Re: Disabling Win.Integrated Auth for OWA
From: Rich Matheisen [MVP] (richnews_at_rmcons.com.NOSPAM.COM)
Date: 10/22/04
- Next message: Rich Matheisen [MVP]: "Re: Ex2003 Offline Defrags"
- Previous message: Wayne: "Re: Dumb Exchange OWA Question"
- In reply to: Rich Roller: "Re: Disabling Win.Integrated Auth for OWA"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 21 Oct 2004 23:34:19 -0400
"Rich Roller" <rich@*REMOVE-THIS*r2c.com> wrote:
[ snip ]
>> >Even though BASIC AUTH - default domain was entered in 3 VD's
>> >(Exchange, ExchWeb, Public) it still required user to enter their
>> >name in "domain\user" format.
>>
>> And you've made sure that the "Default domain" on the VD is correct?
>> Using basic authentication doesn't mean that you can get by without
>> having a default domain. :)
>
>Yes of course. And I think it's proved by forcing Basic-only and
>no domain name need be typed, right?
Yes, but above you said that it WAS necessary. :)
>> >They had both Basic & Windows Integrated enabled and so I DISABLED
>> >WIN.INTEGRATED and now it works fine! They can simply enter
>> >"user" without domain name.
>>
>> Good. That's the way it's supposed to work.
>>
>> >My questions about this are:
>> >
>> >1. Are there any downsides to disabling Win.Integrated that I
>> >should be considering? e.g. less security/encryption?
>>
>> Not if you use SSL.
>
>But of course they are NOT.
Well, then the downside is the possibility of compromising the user
account. How great that risk is can only be judged by the people
making the decision to use an insecure channel.
>> >(Note: They are running with Forms-based-auth disabled. They also
>> >run NO SSL so their Basic auth passwords are not encrypted)
>>
>> That's not smart. You can even use self-issued certs if you have a
>> small number of clients.
>
>That's what I'm trying to gently convince them of. This customer
>tends to put security near the bottom of their list whereas I put
>it near the top.
Look at it as an opportunity for an "up sell" after they've been
compromised. :)
>Any ammo or horror stories you could share that might help?
Nobody I know publicizes how they've been compromised. But there are so
many other, easier, ways to get a usable password that it's hardly
worth the effort to get that information from a network sniffer.
>One last thought. If Win.Integrated is enabled then that's doing
>encryption of some sort or another, right?
Only of the password. The password isn't ever transmitted with
Integrated authentication. Only a computed value is passed between
the two.
>If they don't want to
>spring for SSL/certificates, might there be some other way to
>slice this, i.e. keep Win.Integrated but force it to use a default
>domain value?
As I said, if the number of clients is small, use self-issued
certificates. The IIS ResKit has a tool, selfssl, that'll do that for
you.
--
Rich Matheisen MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
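An added example, not part of the thread above, showing concretely what the "network sniffer" point amounts to: a Basic-auth OWA login over plain HTTP carries the account and password as base64, which anyone on the path decodes in one call, whereas an Integrated (NTLM) exchange carries NTLMSSP messages that contain no cleartext password. The script parses constructed sample requests (no real captures), resolves the account the way the virtual directory's "Default domain" setting would (bare user gets the default domain, `domain\user` and `user@domain` are taken as typed), and reports whether a cleartext password was on the wire. The default domain `CORP`, the host name and the credentials are assumptions made for the example.

```python
"""Added example: what a sniffer recovers from OWA logins over plain HTTP.

Basic authentication over HTTP exposes the password; Integrated (NTLM)
authentication sends NTLMSSP messages with no cleartext password.
All requests below are constructed samples, not captured traffic.
"""
import base64
import struct
from typing import Dict, Optional, Tuple

# Assumption for the example: the OWA virtual directories have "Default
# domain" set to CORP, so a bare "user" is treated as CORP\user.
DEFAULT_DOMAIN = "CORP"


def _ntlm_type1() -> bytes:
    """Minimal constructed NTLMSSP NEGOTIATE (Type 1) message: signature,
    message type, flags, then empty domain and workstation fields."""
    return (b"NTLMSSP\x00"
            + struct.pack("<I", 1)             # message type 1 = NEGOTIATE
            + struct.pack("<I", 0xE20882B7)    # typical negotiate flags
            + struct.pack("<HHI", 0, 0, 32)    # domain: len, maxlen, offset
            + struct.pack("<HHI", 0, 0, 32))   # workstation: len, maxlen, offset


def _request(auth_value: str) -> str:
    return ("GET /exchange/ HTTP/1.1\r\nHost: owa.example.test\r\n"
            "Authorization: " + auth_value + "\r\n\r\n")


# Constructed sample requests (hypothetical users and passwords).
SAMPLE_REQUESTS = [
    _request("Basic " + base64.b64encode(b"jdoe:Summer2004!").decode()),
    _request("Basic " + base64.b64encode(b"CORP\\asmith:P@ssw0rd").decode()),
    _request("NTLM " + base64.b64encode(_ntlm_type1()).decode()),
]


def _auth_header(raw: str) -> Optional[str]:
    """Return the Authorization header value of a raw HTTP request, if any."""
    head = raw.partition("\r\n\r\n")[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            return value.strip()
    return None


def split_account(account: str, default_domain: str) -> Tuple[str, str]:
    """Resolve the typed account to (domain, user) as the VD would:
    domain\\user and user@domain are taken as typed, a bare user name
    gets the configured default domain."""
    if "\\" in account:
        domain, user = account.split("\\", 1)
        return domain, user
    if "@" in account:
        user, domain = account.rsplit("@", 1)      # UPN form
        return domain, user
    return default_domain, account


def decode_basic(value: str) -> Tuple[str, str]:
    """Basic auth is only base64(account:password); nothing is encrypted."""
    account, _, password = base64.b64decode(value, validate=True) \
        .decode("utf-8", "replace").partition(":")
    return account, password


def ntlm_message_type(value: str) -> int:
    """Message type (1, 2 or 3) of a base64 NTLMSSP blob; raises if not NTLMSSP."""
    blob = base64.b64decode(value, validate=True)
    if len(blob) < 12 or blob[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", blob, 8)[0]


def inspect_request(raw: str, over_tls: bool = False,
                    default_domain: str = DEFAULT_DOMAIN) -> Dict[str, object]:
    """Report what a passive observer learns from one request."""
    header = _auth_header(raw)
    if header is None:
        return {"scheme": None, "password": None, "cleartext_password_on_wire": False}
    scheme, _, value = header.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        domain, user = split_account(*decode_basic(value)[:1], default_domain) \
            if False else split_account(decode_basic(value)[0], default_domain)
        return {"scheme": "basic", "domain": domain, "user": user,
                "password": decode_basic(value)[1],
                "cleartext_password_on_wire": not over_tls}
    if scheme in ("ntlm", "negotiate"):
        try:
            mtype: Optional[int] = ntlm_message_type(value)
        except ValueError:                           # e.g. SPNEGO/Kerberos token
            mtype = None
        return {"scheme": scheme, "ntlm_type": mtype, "password": None,
                "cleartext_password_on_wire": False}
    return {"scheme": scheme, "password": None, "cleartext_password_on_wire": False}


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(inspect_request(raw, over_tls=False))
```

`cleartext_password_on_wire` is deliberately narrow: it answers only the question raised in the thread. NTLM over plain HTTP still exposes the challenge/response pair to offline cracking and the session to relay, so turning Integrated auth back on is not a substitute for SSL; it only removes the one-line base64 decode.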