Re: IIS Authentication

From: Thomas Deml [MS] (thomad@online.microsoft.com)
Date: 10/06/02


From: "Thomas Deml [MS]" <thomad@online.microsoft.com>
Date: Sun, 6 Oct 2002 02:45:19 -0700


You are using Basic auth I guess.

IE caches credentials on a per domain basis and this is a good thing. There
is nothing IIS can do about it. IE doesn't send the credentials to
site2.neximus.com because it would be a huge security hole. How should IE
know that the same guy that runs site1.neximus.com also runs
site2.neximus.com?

IIS has to challenge for credentials and as a result IE pops up the
dialogbox. If IE wouldn't do that it would send credentials to completely
unrelated sites.

A solution would be to use cookie-based authentication. I think the cookie
standard allows to ignore the 2nd level domain.

Hope this helps.

--
Thomas Deml
Lead Program Manager
Internet Information Services
Microsoft Corp.
"Mario Smit" <m.smit@neximus.com> wrote in message
news:fd5c01c26a35$26bff340$3bef2ecf@TKMSFTNGXA10...
> Hi,
>
> I have two domains for example: site1.neximus.com and
> site2.neximus.com. Both sites use authentication and are
> available for the same NT-usergroup. I want the user to
> logon only once not twice for both site1 and site2.
>
> I set up authentication and it works fine. Only IE pops
> up for a second time when I want to go from site1 to
> site2. Is this because the realm is not the same?
>
> We are using IIS 5.0 on Windows 2000 Advanced Server.
>
> Any help will be greatly appreciated.
>
> Best regards,
>
> Mario Smit