Re: access via login page rather than popup box
anonymous_at_discussions.microsoft.com
Date: 02/12/04
Date: Thu, 12 Feb 2004 06:43:12 -0800
Thanks for the info, John.
So did you just end up accepting that a popup login box
was the only way to go or are you trying to write
something customized for web-browser based login?
Ben
>-----Original Message-----
>Ben, I had the exact same question as you. The following is what I found out
>from Microsoft about this:
>
>Let me walk you through the security model on which WSS and SPS are based:
>
>If SPS was strictly intended to be an application used by Web browsers, this
>would be easy.
>
>But it's not. Every site, its contents, and the server that runs it is
>accessible via Web services, WebDAV, and even (in some cases), a precursor
>to WebDAV known as FrontPage RPCs (no relation to DCE RPCs). In other
>words, we're fully prepared to be accessed by non-browser HTTP clients.
>
>The problem with forms-based security approaches, often used both by custom
>applications as well as by commercial identity management products like
>Netegrity, Cleartrust, and many other products, is that they'll intercede in
>the connection process and issue a 302 redirect. If the client isn't a
>browser, there's nothing there to receive the signon page. Even foregoing a
>302 and having an ISAPI filter or ASP.NET handler pop up a form won't do it.
>There's nothing in Word (for example) to read that form.
>
>Furthermore, WSS (and SPS) pushes security down to the store level, so no
>matter how you try to get to a site, document library, etc., your Windows
>logon token will be compared to the Windows-compatible ACLs we put in SQL
>Server. If you don't have sufficient credentials to get what you desire, we
>hit you with a HTTP 401, which should tell your browser (or rich client,
>like Excel, for example) to throw up a standard logon prompt (basic or NT
>challenge/response) to be completed.
>
>So, several things can be distilled from this:
>
>1. Anything you use for accounts must present actual logon tokens (i.e., a
>bundle o' SIDs) to us. LDAP names (which is all AD/AM can provide) aren't
>good enough. On the other hand, AD in Windows Server 2003 scales very,
>*very* nicely.
>
>2. Any custom means of gathering logon credentials won't work from anything
>but a browser. If you can forego access from anything but a browser (e.g.,
>no Office integration), you could insert an ISAPI filter that forces 302
>redirects and/or its own login form.
>
>3. Anything they're using must be able to react to 401 results. That's
>going to force a popup logon window if the credentials you obtained via a
>form aren't sufficient. After three failures, we hand back a custom page
>that allows the user to request access to the resources to which they're
>being denied. This actually might be fine for you.
>
>Nasty business, but understandable once you get into why it's nasty
>business. All in all, our security model is closer to that of a file system
>than that of a traditional Web application.
>
>"Ben" <anonymous@discussions.microsoft.com> wrote in message
>news:e78d01c3f0a3$d5d66940$a401280a@phx.gbl...
>> Does anyone know how to force that users log in to SPS
>> 2003 via a custom web form (rather than the standard
>> Windows authentication popup box)?
>>
>> Thanks!
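
The 401-versus-302 behaviour described in the quoted explanation, as an added example that is not part of the thread: it classifies a server response from the point of view of a client that cannot render HTML (WebDAV, Office). The responses are constructed samples, and the `/login.aspx` path, the realm and the function names are assumptions.

```python
from email import message_from_string

# Constructed sample responses (not captured from a real server).
RESP_401 = ("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM\r\n"
            "WWW-Authenticate: Basic realm=\"portal.example\"\r\n"
            "Content-Length: 0\r\n\r\n")
RESP_302 = ("HTTP/1.1 302 Found\r\n"
            "Location: /login.aspx?ReturnUrl=%2fdocs%2freport.doc\r\n"
            "Content-Length: 0\r\n\r\n")
RESP_FORM = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             "<form action='/login.aspx'></form>")
RESP_DOC = "HTTP/1.1 200 OK\r\nContent-Type: application/msword\r\n\r\n"


def parse_response(raw):
    """Split a raw HTTP response into (status code, header object)."""
    head = raw.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    status_line, _, header_block = head.partition("\n")
    return int(status_line.split()[1]), message_from_string(header_block)


def non_browser_outcome(raw, expected_type):
    """Say what a client without an HTML renderer can do with this response."""
    status, headers = parse_response(raw)
    if status == 401:
        # A 401 carries the schemes the client may answer with a logon prompt.
        schemes = [v.split()[0]
                   for v in headers.get_all("WWW-Authenticate", []) if v.strip()]
        if schemes:
            return "can authenticate: " + ", ".join(schemes)
        return "stuck: 401 without a challenge"
    if status in (301, 302, 303, 307):
        # Forms-based products intercede here; there is no challenge to answer.
        return "stuck: redirected to " + headers.get("Location", "(no Location)")
    if status == 200 and headers.get_content_type() != expected_type:
        # A login form served in place of the document the client asked for.
        return "stuck: got " + headers.get_content_type() + " instead of " + expected_type
    return "ok" if status == 200 else "failed: HTTP " + str(status)


if __name__ == "__main__":
    for name, raw in [("401", RESP_401), ("302", RESP_302),
                      ("form", RESP_FORM), ("doc", RESP_DOC)]:
        print(name, "->", non_browser_outcome(raw, "application/msword"))
```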