Re: Windows Authentication question

From: Nicole Calinoiu (calinoiu)
Date: 03/24/05

Date: Thu, 24 Mar 2005 10:13:19 -0500

"Natan" <nvivo.misc@mandic.com.br> wrote in message
news:uA3vo$HMFHA.3960@TK2MSFTNGP12.phx.gbl...
<snip>
> About the reasons, first because we want the user to be able to login with
> his username when there is no windows authentication,

That's still possible even if you use integrated Windows authentication. If
the browser doesn't pass the correct credentials (either because it's
configured not to pass the client user credentials or because the client
user isn't acceptable to the server), the user will be presented with a
logon dialog by the browser. In addition, if you are concerned about
supporting non-Windows clients, you could enable multiple authentication
modes (e.g.: Windows integrated and basic) in IIS.

> second, we don't want a user to have access to our intranet just because
> a computer is turned on.

A couple of problems here:

1. The user presumably already has at least some access to your file,
database, e-mail, print, etc. servers. Is intranet access somehow an even
worse risk than accessing these other resources?

2. Users will likely be able to instruct their browsers to cache their
credentials even when logging in via an HTML form, so you won't be gaining
any real protection by using a forms-based approach.

>
> Thanks...
>
> BTW: answering a post just to ask why someone is doing that is annoying.
> Comments are welcome, but answer the question first then make your
> comment.
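As an added illustration of the "multiple authentication modes" suggestion in the reply above (this is not part of the original thread, and it uses the IIS 7+ web.config schema, which postdates this 2005 post, rather than the IIS 6 metabase settings the participants would have used), the following configuration enables both integrated Windows and basic authentication while refusing anonymous requests. The realm value is a placeholder, and the fragment assumes the relevant sections have been unlocked for site-level configuration. Basic authentication sends the username and password base64-encoded, so it is only acceptable on an HTTPS binding; the sslFlags setting enforces that.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Added example, not from the original thread. Assumes IIS 7 or later
       with the authentication sections unlocked at the server level. -->
  <system.web>
    <!-- ASP.NET adopts the identity that IIS already authenticated -->
    <authentication mode="Windows" />
    <authorization>
      <!-- "?" denotes the anonymous user: refuse every unauthenticated request -->
      <deny users="?" />
    </authorization>
  </system.web>
  <system.webServer>
    <security>
      <authentication>
        <!-- No anonymous access: a machine merely being switched on gets nothing
             until a user account authenticates -->
        <anonymousAuthentication enabled="false" />
        <!-- Integrated Windows authentication: Kerberos via Negotiate, NTLM as fallback.
             Browsers trusting the site silently send the logged-on user's credentials;
             any other client is prompted with the browser's logon dialog -->
        <windowsAuthentication enabled="true">
          <providers>
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
        <!-- Basic authentication for non-Windows clients that cannot negotiate.
             Credentials cross the wire base64-encoded, hence the TLS requirement below.
             The realm is a placeholder value. -->
        <basicAuthentication enabled="true" realm="intranet.example" />
      </authentication>
      <!-- Reject plain HTTP so basic credentials are never sent unencrypted -->
      <access sslFlags="Ssl" />
    </security>
  </system.webServer>
</configuration>
```

With both handlers enabled, IIS advertises Negotiate, NTLM and Basic in its WWW-Authenticate challenge and the client picks the strongest scheme it supports, which is exactly the fallback-to-logon-dialog behaviour the reply describes. The reply's second point still applies: whichever scheme the browser ends up using, it will normally cache the credentials for the rest of the browser session, so the choice between integrated and forms-based login does not by itself prevent reuse from an unattended, logged-on workstation.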
