Re: IIS Authentication

From: Thomas Deml [MS] (thomad@online.microsoft.com)
Date: 10/06/02


From: "Thomas Deml [MS]" <thomad@online.microsoft.com>
Date: Sun, 6 Oct 2002 02:45:19 -0700


You are using Basic auth I guess.

IE caches credentials on a per domain basis and this is a good thing. There
is nothing IIS can do about it. IE doesn't send the credentials to
site2.neximus.com because it would be a huge security hole. How should IE
know that the same guy that runs site1.neximus.com also runs
site2.neximus.com?

IIS has to challenge for credentials and as a result IE pops up the
dialogbox. If IE wouldn't do that it would send credentials to completely
unrelated sites.

A solution would be to use cookie-based authentication. I think the cookie
standard allows to ignore the 2nd level domain.

Hope this helps.

--
Thomas Deml
Lead Program Manager
Internet Information Services
Microsoft Corp.
"Mario Smit" <m.smit@neximus.com> wrote in message
news:fd5c01c26a35$26bff340$3bef2ecf@TKMSFTNGXA10...
> Hi,
>
> I have two domains for example: site1.neximus.com and
> site2.neximus.com. Both sites use authentication and are
> available for the same NT-usergroup. I want the user to
> logon only once not twice for both site1 and site2.
>
> I set up authentication and it works fine. Only IE pops
> up for a second time when I want to go from site1 to
> site2. Is this because the realm is not the same?
>
> We are using IIS 5.0 on Windows 2000 Advanced Server.
>
> Any help will be greatly appreciated.
>
> Best regards,
>
> Mario Smit


Relevant Pages

  • Re: shared folder access
    ... >account delegation from your physical server running IIS ... >Your first option is to use Basic Authentication in IIS ... >This will remove the UNC user token credentials ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Active Directory Authentication in IIS 6
    ... I just installed ldp.exe and have no problems using the same credentials ... used in the code to connect and bind. ... settings in IIS, but I am not sure where to look. ... and Integrated Windows Authentication is checked. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: IIS6 - Virtual Directory to URL share, authentication problems.
    ... passing credentials across from webserver -> remote file server ... requires Kerberos (if IIS doesn't have the user's password), ... you won't get automatic logon. ... is that the "secure" authentication mechanisms do ...
    (microsoft.public.inetserver.iis.security)
  • Making .net handle IIS authentication (not simple)
    ... authentication systems. ... The new section uses an ISAPI plugin to handle authentication, IIS does the ... or that I can have asp.net issue credentials that IIS will accept. ... want them to get the standard aspx login form I have created, ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: NT Authentication with ASP
    ... Without credentials, IIS will assume anonymous access. ... If Anonymous authentication is enabled, ... unless the browser has already authenticated. ...
    (microsoft.public.inetserver.asp.general)