RE: Basic question

From: Ken Schaefer (Ken_at_adOpenStatic.com)
Date: 03/16/05

    Date: Wed, 16 Mar 2005 12:23:34 +1100
    To: <focus-ms@securityfocus.com>
    
    

    : -----Original Message-----
    : From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
    : Subject: RE: Basic question
    :
    : The encryption used when sending authentication to an IIS server depends
    : on how you have configured the IIS server. You have several choices.
    : Windows Integrated Authentication utilized NTLM or NTLMv2 depending on
    : the configuration of the IIS server and the domain controllers.

    Since Windows 2000, Integrated Windows Authentication has incorporated both
    NTLM/NTLM v2 authentication and Kerberos Authentication (WWW-Authenticate:
    Negotiate is the authentication header for Kerberos).

    : Not all browsers utilize Windows Integrated Authentication.
    : (I think only IE on Windows will support this.)

    Most modern browsers support NTLM/NTLM v2 (Mozilla/Firefox, Opera, IE).
    Only IE supports Kerberos authentication OOB.

    : Basic authentication will send the password
    : in plain text across the network. With Basic authentication if you want
    : authentication and encryption, you need to install an SSL certificate
    : and force your users to use https to access your site.
    : On IIS 6.0 there is also Digest and .net authentication.
    : I am not familiar with either of these.

    Digest Authentication is an open standard (see RFC 2617 etc), and was
    implemented in Windows 2000 / IIS 5.0. I'm not sure what you mean when you
    refer to ".net Authentication" - I assume you mean Passport Authentication?

    : The encryption method used does not matter if the machine is
    : part of the same domain as the IIS server or not.

    I assume you mean the "authentication method does not matter"? Well, I
    suppose we need to use the caveat that Kerberos cannot be used if the client
    machine is unable to obtain an appropriate ticket from the KDC.

    Cheers
    Ken
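
The point in the thread about Basic authentication and SSL, as an added example that is not part of the original message: a small Python check that lists the schemes a server offers in its 401 response and flags Basic when the URL is not https. The host name, header values and credential below are constructed, and the one-challenge-per-header layout is an assumption.

```python
import base64
from urllib.parse import urlsplit

# Schemes named in the thread. Basic is the one whose credential is readable on the wire.
KNOWN_SCHEMES = {"basic", "digest", "ntlm", "negotiate"}
CLEARTEXT_EQUIVALENT = {"basic"}

# Constructed WWW-Authenticate values from a hypothetical 401 response.
SAMPLE_401 = [
    "Negotiate",
    "NTLM",
    'Digest qop="auth", realm="example", nonce="constructed-nonce"',
    'Basic realm="example"',
]
# Constructed credential, built here so the sample needs no hand-encoded blob.
SAMPLE_AUTHORIZATION = "Basic " + base64.b64encode(b"alice:S3cret!").decode("ascii")


def offered_schemes(www_authenticate_values):
    """Return the lower-cased scheme of each header value (one challenge per value assumed)."""
    schemes = []
    for value in www_authenticate_values:
        parts = value.strip().split(None, 1)
        if parts:
            schemes.append(parts[0].lower())
    return schemes


def decode_basic(authorization_value):
    """A Basic credential is only base64 of user:password; return (user, password)."""
    scheme, _, blob = authorization_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(blob.strip()).decode("utf-8")
    user, _, password = decoded.partition(":")  # password may itself contain ':'
    return user, password


def audit(url, www_authenticate_values):
    """Return (scheme, finding) pairs for challenges that need attention."""
    over_tls = urlsplit(url).scheme.lower() == "https"
    findings = []
    for scheme in offered_schemes(www_authenticate_values):
        if scheme in CLEARTEXT_EQUIVALENT and not over_tls:
            findings.append((scheme, "password readable on the wire; require https"))
        elif scheme not in KNOWN_SCHEMES:
            findings.append((scheme, "unrecognised scheme; review manually"))
    return findings
```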
