Re: IIS, Integrated Windows Authentication, Intranet, Disable Prompt?

From: Thomas Deml [Msft] (thomad@online.microsoft.com)
Date: 12/12/02

• Next message: Gerald Abarca: "Unlock"
• Previous message: Thomas Deml [Msft]: "Re: Missing Lockdown Wizard on .NET Server/IIS 6.0"
• In reply to: Rudie Noble: "IIS, Integrated Windows Authentication, Intranet, Disable Prompt?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Thomas Deml [Msft]" <thomad@online.microsoft.com>
Date: Thu, 12 Dec 2002 00:02:03 -0800

Rudie,

this is not something IIS controls. Believe it or not, IIS always send the
same error message back to Internet Explorer. There are multiple requests
happening under the cover where you only see one. IE decides if and when to
throw a popup. In this case if IE can't get access with the logged on
account it throws the dialog box. For IIS each request is a new request and
IIS returns a 401 if it thinks the user doesn't have the right access
rights.

Hope this helps.

-- 
Thomas Deml
Lead Program Manager
Internet Information Services
Microsoft Corp.
"Rudie Noble" <disneynoble@comcast.net> wrote in message
news:360143d5.0212101832.477cfe53@posting.google.com...
> Using Integrated Windows Authentication.
>
> Our Intranet site has pages that are both public and some that are
> restricted by user group.  When a user attempts to access a restricted
> page for which they don't have access (via ACL) we want to just deny
> access to that page, not prompt the user for a user-id.  They were
> correctly logged onto the session, they just don't have permission to
> this page and we don't want to bother prompting them for a user-id.
> We just want the same 401-3 message screen to come up as if the user
> had clicked "cancel" for the logon prompt.
>
> Jerry Bryant of Microsoft sent the following information in response
> to a question posted back in 1991.  I understand the information
> presented but am hopeful someone will know how to turn off the logon
> prompt (item #3 below) received when a valid intranet user attempts to
> access a page for which they have not not been given access when using
> Integrated Windows Authentication.
>
> Thank You,
> Rudie
>
>
> ===========================================================
>
> When using Integrated Windows Authentication (also known as NT
> Challenge/Response and NTLM), users who are not logged into the
> network (or across the Internet) will be prompted for their user name
> and password. Here is some additional information:
>
> Integrated Windows authentication is a secure form of authentication
> because the user name and password are not sent across the network.
> When you enable integrated Windows authentication, the user's browser
> proves its knowledge of the password through a cryptographic exchange
> with your Web server, involving hashing.
>
> Integrated Windows authentication is best suited for an intranet
> environment, where both user and Web server computers are in the same
> domain, and where administrators can ensure that every user has
> Microsoft Internet Explorer, version 2.0 or later.
>
> Integrated Windows authentication proceeds as follows:
>
>    1. Unlike Basic authentication, it does not initially prompt users
> for a user name and password. The current Windows user information on
> the client computer is used for the integrated Windows authentication.
>
>    2. However, if the authentication exchange initially fails to
> identify the user, the browser will prompt the user for a Windows user
> account user name and password, which it will process by using
> integrated Windows authentication.
>
>    3. Internet Explorer will continue to prompt the user until the
> user enters a valid user name and password, or closes the prompt
> dialog box.
>
>
> Hope this helps!
>
> Jerry Bryant
> Microsoft Communities

---

• Next message: Gerald Abarca: "Unlock"
• Previous message: Thomas Deml [Msft]: "Re: Missing Lockdown Wizard on .NET Server/IIS 6.0"
• In reply to: Rudie Noble: "IIS, Integrated Windows Authentication, Intranet, Disable Prompt?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Integrated Windows Authentication, Change IEs Reaction to a 401.3 ... Using Integrated Windows Authentication on a Windows 2000 Server ... way to eliminate the login prompt that IE generates following an ... IIS generates 401.3 and IE reacts by displaying a login ... (microsoft.public.inetserver.iis.security) IIS, Integrated Windows Authentication, Intranet, Disable Prompt? ... Using Integrated Windows Authentication. ... Our Intranet site has pages that are both public and some that are ... not prompt the user for a user-id. ... Microsoft Internet Explorer, version 2.0 or later. ... (microsoft.public.inetserver.iis.security) Re: FQDM in intranet resources ... "Internet Explorer May Prompt You for a Password" ... Kristofer Gafvert - IIS MVP ... > using Integrated Windows Authentication on many of the pages. ... How could I make it work with the FQDM? ... (microsoft.public.inetserver.iis) Re: IIS 6 Integrated Authentication Stopped Working ... In Internet Explorer, if you look in the lower right part, what zone does it ... "Internet Explorer May Prompt You for a Password" ... > today, it won't let us log in to the domain controller website, ... I just tried restoring through IIS and it didn't help. ... (microsoft.public.inetserver.iis) Re: Integrated Windows Authentication Problem ... > I just created a website in IIS 6. ... > impersonate=true in my web config. ... > Integrated Windows Authentication but don't get prompted by any login. ... it won't prompt you for credentials. ... (microsoft.public.inetserver.iis)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(18)