefront.com/p-1614-enabling-windows-authentication-in-iis7.aspx