Re: IIS Basic + Integrated Authentication slow

From: Stephen L Nicoud (nicouds@hotmail.com)
Date: 06/22/02 

Date: Sat, 22 Jun 2002 13:34:24 -0700
From: Stephen L Nicoud <nicouds@hotmail.com>

You'll need to set up 2 sites that share the same identical virtual
directories. Then enable Basic Authentication on one (but not IWA) and
enable IWA on the other (but not Basic). Make the appropriate DNS
entries so that the Internet traffic is sent to the site with Basic
Authentication enabled.

David Chadwick wrote:
>
> Hi,
>
> Thanks for your response.
>
> We do access the Intranet site internally via the NETBIOS name of the
> machine, and the proxy server is bypassed and Integrated Authentication is
> used. My problem has nothing to do with Proxy servers doing the wrong
> thing. Internally this all works great.
>
> The problem is when someone on the Internet tries to access our Intranet.
> If they are using IE then it does try to use Integrated Authentication
> simply because in IIS on our Intranet site we have both Basic and Integrated
> selected, and as you said the order is that Integrated is used before Basic.
> Due to the problems of using this over the net they get very very slow
> response times to the site (2 minutes per page). If the external client is
> using a browser other than IE that doesn't support Integrated then it skips
> straight to Basic and works great.
>
> This is the inherent problem. I need Integrated to be on for internal
> clients to work nicely (which they do). If Integrated is on then external
> clients using IE do not work nicely, as they try to use Integrated and take
> forever. If I turn Integrated off then the external IE clients go straight
> to Basic and it works great, but naturally this stuffs up the internal
> clients who now need to enter a username and password each time they access
> the site.
>
> Surely this must be a common problem with some kind of solution? This would
> happen to anyone who had an Intranet site and used Integrated Authentication
> internally who then wanted to make the site available to the Internet. How
> are other people getting around this?
>
> Thanks again for your help so far.
>
> Cheers,
>
> ...David
>
> "IT Community" <it-community@online.microsoft.com> wrote in message
> news:#2GV#MgGCHA.1808@cpmsftngxa08...
> You wrote:
> | I realise that Integrated Authentication isn't supposed to be used over
> the
> | Internet and frankly that is fine with me.
>
> Response:
> Integrated Authentication is essentially, NTLM or NT Challenge/.Response,
> and will not work when authenticated via a firewall or proxy which likely
> to happen when access from Internet. When a proxy server is inserted into
> the system, between the Web browser and the Web publishing server, NTLM
> authentication between the client browser and the WEB publishing server
> will no longer work. In fact any authentication method relying on implicit
> end-to-end state (such as NTLM) will cease working. Please review:
>
> Q198116 Authentication Options and Limitations Using Proxy Server 2.0
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q198116
>
> You wrote:
> | The problem is that if I enable
> | Basic Authentication it still tries Integrated first, so this problem does
> | not go away.
>
> Response:
> If all enabled, the sequence IIS will try to authenticate a user is
> Anonymous, Windows Integrated, and then Basic authentication. Please review:
>
> Q264921 INFO: How IIS Authenticates Browser Clients
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q264921
>
> You wrote:
> | If I turn off Integrated Authentication then Basic Authentication kicks in
> | and the Intranet site runs very quickly and all is great. However this
> | means that people accessing the site internally have to enter their
> username
> | and password rather than it just working transparently as it does with
> | Integrated! I need to be able to tell IIS to use Basic Authentication
> first
> | with external clients, and Integrated Authentication with internal ones.
>
> Response:
> One solution is to internally, enable Bypass proxy server for local
> addresses in IE Tools/Internet Options/Connections/LAN Settings and use
> NetBios name to access your intranet so Windows integrated will be used.
> Notice IE uses a period (.) in the URL to determine if the address is on
> the (external) Internet, rather than the (internal) intranet. When
> specifying an address which uses periods, IE identifies the URL as an
> external site, and does not attempt to initiate the authentication session
> because "Integrated Windows authentication" does not work across a firewall
> or proxy. Or you can try
>
> Q262981 Internet Explorer Uses Proxy Server Even if Bypass Option Is On
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q262981
>
> Hope this helps.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> You assume all risk for your use. © 2002 Microsoft Corporation. All rights
> reserved.
>
> Recently released IIS security patches:
>
> Q319733 Cumulative Patch for Internet Information Services released
> 04/10/2002
> http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
>
> Q321599 Heap Overrun in HTR Chunked Encoding Could Enable Web Server
> Compromise released on 06/12/2002
> http://www.microsoft.com/TechNet/security/bulletin/MS02-028.asp 

-- 
Reply to the newsgroup.

Relevant Pages

  • Re: Help, Ive been hijacked! :-(
    ... The users are all out there on the internet. ... password file authentication, since I understand that using Windows ... > a) Reading the documentation is a good start. ... > party clients support NTLM v2 authentication. ...
    (microsoft.public.inetserver.iis.smtp_nntp)
  • ISA Server Authentication issues in a mixed Windows/Macintosh environment
    ... I have a client - a local public school system - with a mixed ... and sometime switch over to a pure Windows environment by the time ... agree to allow them to have internet access. ... Basic authentication is the order of business, ...
    (NT-Bugtraq)
  • Re: Authentication problem
    ... am just dealing with my own experience with multi-purposed .NET security ... forms authentication - is any more secure than a single instance ... config method based on which site you are deploying than you are setting ... such as the internet) or windows authentication (if ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Query AD from DMZ via LDAP?
    ... I plan on having ADAM installed in a domain controler where there is a ... proxy objects depends on the type of authentication your app can perform. ... If it is limited to LDAP simple bind, then bind proxies would be needed (and ... authentication to apps on the public internet, ...
    (microsoft.public.windows.server.active_directory)
  • Re: FTP for internal users and external customers.
    ... Secure network architecture and authentication, ... the security boundary in AD is the forest ... Yet there's one thing that's not justified: putting the external user in DMZ ... any connections coming from the internet has to ...
    (microsoft.public.security)