Integrated Windows Authentication, Change IE's Reaction to a 401.3
From: Rudie Noble (disneynoble@comcast.net)
Date: 12/20/02
- Next message: John: "Acess Control"
- Previous message: Karl Levinson [x y] mvp: "Re: separate IP addresses associated with IIS web servers"
- Next in thread: Mike: "Re: Integrated Windows Authentication, Change IE's Reaction to a 401.3"
- Reply: Mike: "Re: Integrated Windows Authentication, Change IE's Reaction to a 401.3"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: disneynoble@comcast.net (Rudie Noble) Date: 20 Dec 2002 07:54:58 -0800
Using Integrated Windows Authentication on a Windows 2000 Server
running IIS that is acting as an Intranet server. Trying to find a
way to eliminate the login prompt that IE generates following an
authenticated user's attempt to access a web page in a subdirectory
that has been protected by limiting rights (ACL) to selective user
groups. IIS generates 401.3 and IE reacts by displaying a login
prompt.
More Details......
Integrated Windows Authentication (also known as IWA, NT
Challenge/Response, and NTLM) seems well suited for an intranet
environment, since both user and Web server are in the same domain and
we can ensure that every user has Microsoft Internet Explorer (an IWA
requirement). Our Intranet site has pages that are both public and
some that are restricted by user group. Based on information
contained in other forum postings, it is my understanding that when an
attempt is made to access a page from within a directory that specifies
Integrated Windows Authentication, IIS does not initially prompt the
user for a user name and password.
The current Windows user information on the client computer is used
for authentication. IWA is a secure form of authentication because
the user name and password are not sent across the network. When you
enable IWA, the user's browser proves its knowledge of the password
through a cryptographic exchange with your Web server, involving
hashing.
However, if this authentication exchange initially fails to identify
the user (such as when a user is not currently logged into the
network), the browser will prompt the user for a Windows user name and
password. In our case the user is logged onto the network and the
authentication is successful, but the identified user just doesn't
have access rights (via ACL) to the HTML file.
When our users attempt to access such a restricted page IIS generates
a 401.3 and as a result IE issues a login prompt. It is my
understanding that it is IE making the decision to issue the prompt,
not IIS. This would give the user an opportunity to enter alternate
credentials that might have access rights. However, we want to just
deny access to that page because our users have no other id.
We see no need for this prompt; it's way too much of an invitation to
try and hack the system. These users were correctly logged onto the
session; they just don't have permission to this page. Displaying
either the 401.3 error page or the 401.1 error page (which is what
gets displayed after canceling out of the login prompt) would be fine
(and yes, I know these messages can be customized).
I remain hopeful someone will know how to influence IE's behavior so
that it does not issue the logon prompt.
Rudie Noble
Director, Distributed Computing
Frank's Nursery
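The post draws a distinction the server sees clearly even when IE blurs it: a 401.3 means the IWA handshake already identified the caller and the file's ACL refused that identity, whereas 401.1 and 401.2 are logon failures. Whatever IE does with the prompt, the IIS log is where a defender can watch authenticated users repeatedly hitting ACL-protected pages. The following is an added example, not code from the original post or from Microsoft: it parses W3C extended log lines and separates ACL denials from logon failures. The log lines are constructed; the layout assumes the sc-substatus field is logged, as IIS 6 and later do (the `sc-substatus` column is not present in IIS 5 logs), and the user names and paths are made up.

```python
"""Summarise IIS 401 substatus codes from W3C extended log lines.

Added example (not from the original post). SAMPLE_LOG is constructed;
the field layout is the W3C extended format with sc-substatus, which
IIS 6 and later write (assumption: IIS 5 logs lack that column).
"""
from collections import Counter

# Meaning of the IIS 401 substatus values discussed in the thread.
SUBSTATUS_401 = {
    1: "logon failed (bad or cancelled credentials)",
    2: "logon failed due to server configuration (initial challenge)",
    3: "unauthorized due to ACL on the resource",
}

# Constructed sample: the initial Negotiate/NTLM challenge (401.2, no user
# yet), a successful page, two ACL denials for an authenticated user, a
# cancelled prompt (401.1), and another user who is allowed in.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-substatus
2002-12-20 15:54:58 10.1.2.3 - GET /index.htm 401 2
2002-12-20 15:54:58 10.1.2.3 CORP\\rnoble GET /index.htm 200 0
2002-12-20 15:55:10 10.1.2.3 CORP\\rnoble GET /hr/reviews.htm 401 3
2002-12-20 15:55:12 10.1.2.3 CORP\\rnoble GET /hr/reviews.htm 401 3
2002-12-20 15:55:40 10.1.2.3 - GET /hr/reviews.htm 401 1
2002-12-20 15:56:03 10.1.2.9 CORP\\jsmith GET /hr/reviews.htm 200 0
2002-12-20 15:56:30 10.1.2.3 CORP\\rnoble GET /finance/budget.htm 401 3
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names on the #Fields line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("log record before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def substatus_summary(text):
    """Return {substatus: count} over every 401 response in the log."""
    summary = Counter()
    for rec in parse_w3c(text):
        if rec["sc-status"] == "401":
            summary[int(rec["sc-substatus"])] += 1
    return summary


def acl_denials(text):
    """Return {(user, path): count} for 401.3 responses to authenticated users.

    A 401.3 means the handshake succeeded (IIS knows who the caller is) and
    the NTFS ACL on the file refused that identity, which is the case the
    post describes.  401.1 / 401.2 are logon failures and are left out here.
    """
    denials = Counter()
    for rec in parse_w3c(text):
        if (rec["sc-status"] == "401" and rec["sc-substatus"] == "3"
                and rec["cs-username"] != "-"):
            denials[(rec["cs-username"], rec["cs-uri-stem"])] += 1
    return denials


def users_over_threshold(text, threshold=2):
    """Sorted list of users whose total ACL denials reach the threshold."""
    per_user = Counter()
    for (user, _path), n in acl_denials(text).items():
        per_user[user] += n
    return sorted(u for u, n in per_user.items() if n >= threshold)


if __name__ == "__main__":
    for code, n in sorted(substatus_summary(SAMPLE_LOG).items()):
        print(f"401.{code}: {n:3d}  {SUBSTATUS_401.get(code, 'other')}")
    for (user, path), n in sorted(acl_denials(SAMPLE_LOG).items()):
        print(f"ACL denied {n}x: {user} -> {path}")
    print("review:", users_over_threshold(SAMPLE_LOG))
```

Run against a real log, the 401.3 counts per user are the list of authenticated people who keep landing on pages they are not allowed to see; the 401.2 entries are just the normal first leg of the IWA handshake and are noise for this purpose.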