Re: access via login page rather than popup box
From: John Brennan (johnvbrennan_at_hotmail.com)
Date: 02/12/04
- In reply to: anonymous_at_discussions.microsoft.com: "Re: access via login page rather than popup box"
Date: Thu, 12 Feb 2004 15:10:59 -0000
I'll have to get back to you on that Ben :-) I only got the information from
MS yesterday so we're going to be acting on that in the coming days.
Probably going to try out the 302 redirect first with ISAPI filter.
Definitely want to get away from the standard authentication dialog.
John
<anonymous@discussions.microsoft.com> wrote in message
news:f69601c3f176$8a497250$a501280a@phx.gbl...
> Thanks for the info, John.
>
> So did you just end up accepting that a popup login box
> was the only way to go or are you trying to write
> something customized for web-browser based login?
>
> Ben
>
> >-----Original Message-----
> >Ben, I had the exact same question as you. The following is what I found out
> >from Microsoft about this:
> >
> > Let me walk you through the security model on which WSS and SPS are
> >based:
> >
> >If SPS was strictly intended to be an application used by Web browsers, this
> >would be easy.
> >
> >But it's not. Every site, its contents, and the server that runs it is
> >accessible via Web services, WebDAV, and even (in some cases), a precursor
> >to WebDAV known as FrontPage RPCs (no relation to DCE RPCs). In other
> >words, we're fully prepared to be accessed by non-browser HTTP clients.
> >
> >The problem with forms-based security approaches, often used both by custom
> >applications as well as by commercial identity management products like
> >Netegrity, Cleartrust, and many other products, is that they'll intercede in
> >the connection process and issue a 302 redirect. If the client isn't a
> >browser, there's nothing there to receive the signon page. Even foregoing a
> >302 and having an ISAPI filter or ASP.NET handler pop up a form won't do it.
> >There's nothing in Word (for example) to read that form.
> >
> >Furthermore, WSS (and SPS) pushes security down to the store level, so no
> >matter how you try to get to a site, document library, etc., your Windows
> >logon token will be compared to the Windows-compatible ACLs we put in SQL
> >Server. If you don't have sufficient credentials to get what you desire, we
> >hit you with a HTTP 401, which should tell your browser (or rich client,
> >like Excel, for example) to throw up a standard logon prompt (basic or NT
> >challenge/response) to be completed.
> >
> >So, several things can be distilled from this:
> >
> >1. Anything you use for accounts must present actual logon tokens (i.e., a
> >bundle o' SIDs) to us. LDAP names (which is all AD/AM can provide) aren't
> >good enough. On the other hand, AD in Windows Server 2003 scales very,
> >*very* nicely.
> >
> >2. Any custom means of gathering logon credentials won't work from anything
> >but a browser. If you can forego access from anything but a browser (e.g.,
> >no Office integration), you could insert an ISAPI filter that forces 302
> >redirects and/or its own login form.
> >
> >3. Anything they're using must be able to react to 401 results. That's
> >going to force a popup logon window if the credentials you obtained via a
> >form aren't sufficient. After three failures, we hand back a custom page
> >that allows the user to request access to the resources to which they're
> >being denied. This actually might be fine for you.
> >
> >Nasty business, but understandable once you get into why it's nasty
> >business. All in all, our security model is closer to that of a file system
> >than that of a traditional Web application.
> >
> >"Ben" <anonymous@discussions.microsoft.com> wrote in message
> >news:e78d01c3f0a3$d5d66940$a401280a@phx.gbl...
> >> Does anyone know how to force that users log in to SPS
> >> 2003 via a custom web form (rather than the standard
> >> Windows authentication popup box)?
> >>
> >> Thanks!
> >>
> >
> >.
> >
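
The 401-versus-302 behaviour described in the quoted explanation, as an added example that is not part of the original thread and not SharePoint code. It assumes a Python `urllib` client standing in for a rich client such as Word, Basic standing in for the "basic or NT challenge/response" prompt, and two constructed local servers with hypothetical names, paths and credentials.

```python
# Added example: constructed local servers and account, not SharePoint code.
import base64, threading, urllib.request as ur
from http.server import BaseHTTPRequestHandler, HTTPServer

DOC = b"quarterly-report-bytes"  # constructed document body
CRED = "Basic " + base64.b64encode(b"alice:s3cret").decode()  # constructed account

class Challenge401(BaseHTTPRequestHandler):
    """Store-level model: missing or wrong credentials get 401 + WWW-Authenticate."""
    def do_GET(self):
        if self.headers.get("Authorization") == CRED:
            self._send(200, DOC, "application/octet-stream")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.send_header("Content-Length", "0")
            self.end_headers()
    def _send(self, code, body, ctype):
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass  # keep the demo quiet

class FormsRedirect(Challenge401):
    """Forms model: a request without a session is sent a 302 to an HTML login form."""
    def do_GET(self):
        if self.path == "/login":
            self._send(200, b"<form method=post>user/password</form>", "text/html")
        else:
            self.send_response(302)
            self.send_header("Location", "/login")
            self.send_header("Content-Length", "0")
            self.end_headers()

def fetch_as_rich_client(handler_cls):
    """GET /doc as a non-browser client: follows redirects, answers 401 challenges."""
    with HTTPServer(("127.0.0.1", 0), handler_cls) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        url = f"http://127.0.0.1:{srv.server_port}/doc"
        mgr = ur.HTTPPasswordMgrWithDefaultRealm()
        mgr.add_password(None, url, "alice", "s3cret")
        opener = ur.build_opener(ur.ProxyHandler({}), ur.HTTPBasicAuthHandler(mgr))
        try:
            with opener.open(url, timeout=5) as resp:
                return resp.headers.get_content_type(), resp.read()
        finally:
            srv.shutdown()
```

Against `Challenge401` the client answers the challenge and receives the document; against `FormsRedirect` it holds the same credentials but ends up with the login form's HTML in place of the document, because nothing in it reads the form.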