RE: logout a browser under integrated security
From: Stefan Schachner[MS] (sschac@online.microsoft.com)
Date: 11/23/02
- Next message: alfred martus: "passwords"
- Previous message: Erik Jensen: "IIS wont send my custom header"
- In reply to: Jason: "logout a browser under integrated security"
- Next in thread: Jason: "RE: logout a browser under integrated security"
- Reply: Jason: "RE: logout a browser under integrated security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: sschac@online.microsoft.com (Stefan Schachner[MS]) Date: Sat, 23 Nov 2002 00:36:29 GMT
Jason,
As far as I am aware this cannot be done, this is due to the browser.
The client decides how to authenticate, so you can't control this on the
server. You may be able to force something through code, but not server
configuration. But even so if the user is already authenticated, and has
the
same browser session, even though they'll initially see a login prompt
again,
if they cancel out of it, they'll still be able to get access.
Alternatively, as part of the logout process, you could have the client
close
the browser. Unfortunately there's not a good way to force people to
re-authenticate when they have the same browser session open on the client.
This is because when Internet Explorer has established a connection with the
server by using Basic or NTLM authentication, it passes the credentials for
every new request for the duration of the session with the server.
For more information in regards to this please refer to KB Article Q264921
"How
IIS Authenticates Browser Clients"
Also according to KB article Q264086 "How to automatically Log on to IIS
Using
NT/Challenge Response" it states
"It is the responsibility of the user's Web browser to pass the user's
credentials to an Internet Information Services (IIS) Web server. If
Internet
Explorer is configured properly, the browser can automatically log on to
IIS
using Windows NT Challenge/Response over HTTP with the user's
currently-logged-on windows account.
That is why with CMS when using IIS Security Context authentication, the
ability to logoutof a site is not supported. It is best to remove any
logout buttons in the site. If a user wishes to login as another user into
the site, they will have to completely shut down their browser and start up
a
new instance of it.
If you are deciding on how you would like to secure your site I suggest
reading
the article Security and Authentication in Content Management Server you
can
find it at the link below.
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtech
nol
/cms/maintain/SecAuth.asp>
I hope this helps
Stefan B. Schachner MCSE MCP MCP +I
IIS Newsgroup Support
Please do not send email directly to this alias. This is our online account
name for newsgroup participation only.
If you would like to open a support incident with Microsoft, call
1-800-936-5800
This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2001 Microsoft Corporation. All rights
reserved.
- Next message: alfred martus: "passwords"
- Previous message: Erik Jensen: "IIS wont send my custom header"
- In reply to: Jason: "logout a browser under integrated security"
- Next in thread: Jason: "RE: logout a browser under integrated security"
- Reply: Jason: "RE: logout a browser under integrated security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
