Re: LOGON_USER lifetime using NTLM

From: Conrad Chan (ConradChan_at_discussions.microsoft.com)
Date: 02/09/05


Date: Wed, 9 Feb 2005 11:31:05 -0800

Thanks David,

That really explains a lot.

The problem we are having is that we are using mixed-mode authentication in
ASP.NET, i.e. Windows and Forms. Once the user logs in using NTLM, we then
issue a Forms authentication cookie and then assume the user is logged in
through Forms just like the other set of users. Hence ASP.NET/IIS does not know
it needs to re-authenticate automatically.

I guess I will need to detect whether LOGON_USER is available, or I have to
force ASP.NET to issue a 401 back to the browser manually.

Thanks again
Conrad

"David Wang [Msft]" wrote:

> NTLM authentication persists as long as the original authenticated
> connection between the client and server exists and the browser uses it to
> send requests to the server.
>
> In general, the browser will re-negotiate the authentication on its own
> (including NTLM challenge/response) if it is configured to do so -- so the
> user does not need to re-authenticate to a given website after the first
> login.
>
> It sounds like your problem is that the web browser is UNABLE to
> automatically re-authenticate -- either because the browser is configured to
> not do this, or you have some intervening proxy that is unfriendly to NTLM
> that prevents this, or you've configured the server to not allow keep-alives,
> which destroys NTLM.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Conrad Chan" <ConradChan@discussions.microsoft.com> wrote in message
> news:114A9AEE-F7CB-48AB-9235-6FF8EB6F8D6F@microsoft.com...
> The login session using NTLM seems to time out in as little as 3 min. I
> built a sample ASP.NET Web app using Windows authentication. I can log in with
> no problem. However, if I simply let the browser window idle for 3 min, I
> realize the NTLM challenge/response will kick in again.
>
> Can anyone explain to me if that is the default behavior? Does that mean
> that my customers have to re-type their username/password after a couple of
> minutes if they are not auto-authenticated?
>
> Thanks for attention
> Conrad
>
>
>
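
An added example, not part of the original thread: a small Python check that inspects a captured 401 response for two of the NTLM breakers named in the quoted reply (a connection that is not kept alive, and a proxy in the path). The function names, finding labels and sample responses are assumptions constructed for illustration.

```python
def parse_response(raw):
    """Split a raw HTTP response head into (version, status, headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    version, status = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, int(status), headers


def ntlm_findings(raw):
    """Return labels describing why NTLM may fail to persist on this path."""
    version, status, headers = parse_response(raw)
    offers = [v.split(" ", 1) for v in headers.get("www-authenticate", [])]
    ntlm = [o for o in offers if o[0].upper() == "NTLM"]
    if status != 401 or not ntlm:
        return ["no-ntlm-challenge"]

    # A challenge (Type 2) carries a base64 token after the scheme name;
    # the first 401 only names the scheme.
    is_challenge = any(len(o) == 2 and o[1].strip() for o in ntlm)

    tokens = [t.strip().lower()
              for v in headers.get("connection", []) for t in v.split(",")]
    persistent = "close" not in tokens and (
        version == "HTTP/1.1" or "keep-alive" in tokens)

    findings = []
    if not persistent:
        # NTLM authenticates the connection, so the client's answer must go
        # back on the same socket that carried the challenge.
        findings.append("handshake-cannot-complete" if is_challenge
                        else "keep-alive-off-hint")
    if "via" in headers:
        # An intermediary announced itself; NTLM needs it to keep each
        # client connection mapped to one server connection.
        findings.append("proxy-in-path")
    return findings or ["ok"]


# Constructed sample responses (the token is only the NTLMSSP Type 2 prefix).
GOOD = ("HTTP/1.1 401 Unauthorized\r\n"
        "WWW-Authenticate: NTLM TlRMTVNTUAACAAAA\r\n\r\n")
CLOSED = GOOD.replace("\r\n\r\n", "\r\nConnection: close\r\n\r\n")
PROXIED = ("HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
           "WWW-Authenticate: NTLM\r\nVia: 1.1 proxy.example\r\n\r\n")
```

Feed it the raw response head from a packet capture or proxy log taken while the re-prompt occurs; browser-side configuration, the third cause in the reply, is not visible in server responses and has to be checked on the client.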


