Re: Disabling Win.Integrated Auth for OWA

From: Rich Roller (rich_at_*REMOVE-THIS*r2c.com)
Date: 10/21/04


Date: Thu, 21 Oct 2004 15:24:07 -0400

Hi Rich,

Nice hearing from you again! See in-line below...

"Rich Matheisen [MVP]" <richnews@rmcons.com.NOSPAM.COM> wrote in
message news:h4qfn0tq05stiipssp6lgg2nd0p58fso00@4ax.com...
> "Rich Roller" <rich@*REMOVE-THIS*r2c.com> wrote:
>
> >Even though BASIC AUTH - default domain was entered in 3 VD's
> >(Exchange, ExchWeb, Public) it still required user to enter their
> >name in "domain\user" format.
>
> And you've made sure that the "Default domain" on the VD is correct?
> Using basic authentication doesn't mean that you can get by without
> having a default domain. :)

Yes of course. And I think it's proved by forcing Basic-only and
no domain name need be typed, right?

> >They had both Basic & Windows Integrated enabled and so I DISABLED
> >WIN.INTEGRATED and now it works fine! They can simply enter
> >"user" without domain name.
>
> Good. That's the way it's supposed to work.
>
> >My questions about this are:
> >
> >1. Are there any downsides to disabling Win.Integrated that I
> >should be considering? e.g. less security/encryption?
>
> Not if you use SSL.

But of course they are NOT.

> >(Note: They are running with Forms-based-auth disabled. They also
> >run NO SSL so their Basic auth passwords are not encrypted)
>
> That's not smart. You can even use self-issued certs if you have a
> small number of clients.

That's what I'm trying to gently convince them of. This customer
tends to put security near the bottom of their list whereas I put
it near the top.

Any ammo or horror stories you could share that might help?

One last thought. If Win.Integrated is enabled then that's doing
encryption of some sort or another, right? If they don't want to
spring for SSL/certificates, might there be some other way to
slice this, i.e. keep Win.Integrated but force it to use a default
domain value?

-Rich
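
Added example, not part of the original post: a small audit helper that shows why Basic without SSL exposes the password (the header value is only base64, per RFC 7617) and that NTLM/Negotiate keep the password off the wire but do not encrypt the session. The host name, account and header values are constructed samples, and `decode_basic` and `audit_vdir` are hypothetical helper names.

```python
import base64

# Constructed sample data (not from the thread): one OWA request header and the
# challenges an IIS virtual directory with both methods enabled would return.
SAMPLE_AUTHORIZATION = "Basic " + base64.b64encode(b"jdoe:Example-Pass1").decode("ascii")
SAMPLE_CHALLENGES = ['Negotiate', 'NTLM', 'Basic realm="mail.example.test"']


def decode_basic(header_value):
    """Recover (user, password) from an Authorization: Basic value (RFC 7617)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential (no ':' separator)")
    return user, password


def audit_vdir(url, challenges):
    """Return (scheme, finding) pairs for a virtual directory served at url."""
    if url.lower().startswith("https://"):
        return []  # TLS protects both the credentials and the mailbox content
    findings = []
    for challenge in challenges:
        parts = challenge.split(None, 1)
        if not parts:
            continue
        scheme = parts[0].lower()
        if scheme == "basic":
            findings.append((scheme, "password crosses the wire as reversible base64"))
        elif scheme in ("ntlm", "negotiate"):
            findings.append((scheme, "password is not sent, but the session is not encrypted"))
    return findings


if __name__ == "__main__":
    print(decode_basic(SAMPLE_AUTHORIZATION))
    for url in ("http://mail.example.test/exchange", "https://mail.example.test/exchange"):
        print(url, audit_vdir(url, SAMPLE_CHALLENGES))
```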