Re: access via login page rather than popup box
From: John Brennan (johnvbrennan_at_hotmail.com)
Date: 02/12/04
- Next message: wan: "Re: PDF icon on searched docs"
- Previous message: Ben: "Re: SP2003 Indexing failed"
- In reply to: Ben: "access via login page rather than popup box"
- Next in thread: anonymous_at_discussions.microsoft.com: "Re: access via login page rather than popup box"
- Reply: anonymous_at_discussions.microsoft.com: "Re: access via login page rather than popup box"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 12 Feb 2004 08:13:44 -0000
Ben, I had the exact same question as you. The following is what I found out
from Microsoft about this:
Let me walk you through the security model on which WSS and SPS are
based:
If SPS was strictly intended to be an application used by Web browsers, this
would be easy.
But it's not. Every site, its contents, and the server that runs it is
accessible via Web services, WebDAV, and even (in some cases), a precursor
to WebDAV known as FrontPage RPCs (no relation to DCE RPCs). In other
words, we're fully prepared to be accessed by non-browser HTTP clients.
The problem with forms-based security approaches, often used both by custom
applications as well as by commercial identity management products like
Netegrity, Cleartrust, and many other products, is that they'll intercede in
the connection process and issue a 302 redirect. If the client isn't a
browser, there's nothing there to receive the signon page. Even forgoing a
302 and having an ISAPI filter or ASP.NET handler pop up a form won't do it.
There's nothing in Word (for example) to read that form.
Furthermore, WSS (and SPS) pushes security down to the store level, so no
matter how you try to get to a site, document library, etc., your Windows
logon token will be compared to the Windows-compatible ACLs we put in SQL
Server. If you don't have sufficient credentials to get what you desire, we
hit you with an HTTP 401, which should tell your browser (or rich client,
like Excel, for example) to throw up a standard logon prompt (basic or NT
challenge/response) to be completed.
So, several things can be distilled from this:
1. Anything you use for accounts must present actual logon tokens (i.e., a
bundle o' SIDs) to us. LDAP names (which is all AD/AM can provide) aren't
good enough. On the other hand, AD in Windows Server 2003 scales very,
*very* nicely.
2. Any custom means of gathering logon credentials won't work from anything
but a browser. If you can forgo access from anything but a browser (e.g.,
no Office integration), you could insert an ISAPI filter that forces 302
redirects and/or its own login form.
3. Anything they're using must be able to react to 401 results. That's
going to force a popup logon window if the credentials you obtained via a
form aren't sufficient. After three failures, we hand back a custom page
that allows the user to request access to the resources to which they're
being denied. This actually might be fine for you.
Nasty business, but understandable once you get into why it's nasty
business. All in all, our security model is closer to that of a file system
than that of a traditional Web application.
"Ben" <anonymous@discussions.microsoft.com> wrote in message
news:e78d01c3f0a3$d5d66940$a401280a@phx.gbl...
> Does anyone know how to force that users log in to SPS
> 2003 via a custom web form (rather than the standard
> Windows authentication popup box)?
>
> Thanks!
>
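Added illustration, not part of the post above or of the Microsoft explanation it relays: a toy model of the two authentication styles being contrasted. `forms_based_handler` answers an unauthenticated request with a 302 to a login form; `challenge_based_handler` answers with a 401 carrying `WWW-Authenticate`, the way the post describes the store-level ACL check. `rich_client_fetch` stands in for a non-browser client such as Word or Excel: it knows how to respond to a 401 challenge, but has no way to render or submit an HTML form. The credential table, the session cookie value, the `/login.aspx` path, and the three-failure limit are all constructed for this example (Basic auth is used in place of NTLM only because it is easy to model offline).

```python
import base64
from dataclasses import dataclass, field

# Constructed credential store standing in for the Windows logon/ACL check.
USERS = {"alice": "s3cret"}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def forms_based_handler(request):
    """Forms-based style: only a valid session cookie gets through; anyone
    else is redirected (302) to an HTML login form."""
    if request.get("cookie") == "session=valid":
        return Response(200, body="document contents")
    return Response(302, headers={"Location": "/login.aspx"},
                    body="<html>login form</html>")


def challenge_based_handler(request):
    """Challenge style described in the post: the presented credentials are
    compared with the store; missing or wrong credentials yield a 401 with
    a WWW-Authenticate header that any HTTP client can act on."""
    auth = request.get("authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            user, pw = "", ""
        if USERS.get(user) == pw:
            return Response(200, body="document contents")
    return Response(401, headers={"WWW-Authenticate": 'Basic realm="toy"'})


def rich_client_fetch(handler, username=None, password=None, max_failures=3):
    """A non-browser client. It understands 401 + WWW-Authenticate and retries
    with credentials (or reports that a logon prompt is needed). It cannot
    follow a redirect to a login form, because it cannot fill one in.
    After max_failures rejected credential attempts it gives up, mirroring
    the three-failure limit mentioned in the post."""
    request = {}
    failures = 0
    while True:
        resp = handler(request)
        if resp.status == 200:
            return ("ok", resp.body)
        if resp.status == 401 and "WWW-Authenticate" in resp.headers:
            if username is None:
                # This is where a rich client would throw up its logon prompt.
                return ("prompt-user", None)
            if "authorization" in request:
                failures += 1
                if failures >= max_failures:
                    return ("denied", failures)
            token = base64.b64encode(f"{username}:{password}".encode()).decode()
            request = {"authorization": "Basic " + token}
            continue
        if resp.status in (301, 302):
            # A form arrived instead of a challenge: nothing here can read it.
            return ("cannot-handle-form", resp.headers.get("Location"))
        return ("unexpected", resp.status)


if __name__ == "__main__":
    print(rich_client_fetch(forms_based_handler, "alice", "s3cret"))
    print(rich_client_fetch(challenge_based_handler, "alice", "s3cret"))
    print(rich_client_fetch(challenge_based_handler, "alice", "wrong"))
    print(rich_client_fetch(challenge_based_handler))
```

Running it shows the asymmetry the post is getting at: the same client succeeds against the 401-style handler and is stuck at the redirect against the forms-based one, even though it holds valid credentials. A browser with the constructed `session=valid` cookie would of course pass the forms-based handler, which is exactly why that approach only works when every client is a browser.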