Re: IIS Basic + Integrated Authentication slow
From: David Chadwick (optic@optusnet.com.au)
Date: 06/22/02
- Next message: Scott Stahlman [MS]: "RE: Using SQL Authentication and WebTrens ...."
- Previous message: Scott Stahlman [MS]: "RE: IIS / SMTP : ID 7031"
- In reply to: IT Community: "RE: IIS Basic + Integrated Authentication slow"
- Next in thread: Stephen L Nicoud: "Re: IIS Basic + Integrated Authentication slow"
- Reply: Stephen L Nicoud: "Re: IIS Basic + Integrated Authentication slow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "David Chadwick" <optic@optusnet.com.au> Date: Sun, 23 Jun 2002 03:09:07 +1000
Hi,
Thanks for your response.
We do access the Intranet site internally via the NETBIOS name of the
machine, and the proxy server is bypassed and Integrated Authentication is
used. My problem has nothing to do with Proxy servers doing the wrong
thing. Internally this all works great.
The problem is when someone on the Internet tries to access our Intranet.
If they are using IE then it does try to use Integrated Authentication
simply because in IIS on our Intranet site we have both Basic and Integrated
selected, and as you said the order is that Integrated is used before Basic.
Due to the problems of using this over the net they get very very slow
response times to the site (2 minutes per page). If the external client is
using a browser other than IE that doesn't support Integrated then it skips
straight to Basic and works great.
This is the inherent problem. I need Integrated to be on for internal
clients to work nicely (which they do). If Integrated is on then external
clients using IE do not work nicely, as they try to use Integrated and take
forever. If I turn Integrated off then the external IE clients go straight
to Basic and it works great, but naturally this stuffs up the internal
clients who now need to enter a username and password each time they access
the site.
Surely this must be a common problem with some kind of solution? This would
happen to anyone who had an Intranet site and used Integrated Authentication
internally who then wanted to make the site available to the Internet. How
are other people getting around this?
Thanks again for your help so far.
Cheers,
...David
"IT Community" <it-community@online.microsoft.com> wrote in message
news:#2GV#MgGCHA.1808@cpmsftngxa08...
You wrote:
| I realise that Integrated Authentication isn't supposed to be used over the
| Internet and frankly that is fine with me.
Response:
Integrated Authentication is essentially NTLM or NT Challenge/Response,
and will not work when authenticated via a firewall or proxy, which is likely
to happen when accessing from the Internet. When a proxy server is inserted into
the system, between the Web browser and the Web publishing server, NTLM
authentication between the client browser and the WEB publishing server
will no longer work. In fact any authentication method relying on implicit
end-to-end state (such as NTLM) will cease working. Please review:
Q198116 Authentication Options and Limitations Using Proxy Server 2.0
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q198116
You wrote:
| The problem is that if I enable
| Basic Authentication it still tries Integrated first, so this problem does
| not go away.
Response:
If all are enabled, the sequence in which IIS will try to authenticate a user is
Anonymous, Windows Integrated, and then Basic authentication. Please review:
Q264921 INFO: How IIS Authenticates Browser Clients
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q264921
You wrote:
| If I turn off Integrated Authentication then Basic Authentication kicks in
| and the Intranet site runs very quickly and all is great. However this
| means that people accessing the site internally have to enter their username
| and password rather than it just working transparently as it does with
| Integrated! I need to be able to tell IIS to use Basic Authentication first
| with external clients, and Integrated Authentication with internal ones.
Response:
One solution is to enable, internally, "Bypass proxy server for local
addresses" in IE Tools/Internet Options/Connections/LAN Settings and use
the NetBIOS name to access your intranet so Windows integrated will be used.
Notice IE uses a period (.) in the URL to determine if the address is on
the (external) Internet, rather than the (internal) intranet. When
specifying an address which uses periods, IE identifies the URL as an
external site, and does not attempt to initiate the authentication session
because "Integrated Windows authentication" does not work across a firewall
or proxy. Or you can try
Q262981 Internet Explorer Uses Proxy Server Even if Bypass Option Is On
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q262981
Hope this helps.
This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2002 Microsoft Corporation. All rights
reserved.
Recently released IIS security patches:
Q319733 Cumulative Patch for Internet Information Services released
04/10/2002
http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
Q321599 Heap Overrun in HTR Chunked Encoding Could Enable Web Server
Compromise released on 06/12/2002
http://www.microsoft.com/TechNet/security/bulletin/MS02-028.asp
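
An added example (not part of the original posts): a small Python model of the situation in this thread, where the server offers Integrated and Basic together and the client takes the first offered scheme it supports. The 401 response, the host names and the selection rule are constructed assumptions; the check also flags Basic used without TLS, because Basic sends the password base64-encoded rather than encrypted.

```python
# Constructed sample: a 401 from a site with Integrated and Basic both enabled.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="intranet"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

INTEGRATED = {"negotiate", "ntlm"}


def offered_schemes(raw_response):
    """Return the schemes named in WWW-Authenticate headers, in server order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return schemes


def looks_like_intranet(host):
    """Dot heuristic quoted in the reply: a name without a period is intranet."""
    return "." not in host


def client_choice(offered, client_supports):
    """Assumed rule: the client uses the first offered scheme it supports."""
    for scheme in offered:
        if scheme in client_supports:
            return scheme
    return None


def assess(raw_response, host, client_supports, over_tls):
    """Return (chosen scheme, list of findings) for one client/host pair."""
    chosen = client_choice(offered_schemes(raw_response), client_supports)
    notes = []
    if chosen in INTEGRATED and not looks_like_intranet(host):
        notes.append("integrated auth attempted on a dotted (external) name")
    if chosen == "basic" and not over_tls:
        notes.append("basic credentials sent base64-encoded without TLS")
    return chosen, notes
```

Calling `assess(SAMPLE_401, "intranet.example.com", {"negotiate", "ntlm", "basic"}, False)` reproduces the slow external case described above, while a client that supports only `{"basic"}` goes straight to Basic.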