RE: IIS Basic + Integrated Authentication slow

From: IT Community (it-community@online.microsoft.com)
Date: 06/22/02

You wrote:
| I realise that Integrated Authentication isn't supposed to be used over the
| Internet and frankly that is fine with me.

Response:
Integrated Authentication is essentially NTLM, or NT Challenge/Response, and
will not work when authenticating via a firewall or proxy, which is likely to
happen when accessing from the Internet. When a proxy server is inserted into
the system, between the Web browser and the Web publishing server, NTLM
authentication between the client browser and the Web publishing server
will no longer work. In fact, any authentication method relying on implicit
end-to-end state (such as NTLM) will cease working. Please review:

Q198116 Authentication Options and Limitations Using Proxy Server 2.0
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q198116

You wrote:
| The problem is that if I enable
| Basic Authentication it still tries Integrated first, so this problem does
| not go away.

Response:
If all are enabled, the sequence in which IIS will try to authenticate a user is
Anonymous, Windows Integrated, and then Basic authentication. Please review:

Q264921 INFO: How IIS Authenticates Browser Clients
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q264921

You wrote:
| If I turn off Integrated Authentication then Basic Authentication kicks in
| and the Intranet site runs very quickly and all is great. However this
| means that people accessing the site internally have to enter their username
| and password rather than it just working transparently as it does with
| Integrated! I need to be able to tell IIS to use Basic Authentication first
| with external clients, and Integrated Authentication with internal ones.

Response:
One solution is, internally, to enable "Bypass proxy server for local
addresses" in IE Tools/Internet Options/Connections/LAN Settings and use the
NetBIOS name to access your intranet, so Windows Integrated will be used.
Notice IE uses a period (.) in the URL to determine whether the address is on
the (external) Internet rather than the (internal) intranet. When
specifying an address which uses periods, IE identifies the URL as an
external site and does not attempt to initiate the authentication session,
because "Integrated Windows authentication" does not work across a firewall
or proxy. Or you can try:

Q262981 Internet Explorer Uses Proxy Server Even if Bypass Option Is On
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q262981

Hope this helps.

This posting is provided “AS IS” with no warranties, and confers no rights.
You assume all risk for your use. © 2002 Microsoft Corporation. All rights
reserved.

Recently released IIS security patches:

Q319733 Cumulative Patch for Internet Information Services, released 04/10/2002
http://www.microsoft.com/technet/security/bulletin/ms02-018.asp

Q321599 Heap Overrun in HTR Chunked Encoding Could Enable Web Server
Compromise, released 06/12/2002
http://www.microsoft.com/TechNet/security/bulletin/MS02-028.asp
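The server-side challenge order (Anonymous, then Integrated, then Basic) and IE's "period in the host name means Internet" rule described in the responses above, modelled as an added Python example; this is not code from the original post or from Microsoft, and the 401 response, host names and the `via_proxy` flag are constructed assumptions used to show which scheme a client ends up on:

```python
"""Model of the client-side scheme choice described in the post (constructed
example, not IIS or IE code). Assumes a 401 whose WWW-Authenticate headers
list the schemes IIS has enabled, Integrated ones before Basic."""
from typing import List, Optional

# Constructed sample: the 401 IIS sends once the anonymous attempt is refused
# and both Integrated (Negotiate/NTLM) and Basic are enabled.
SAMPLE_401 = (
    "HTTP/1.1 401 Access Denied\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="intranet"\r\n'
    "Content-Length: 0\r\n\r\n"
)

INTEGRATED = {"NTLM", "NEGOTIATE"}


def parse_challenges(raw_response: str) -> List[str]:
    """Return the scheme names offered in WWW-Authenticate headers, in order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            schemes.append(value.strip().split(" ", 1)[0].upper())
    return schemes


def ie_treats_as_intranet(host: str) -> bool:
    """IE's rule from the post: a host name containing a period is Internet."""
    return "." not in host


def choose_scheme(raw_response: str, host: str, via_proxy: bool) -> Optional[str]:
    """Pick the scheme a client following IE's rules would settle on.
    Integrated schemes are attempted only for an undotted (intranet) name
    reached without a proxy; otherwise fall through to Basic if offered."""
    for scheme in parse_challenges(raw_response):
        if scheme in INTEGRATED:
            if ie_treats_as_intranet(host) and not via_proxy:
                return scheme
            continue  # NTLM needs end-to-end state; skip it across a proxy
        if scheme == "BASIC":
            return scheme
    return None  # nothing usable offered; the request stays unauthenticated
```

Calling `choose_scheme(SAMPLE_401, "intranet", False)` yields an Integrated scheme, while the same challenge reached as `intranet.example.com` or through a proxy falls through to Basic.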
