J2ee security newbie: integrated authentication help

I am trying to build a set of JSPs/servlets that require authentication and probably authorization. The jsp / servlets should be able to authenticate against any underlying password system, or should cope with most common systems such as win2k / unix etc. I do not want to force the organisation to build a new database of users / passwords or to type in passwords in clear text in xml files.
I would preferably like to use form-based authentication to avoid Http basic clear text password sending. This will also allow me to customize the UI of the login screen.
The solution should not be container specific, or at least the containers (Tomcat + WebSphere) should allow for it in their own way.
After a lot of research on the web, I can't seem to find an accepted way of doing this. I would like comments on the choices I have made so far and the choices I should be making. Any links to reading material would be helpful. I would like to understand which lower level technologies to depend upon, e.g. LDAP / Kerberos etc. Any help will be appreciated.
TIA,
Zdz

Most containers come with the ability to put security constraints in the web.xml file.
Then, you can set up your container to do the authentication (Tomcat calls this a Realm). And there is a JAAS realm that can be configured a little bit like PAM in Unix/Linux.
There is also a Security Filter around on the net.
Hope this helps.

Similar Messages

  • J2ee security newbie: integrated authentication question

    I am trying to build a set of JSPs/servlets that require authentication and probably authorization. The jsp / servlets should be able to authenticate against any underlying password system, or should cope with most common systems such as win2k / unix etc. I do not want to force the organisation to build a new database of users / passwords or to type in passwords in clear text in xml files.
    I would preferably like to use form-based authentication to avoid Http basic clear text password sending. This will also allow me to customize the UI of the login screen.
    The solution should not be container specific, or at least the containers (Tomcat + WebSphere) should allow for it in their own way.
    After a lot of research on the web, I can't seem to find an accepted way of doing this. I would like comments on the choices I have made so far and the choices I should be making. Any links to reading material would be helpful. I would like to understand which lower level technologies to depend upon, e.g. LDAP / Kerberos etc. Any help will be appreciated.
    TIA,
    Zdz

    > I would preferably like to use form-based authentication to avoid Http basic clear text password sending.
    > This will also allow me to customize the UI of the login screen.
    Form based auth is just like basic auth. Both are sending userid and password in clear text. Basic auth sends it base64 encoded in the http header. Form based auth sends it in the http message body.
    /Bo
    http://appliedcrypto.com

  • Windows Integrated Authentication Help From Middle Tier

    We are trying to enable single sign-on using Windows Integrated Authentication so that the user does not have to enter a username or password, they just get logged in automatically. I created the current Oracle account on the database and it works just fine when I try to connect from my local computer to the database. Our problem is that our application calls an application that runs as a Windows service on the middle tier, and so it gets an invalid username/password error. I can see in the audit logs that it is trying to connect to the database as NT AUTHORITY\ANONYMOUS LOGON.
    The client, middle tier, and database are all Windows based operating systems. The application is a .Net application and we turned on Impersonation which we read will help pass the client OS user to middle tier so that the application runs as them. And that appears to be working correctly. Again we can get this working when we host the windows service locally, it just won't work when it is hosted on the middle tier. Any ideas how to get this to work?
    Oracle version 11.2.0.2 and 11.2.0.3
    Windows Server 2008 R2

    Hi, jeff81.
    I had the same problem with a Win2003 server. Try this:
    Start -> Settings -> Control Panel -> Administrative Tools -> Services
    then select "PROPERTIES/LOGON" for the necessary service.
    Change "Local System account" to your user account.
    Make sure that the user account has the necessary grants.
    P.S. Sorry for my poor English :(

  • Custom Policy vs. J2EE Security

    Hi there, Java Security architecture gurus,
    I am currently trying to find the best architecture for the new security framework for our company's application. The system requires instance based security. ACLs are stored in a database. JAAS's authentication is just fine, but its file based authorization is not sufficient for our needs. Access rights change during runtime and they should not be refreshed that inefficient way with Policy.refresh().
    The solution I would like to establish should cope with changing environments without the need to change the code that is using security checks. E.g. the app should be able to run as a stand-alone application or within J2EE application servers or servlet engines.
    I have looked at the Java 2 Security API and found out that implementing a customized version of the JAAS Policy class can be one approach. A good benefit is the tight integration with the Java Security framework and that it not necessary to reimplement things like the AccessController and privileged actions.
    Now, I have the following questions:
    - Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
    - Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
    The alternative approach would probably be J2EE security with the cost of restricting the app to the J2EE environment. To me it seems to be impossible to implement instance based security with role based descriptive J2EE security. With programmatic EJB security, I would need to make isPrincipalInRole() completely dynamic to support it.
    I looked through the forum for quite a while without success but if you already discussed this topic I would really appreciate a pointer.
    Thanks,
    Christoph

    Chris,
    There is a very good article from IBM that implements the same thing you are trying to implement, i.e. instance based security and also a custom Policy (you may need this).
    http://www-106.ibm.com/developerworks/library/j-jaas/?n-j-442
    > Now, I have the following questions:
    > - Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
    Custom policy is required primarily if you are going away from the default policy format that Sun recommends. If you want to read your permissions from a database you may need to implement a custom Policy class.
    > - Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
    This is recommended by Sun. You may have to delegate the Permission checks that you know you cannot handle to the default policy class.
    In your CustomPolicy.java getPermissions() method, the following code will go at the end of the function:
    // If the permission is not found here then delegate it
    // to the standard java Policy class instance.
    java.security.Policy policy = java.security.Policy.getPolicy();
    return policy.getPermissions(codeSource);
    Hope this helps.
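
The delegation discussed in this thread, written out as an added example (not code from the post or from the IBM article). DelegatingAclPolicy, DocumentPermission and the in-memory map standing in for the ACL table are assumptions, and it targets JDKs that still support java.security.Policy; the original policy is captured in the constructor because once a custom policy is installed, Policy.getPolicy() returns the custom policy itself.

```java
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example (hypothetical class names): answers application ACL checks
 * itself and hands every other permission to the policy that was in place before.
 */
public class DelegatingAclPolicy extends Policy {

    /** Hypothetical instance-level permission, e.g. ("invoice/42", "read"). */
    public static final class DocumentPermission extends Permission {
        private static final long serialVersionUID = 1L;
        private final String action;

        public DocumentPermission(String resource, String action) {
            super(resource);
            this.action = Objects.requireNonNull(action);
        }
        @Override public String getActions() { return action; }
        @Override public boolean implies(Permission p) { return equals(p); }
        @Override public boolean equals(Object o) {
            return o instanceof DocumentPermission
                && getName().equals(((DocumentPermission) o).getName())
                && action.equals(((DocumentPermission) o).action);
        }
        @Override public int hashCode() { return Objects.hash(getName(), action); }
    }

    // Captured once, before this policy is installed. Calling Policy.getPolicy()
    // later would return this object and recurse.
    private final Policy delegate;

    // Stand-in for the ACL table in the database: principal name -> grants.
    private final Map<String, Set<DocumentPermission>> acl = new ConcurrentHashMap<>();

    public DelegatingAclPolicy(Policy original) {
        this.delegate = Objects.requireNonNull(original);
    }

    /** ACL changes take effect on the next check; no Policy.refresh() involved. */
    public void grant(String principal, DocumentPermission p) {
        acl.computeIfAbsent(principal, k -> ConcurrentHashMap.newKeySet()).add(p);
    }

    public void revoke(String principal, DocumentPermission p) {
        Set<DocumentPermission> grants = acl.get(principal);
        if (grants != null) grants.remove(p);
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        if (!(permission instanceof DocumentPermission)) {
            // FilePermission, PropertyPermission, ... stay with the original policy.
            return delegate.implies(domain, permission);
        }
        if (domain == null) return false;
        for (Principal principal : domain.getPrincipals()) {
            Set<DocumentPermission> grants = acl.get(principal.getName());
            if (grants != null && grants.contains(permission)) return true;
        }
        return false; // default deny for application permissions
    }

    @Override public PermissionCollection getPermissions(CodeSource cs) { return delegate.getPermissions(cs); }
    @Override public PermissionCollection getPermissions(ProtectionDomain pd) { return delegate.getPermissions(pd); }
    @Override public void refresh() { delegate.refresh(); }

    public static void main(String[] args) {
        // Install with: Policy.setPolicy(new DelegatingAclPolicy(Policy.getPolicy()));
        DelegatingAclPolicy policy = new DelegatingAclPolicy(Policy.getPolicy());
        ProtectionDomain alice =
            new ProtectionDomain(null, null, null, new Principal[] { () -> "alice" });
        DocumentPermission read42 = new DocumentPermission("invoice/42", "read");

        policy.grant("alice", read42);
        System.out.println("after grant:  " + policy.implies(alice, read42));
        policy.revoke("alice", read42);
        System.out.println("after revoke: " + policy.implies(alice, read42));
    }
}
```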

  • How to find solution for avoiding WARNING J2EE SECUR-00100 ********** user-manager (see application/server descriptors) will no longer be supported in the next release of this product

    HI All,
    We are using OC4J version 10g 10.1.3, and while starting the container we are getting the warning below. Let me know if anyone has a solution for this.
    14/01/10 01:01:29 ********** user-manager (see application/server descriptors) will no longer be supported in the next release of this product!
    Please take the appropriate actions to migrate to an alternative strategy! **********
    2014-01-10 01:01:29.833 WARNING J2EE SECUR-00100 ********** user-manager (see application/server descriptors) will no longer be supported in the next release
    of this product!

    I just checked my BIOS and my current setting is set at IDE although it also mentions that the default should be AHCI. Currently I have a dual boot of Windows 7 (need it for Tax software) and Arch
    So I guess, when I get the new HDD, I will first set it to AHCI and then install the OSes on it. See if NCQ helps any, and if not I will turn it back and re-install (if I have to). I am planning to have Windows only in virtualbox in the new drive.
    Anyhoo, while I was in the BIOS I found two things which I had questions about :
    1) Under Onboard Devices --> Integrated NIC , my setting is currently set at "On w/PXE" and it says the default should be just "On". Would it be ok to change it back to On since its a single machine and its not booting an OS on any server. I just don't want to have to re-install anything now since I will be doing that in the new HDD.
    2) How would I know whether my BIOS would support a 64 bit OS in Virtualbox? I checked some setting under Virtualization, but they weren't very clear.
    I will edit this post and let you know exactly what settings were present under the Virtualization sub-section.

  • Windows Integrated Authentication on an ABAP data source

    Dear Experts,
    I have to implement Windows Integrated Authentication in my portal. By using Kerberos & SPNEGO, we can implement very easily if portal user id & windows (ADS) user id is same. But my scenario is windows id & portal id is different & data source is already configured as ABAP. Can you suggest me how we can achieve this requirement.
    Regards,
    VENU

    Hi,
    isn't the property krb5principalname used to define the mapping of the user ID when you cannot use the AD standard samaccountname?
    I think that the mapped user ID (as provided by krb5principalname) must be identical to the ABAP user ID. When the ABAP user ID isn't present in the LDAP information, SSO won't be possible. Somehow he needs to publish the ABAP user ID into the AD.
    SAP Help:
    http://help.sap.com/SAPHELP_NW70EHP1/helpdata/EN/43/4c363ac31e30f3e10000000a11466f/frameset.htm
    http://help.sap.com/SAPHELP_NW70EHP1/helpdata/EN/43/4c3725aeaf30b4e10000000a11466f/frameset.htm
    br,
    Tobais

  • Network security:LAN manager authentication level setting on GPO

    Hi,
    We have a requirement from the project team to change one of the security settings in the default domain policy for all computers in the domain. Below is the security setting which we need to modify.
    computer configuration-->windows settings-->security settings-->local policies-->security options-->
    Network security: LAN manager authentication level
    This setting needs to be changed to - Send LM & NTLM - use NTLMv2 session security if negotiated.
    The project team is facing an issue with the Apache web server and they found the solution at the link below. (We have tested this by changing the local group policy and this solution works as expected.)
    https://www.sysaid.com/Sysforums/posts/list/9065.page
    We need to know what the impact is after enabling this on domain computers.
    Need help on this to go ahead.

    Hi,
    you have a weaker domain security overall.
    "LM Hash Generation
    The algorithm introduces several weaknesses that attackers can exploit. First, all lowercase characters are set to uppercase, reducing the number of possible characters. Second, it splits a long, strong, password into two seven-character chunks.
    Both the LM and NTLM protocols operate essentially the same way; the only difference is the password hash."
    REF: The Most Misunderstood Windows Security Setting of All Time
    This post is provided AS IS with no warranties or guarantees, and confers no rights.

  • Adobe PDF/Acroforms & Digital signatures/Integrity/Authentication/Non repudiation

    Hi folks,
    I have been investigating the feasibility of using PDF as a customer-facing data collection mechanism, starting with Acroforms for a pilot, initially at least (we may consider XFA/Livecycle in a later phase).
    I've got a demo application up and running using the FDF toolkit, presenting PDF forms to the web user, collecting and processing/storing the collected data etc.
    My question is around how this process can be secured.
    (Q1) (This may be strictly a web dev question, please ignore if considered not relevant here) : If the web application communicates over HTTPS, then the conversation between client & server is secure (encrypted at least, so that others can't sniff the content?) - but it does not necessarily authenticate the end user to the server?
    (Q2) If we wish to ensure that the FDF data submitted from the PDF form (via submit button to an ASP.NET url) is (a) known to be authentic from a particular known user, and (b) signed in some way to be non-repudiable ... how can we do this with FDF? If we re-generate a flat PDF document from the data they entered, is there any digital signature mechanism that can be employed for the public end-user to "sign" the PDF document in a manner that ensures Integrity/Authentication/Non repudiation?
    any pointers to Adobe or Third party toolkits, products etc. ?
    best regards & thanks,
    Aidan.

    Q1. That's right. But if the form includes fields for a username/password, this could be sent along with the rest of the data and used to authenticate the user. Or you could use other common means, but as you said, this has nothing to do with Acrobat.
    Q2. FDF can contain digital signature data. So the form would have to contain a signature field and the user would have to sign it. Assuming a self-signed signature, it's up to you whether to trust such a signature. The signed PDF is constructed from the original PDF that was served by concatenating the appended saves contained in the FDF. You can then validate the signature.
    George

  • SSRS and SharePoint Integration Authentication Issue

    We recently turned on SSRS for our SharePoint 2010 Test Environment.  We are using an account that has rights to SharePoint as a site collection administrator, the feature is enabled on the site collection and site level, it has access to the SQL instance
    to pull the reports.  The report config file specifies NTLM authentication.  It acts as if it will configure and goes through the SP Central Administration steps successfully.  When I try to deploy a report, I receive the following error:
    Exception encountered for SOAP method GetSystemProperties: System.Net.WebException: The request failed with HTTP status 401: Unauthorized.     at Microsoft.SqlServer.ReportingServices2010.RSConnection2010.SetConnectionProtocol()    
    at Microsoft.SqlServer.ReportingServices2010.RSConnection2010.SoapMethodWrapper`1.ExecuteMethod(Boolean setConnectionProtocol) 1afe9dfd-9846-4194-bddf-fcb0ded634be
    06/14/2012 15:37:43.03  w3wp.exe (0x1E78)                        0x1754 SQL Server Reporting Services  SOAP Client Proxy            
     0000 High     Exception encountered for SOAP method GetSystemProperties: System.Net.WebException: The request failed with HTTP status 401: Unauthorized.     at Microsoft.SqlServer.ReportingServices2010.RSConnection2010.SetCo
    If I turn on trusted accounts, it works, but then it argues when the report loads because our reports use windows integrated authentication.  We would prefer to have windows integrated authentication to control who can see reports by their
    login name.  Any ideas?  I feel like I have exhausted options.

    Can you please elaborate on how to avoid using Kerberos and use the Secure Store to access our external SQL data? In our test environment, we have SharePoint 2013 Ent, SQL 2012 Ent. I am trying to use PowerView to access a Direct Query data model created
    in SSAS tabular mode. My connection from SharePoint to the model is successful but fails with a reporting service error:
    Cannot create a connection to data source 'EntityDataSource'.

  • SOAP and J2EE security

    We have deployed several SOAP services (Apache SOAP) on a WLS6.1
    server. Since there are more and more services are being deployed
    people are getting worried about security. I was wondering what the
    best solution was to do authentication and authorization on EJB and
    method level for SOAP clients ? I was thinking about the following
    solution: use the standard J2EE security by defining security
    constraints in the ejb-jar.xml file. Therefore every client needs to
    provide credentials to use the EJB's (this should work for both
    RMI/IIOP and SOAP clients).
    What are your ideas and opinions about this solution ?
    If you post a reply please CC to [email protected]

    Hi,
    Let me know if you find answer of your question.
    thanks

  • Error with integrated authentication (sql server)

    Hi,
    I need to connect Lumira 1.23 with sql server instances (of sql 2008 and 2012). In this case I need to use windows users and it seems there is a problem with the integrated authentication.
    In some blogs and articles I have seen that the sqljdbc_auth.dll file has to be copied in one or more folder but I haven't clear this point.
    Can anybody help to fix the problem?
    Thanks in advance.
    Regards.

    I am very new to SQL Server and I am trying to access sql server from my .net web application. The environment is Windows 8 and SQL Server  2012 
    I have tried some of the blog solutions but could not open SQL Server Configuration tool in windows 8.
    Hi Sraven,
    According to your description, SQL Server Configuration Manager is a snap-in for the Microsoft Management Console program and not a stand-alone program, so SQL Server Configuration Manager does not appear as an application when running Windows
    8. To open SQL Server Configuration Manager, in the Search charm, under
    Apps, type SQLServerManager11.msc (for SQL Server 2012) or
    SQLServerManager10.msc (for SQL Server 2008), and then press Enter.
    In addition, there is a similar issue about connect .NET4.0 C# application to SQL Server 2012 database, you can review the following article.
    http://visualstudiomagazine.com/articles/2013/11/01/hooking-aspnet-apps-into-sql-server-2012.aspx
    Regards,
    Sofiya Li
    TechNet Community Support

  • WebLogic 10gR3 and Windows Integrated Authentication

    Hi:
    I have an intranet web application running on WebLogic 10gR3 and would like to make use of the Windows Integrated Authentication (SSO, SPNEGO, Active Directory) so that the intranet users don't have to log in to access the web application.
    In weblogic, I've managed to create an ActiveDirectoryAuthenticator and can see all the users and groups from Active Directory. Also created a NegotiateIdentityAsserter with both WWW-Authenticate.Negotiate and Authorization.Negotiate options.
    When I set the web.xml login-config to BASIC, the browser shows the login dialog and authentication happens through AD. I've changed the login-config to CLIENT_CERT as suggested by the documentation:
    <login-config>
         <auth-method>CLIENT-CERT</auth-method>
    </login-config>
    but I'm getting the following error:
    Error 401--Unauthorized
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.2 401 Unauthorized
    The request requires user authentication. The response MUST include a
    WWW-Authenticate header field (section 14.46) containing a challenge
    applicable to the requested resource. The client MAY repeat the request
    with a suitable Authorization header field (section 14.8). If the request
    already included Authorization credentials, then the 401 response indicates
    that authorization has been refused for those credentials. If the 401
    response contains the same challenge as the prior response, and the user
    agent has already attempted authentication at least once, then the user
    SHOULD be presented the entity that was given in the response, since
    that entity MAY include relevant diagnostic information. HTTP access
    authentication is explained in section 11.
    Help is highly appreciated
    Albert

  • Error :Authorization check for caller assignment to J2EE security role whil

    Hi Experts,
    I am working as a portal resource.
    After the deployment of the standard SAP e-rec package
    I am getting some errors. I have assigned the recruiter role to one test user.
    Now I am getting two issues:
    1) All the services are appearing in the Detailed Navigation Panel but not in the Portal content area.
    2) I am able to see a few iViews for the test user but those are also in the detailed navigation view.
       And a few iViews are giving the following errors:
      i) Internal error
    ii)error 2011-12-19 07:59:57:315 ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
    /System/Security/Audit/J2EE com.sap.engine.services.security.roles.audit n/a EP-DEV-KRT Server 0 0_97989
    Full Message Text
    ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
    please suggest what can be  done or what is pending from my side.

    Prajakta2602 wrote:
    > Hi Experts,
    >
    > the previous issue got solved.
    > It was due to a service pack mismatch and applying notes.
    > The Basis guy checked the SLD logs and accordingly found that the base components J2EECORE and JTECHS required patching as per
    > notes 1445294 and 1175239 were applied.
    > Now the issue is:
    >
    >
    > After implementation and assigning the standard SAP roles
    > 1) Recruiter Administrator
    > 2) Recruiter
    > to the test user,
    > for a few iViews it is showing errors such as
    > 1) you are not a authorized user
    > 2) internal error
    >
    > Please help, experts.
    >
    > I am working on the portal side; do I have to assign any role to that test user?
    >
    >
    > Thanks & Regards,
    > Prajakta
    You can run a quick check using the below steps:
    1. Check in backend whether there is any authorisation errors... you may use transactions SU53 or ST22 for any ABAP errors
    2. Also check in NWA -> log viewer -> last 24 hours log for the particular user to see any java related issues.
    Regards,
    Mahesh

  • Exchange 2013 CU1 Outlook Web App LogOff with Basic or Windows Integrated Authentication

    Hi all,
    Exchange 2013 CU1 has a new OWA LogOff behaviour when Basic or Windows Integrated Authentication is configured. When clicking the LogOff Button you receive the message "Close All your Browser Windows.." but OWA does not sign out. This is not the
    case when using Formbased Authentication...
    The problem in our case is the OWA publishing over the Internet via TMG. When publishing via TMG, only Basic and NTLM authentication is supported. This means you have to change the Authentication for the OWA Virtual Directory to basic or Windows Integrated.
    OK so far, now we can use the TMG Authentication Form. but... TMG is not able to Catch the OWA LogOff. So we will still receive "Close all your Browser Settings.." and no log out from OWA.
    It is a known issue that TMG cannot catch the OWA Logoff with the Exchange 2013 CU1 Release..So my Question:
    Does anyone get that "Real LogOut" fixed via TMG or directly on the CAS Server for Exchange 2013 CU1?
    I know another possibility is to activate Form Based Authentication on the CAS Servers and external users directly authenticate against the CAS Server without pre-authentication at TMG Level, but this of course does not provide the highest security
    we can have.

    Hi SLShare,
    As far as I know, if there is no TMG involved, with Exchange 2013 when the user signs out of mail, the authentication tokens are cleared and the user will be presented with the
    Login Screen.  There will not be a need to click on "Close Window" or any other pop ups that may appear.
    Therefore, you may ask the TMG forum about this question and see whether there are still some other workaround we can temporary bypass this issue. For your convenience:
    Forefront TMG and ISA Server Forum - TechNet - Microsoft
    http://social.technet.microsoft.com/Forums/forefront/en-US/home?forum=Forefrontedgegeneral
    Thanks,
    If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Simon Wu
    TechNet Community Support

  • IE Integrated authentication not working with Windows 2003 clients

    Hi,
    I have a website on a windows 2008 R2 server on IIS. It is accessible through the Windows 7/windows 2008 internet explorers with integrated authentication. when the same user logged in a windows 2003 server and try to open this site, popping up the username/password
    prompt. Even when giving the right username/pw, it doesn't accept it.
    IE integrated authentication is enabled in the client. Is there any restriction in windows 2003/xp clients to use integrated authentication on a site published in IIS7 over a windows 2008?
    Thanks for any help.

    This may help
    http://forums.iis.net/t/1167697.aspx?Making+Windows+Authentication+work+on+IIS7+it+worked+on+IIS6
    Generally www.iis.net is a good place for solving similar task and problems.
    Regards
    Milos
