RE: logout a browser under integrated security

From: Jason (ipsglobal@hotmail.com)
Date: 11/26/02 

From: "Jason" <ipsglobal@hotmail.com>
Date: Tue, 26 Nov 2002 07:25:12 -0800

As it turns out the solution described in Q195192 does
work for NTLM even though the article only says it works
for basic authentication. It requires an OCX to be
downloaded to the client, which would be a drawback for
any applications that are to be accessed by browsers other
than IE.

Jason.

>-----Original Message-----
>Jason,
> As far as I am aware this cannot be done, this is
due to the browser.
>The client decides how to authenticate, so you can't
control this on the
>server. You may be able to force something through code,
but not server
>configuration. But even so if the user is already
authenticated, and has
>the
>same browser session, even though they'll initially see a
login prompt
>again,
>if they cancel out of it, they'll still be able to get
access.
>
>
>
>Alternatively, as part of the logout process, you could
have the client
>close
>the browser. Unfortunately there's not a good way to
force people to
>re-authenticate when they have the same browser session
open on the client.
>
>
>
>This is because when Internet Explorer has established a
connection with the
>server by using Basic or NTLM authentication, it passes
the credentials for
>every new request for the duration of the session with
the server.
>
>For more information in regards to this please refer to
KB Article Q264921
>"How
>IIS Authenticates Browser Clients"
>
>
>
>Also according to KB article Q264086 "How to
automatically Log on to IIS
>Using
>NT/Challenge Response" it states
>
>
>
>"It is the responsibility of the user's Web browser to
pass the user's
>credentials to an Internet Information Services (IIS) Web
server. If
>Internet
>Explorer is configured properly, the browser can
automatically log on to
>IIS
>using Windows NT Challenge/Response over HTTP with the
user's
>currently-logged-on windows account.
>
>
>
>That is why with CMS when using IIS Security Context
authentication, the
>ability to logoutof a site is not supported. It is best
to remove any
>logout buttons in the site. If a user wishes to login as
another user into
>the site, they will have to completely shut down their
browser and start up
>a
>new instance of it.
>
>
>
>If you are deciding on how you would like to secure your
site I suggest
>reading
>the article Security and Authentication in Content
Management Server you
>can
>find it at the link below.
>
>
>
><http://www.microsoft.com/technet/treeview/default.asp?
url=/technet/prodtech
>nol
>/cms/maintain/SecAuth.asp>
>
>I hope this helps
>
>
>
>
>Stefan B. Schachner MCSE MCP MCP +I
>IIS Newsgroup Support
>
>Please do not send email directly to this alias. This is
our online account
>name for newsgroup participation only.
>
>If you would like to open a support incident with
Microsoft, call
>1-800-936-5800
>
>This posting is provided "AS IS" with no warranties, and
confers no rights.
>You assume all risk for your use. © 2001 Microsoft
Corporation. All rights
>reserved.
>
>
>
>.
>