Re: integrated authentication not working from redirect

From: Karl Levinson [x y] mvp (jamescagney90210@excite.com)
Date: 12/21/02


From: "Karl Levinson [x y] mvp" <jamescagney90210@excite.com>
Date: Sat, 21 Dec 2002 17:49:24 -0500


"Danno" <googlegroups@danno.mail.coppock.com> wrote in message
news:97cf2f36.0212201046.5200681a@posting.google.com...
> I'm seeing strange auth behavior from the default IE 6, on XP Pro,
> regarding HTTP redirects.

> [3] (FAILS) If the cgi that provides the redirect is considered to
> NOT be on the same security zone (intranet) as the browser, after
> moving to the protected page, the browser seems to refuse to
> participate in the automatic logon process, and pops up the logon
> dialog.
>
> My question is why would IE care from where it was redirected. Is
> this some new security behavior? I only see this on XP Pro

Actually, IMHO this is the improved behavior I would have wanted to see in
the other OSes. Integrated web authentication is not appropriate and
usually should not be done or would not be possible across the internet or
through a firewall. I would hope that this behavior is a correction of
previous behavior that would have sent your Windows authentication
information out to the internet where it could be sniffed and cracked and
used against you. One form of attack is to send you a URL to trick you or
your computer into sending your credentials to a hacker.

The fix should be to change the server name in the URL so that it is local,
or add the domain or server name to the intranet zone. This should be
possible to do through Group Policy, a .REG file, the IEAK, etc.

Since XP contains the ICF firewall, you could also check the firewall logs
to confirm that it is not interfering with things.

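As an added illustration (not part of the original thread), the Python sketch below reads a .REG export of the IE zone map mentioned in the reply and reports, for each mapped host, whether its zone's logon policy (value 1A00) sends Windows credentials without a prompt. The host names and the sample export are constructed placeholders.

```python
import re

BASE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
# Constructed sample export; corp.example and partner.example are placeholder names.
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[{BASE}\\ZoneMap\\Domains\\corp.example\\intranet]
"http"=dword:00000001
[{BASE}\\ZoneMap\\Domains\\partner.example\\www]
"https"=dword:00000003
[{BASE}\\Zones\\1]
"1A00"=dword:00020000
[{BASE}\\Zones\\3]
"1A00"=dword:00020000
"""

def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in a .REG export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)):
            current[m.group(1)] = int(m.group(2), 16)
    return keys

def auto_logon(zone, policy):
    """1A00: 0x00000 = automatic logon, 0x20000 = automatic logon only in the intranet zone."""
    if policy is None:
        return None  # 1A00 is not in the export, so the effective setting is unknown here
    return policy == 0x00000 or (policy == 0x20000 and zone == 1)

def audit(text):
    """List (host, protocol, zone name, auto-logon) for every ZoneMap\\Domains entry.

    Subdomain keys sit under their domain key, e.g. Domains\\corp.example\\intranet.
    """
    keys = parse_reg(text)
    policy = {int(k.rsplit("\\", 1)[1]): v.get("1A00")
              for k, v in keys.items() if re.search(r"\\Zones\\\d+$", k)}
    rows = []
    for key, values in keys.items():
        m = re.search(r"\\ZoneMap\\Domains\\(.+)$", key)
        if m:
            host = ".".join(reversed(m.group(1).split("\\")))
            for proto, zone in values.items():
                rows.append((host, proto, ZONES.get(zone, str(zone)), auto_logon(zone, policy.get(zone))))
    return rows
```

Running `audit(SAMPLE_REG)` shows that only the host mapped to Local intranet gets automatic logon; a zone 3 entry whose 1A00 is 0 would be worth reviewing, since it hands credentials to Internet-zone hosts.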

