Re: avoid multiple IIS logins with NT Auth.


From: Craig (craigm_at_comcast.net)
Date: Tue, 8 Mar 2005 08:40:07 -0500

Very well said, thank you.

"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:up5uJw5IFHA.2628@tk2msftngp13.phx.gbl...
> While you frame the issue as "how can I avoid multiple logins", the problem
> really has nothing to do with IIS. IIS is simply the middleman that performs
> the authentication and credential verification according to security
> protocols. You are responsible for choosing the right security protocol that
> has the usage model that you want.
>
> Basically, the problem comes down to "why should server B trust that server
> A logged in the user?" Suppose the user logs into server A and has some
> credential blob that represents the login. Two problems happen when the user
> accesses server B:
> 1. Why should the user hand this credential blob to server B? As far as the
> user is concerned, the credentials are only good for server A.
> 2. Why should server B trust this credential blob from server A?
>
> Basically, when you configure the browser to "auto-login", you are changing
> browser behavior on #1 to always hand the credentials over to the remote
> server. When you put the two servers in the same domain, you make them trust
> the same domain controller and hence user credentials and alter behavior on
> #2.
>
> There are a lot of security concepts involved, and without going into too
> much detail, let's just say that the common existing authentication schemes
> do not securely support the sort of behavior you are asking for. Kerberos
> comes closest to giving you the usage model that you want, where the user
> obtains a ticket that specifies that access to server A and server B are
> allowed, and the user transmits the ticket to server A and server B, who then
> verify that the ticket is valid for use. Kerberos is enabled as a part of
> "Integrated Windows Authentication", which also includes NTLM (which does
> not support the usage model you ask about) as legacy support.
>
> Now, other authentication schemes like anonymous, Basic auth, and customized
> authentication can also support your usage model, but they tend to require
> custom code, and custom authentication tends not to be secure (it is highly
> likely that most people who implement custom authentication protocols never
> went through training/courses for such design).
>
>
> So, a quick solution would be to configure the browser to auto-login user
> credentials -- the browser will automatically authenticate to server A and
> server B (both in the domain), and you should never see a password dialog.
> A more comprehensive solution requires that you understand security a bit
> more, choose a protocol like Kerberos, and configure delegation
> appropriately, and then things should securely happen without you needing to
> change browser configuration.
>
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "craigm" <craigm@comcast.net> wrote in message
> news:eVzE9K5IFHA.1228@TK2MSFTNGP10.phx.gbl...
> Let's say we have 2 IIS 5.0 web servers located in the same Win2k domain.
>
> A user connects to server A and logs into the site using NT Auth.
> The user is then redirected to a page on server B and is also prompted for
> a NT Auth login.
>
> How can I avoid multiple logins and keep our security on both servers?
>
> Thanks for your help,
> Craig
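Added illustration, not part of the thread and not David Wang's or Microsoft's code: a constructed toy model of the two trust questions (#1, does the client hand credentials to this host; #2, does server B have any reason to trust something minted for server A). It is not Kerberos. An HMAC over a JSON body with a key shared between the "domain controller" and each server stands in for a ticket encrypted under the service's long-term key; the user name, password, host names serverA/serverB/serverC and the "HTTP/<host>" service names are all made up for the demo.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed toy model (not Kerberos, not IIS code). A keyed MAC over a JSON
# ticket body stands in for a ticket encrypted under the service's key.


def _mac(key: bytes, body: dict) -> str:
    """Keyed MAC over a canonical JSON encoding of a ticket body."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ToyKDC:
    """Stands in for the domain controller both web servers trust (question #2)."""

    def __init__(self):
        self.user_keys = {}      # user -> key derived from password
        self.service_keys = {}   # service name -> key shared with that server
        self.tgs_key = os.urandom(32)

    def register_user(self, name, password):
        self.user_keys[name] = hashlib.sha256(password.encode()).digest()

    def register_service(self, spn):
        key = os.urandom(32)
        self.service_keys[spn] = key
        return key

    def logon(self, name, password):
        """Initial logon: the only step that ever sees the password."""
        if self.user_keys.get(name) != hashlib.sha256(password.encode()).digest():
            raise PermissionError("bad credentials")
        tgt = {"user": name, "exp": time.time() + 600}
        return tgt, _mac(self.tgs_key, tgt)

    def service_ticket(self, tgt, tgt_mac, spn):
        """Per-service ticket issued from the logon ticket, no password prompt."""
        if not hmac.compare_digest(_mac(self.tgs_key, tgt), tgt_mac) or tgt["exp"] < time.time():
            raise PermissionError("invalid logon ticket")
        ticket = {"user": tgt["user"], "spn": spn, "exp": time.time() + 600}
        return ticket, _mac(self.service_keys[spn], ticket)


class ToyWebServer:
    def __init__(self, spn, key):
        self.spn, self.key = spn, key

    def accept(self, ticket, mac):
        """Verify with this server's OWN key shared with the KDC. A blob minted
        for another server fails here. Returns the user name or None."""
        if ticket.get("spn") != self.spn or ticket.get("exp", 0) < time.time():
            return None
        if not hmac.compare_digest(_mac(self.key, ticket), mac):
            return None
        return ticket["user"]


class ToyBrowser:
    """Models question #1: the client decides whether to hand credentials over."""

    def __init__(self, kdc, auto_login_hosts):
        self.kdc = kdc
        self.auto_login_hosts = set(auto_login_hosts)  # the "auto-login" zone
        self.tgt = None

    def logon(self, name, password):
        self.tgt = self.kdc.logon(name, password)

    def visit(self, server):
        host = server.spn.split("/", 1)[1]
        if host not in self.auto_login_hosts:
            return "prompt"  # outside the zone: user would see a password dialog
        ticket, mac = self.kdc.service_ticket(*self.tgt, server.spn)
        return "ok" if server.accept(ticket, mac) else "denied"


def demo():
    kdc = ToyKDC()
    kdc.register_user("craig", "correct horse")  # constructed credentials
    a = ToyWebServer("HTTP/serverA", kdc.register_service("HTTP/serverA"))
    b = ToyWebServer("HTTP/serverB", kdc.register_service("HTTP/serverB"))
    c = ToyWebServer("HTTP/serverC", kdc.register_service("HTTP/serverC"))

    browser = ToyBrowser(kdc, auto_login_hosts=["serverA", "serverB"])
    browser.logon("craig", "correct horse")  # the single password entry

    # Question #2: a ticket minted for A means nothing to B.
    ticket_a, mac_a = kdc.service_ticket(*browser.tgt, "HTTP/serverA")
    return {
        "a_with_own_ticket": a.accept(ticket_a, mac_a),  # "craig"
        "b_with_a_ticket": b.accept(ticket_a, mac_a),    # None
        "visit_a": browser.visit(a),                     # "ok"
        "visit_b": browser.visit(b),                     # "ok"
        "visit_c": browser.visit(c),                     # "prompt" (not in zone)
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes: server B never accepts anything that server A produced; it only accepts a ticket it can verify against its own key shared with the domain controller, and the browser only asks for such a ticket for hosts it has been configured to trust. Both servers being in the same domain supplies the shared trust anchor, and the browser's auto-login zone supplies the willingness to present credentials without a prompt.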