Re: SSL & Certificates or Windows Auth
From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 11/20/03
- Previous message: Ken Schaefer: "Re: IIS 5.0/SSL"
- In reply to: Andrew: "SSL & Certificates or Windows Auth"
- Next in thread: Andrew: "Re: SSL & Certificates or Windows Auth"
- Reply: Andrew: "Re: SSL & Certificates or Windows Auth"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 20 Nov 2003 14:28:18 +1100
Is you are using something like "Basic Authentication" to authenticated
against the Windows User database, then it is strongly recommended that you
use SSL, as the username/password are essentially passed as clear-text.
On the otherhand, if you use Integrated Windows Authentication (or NTLM or
Keberos), then a challenge-response system is used, and the password is
never passed. So SSL doesn't help you as much here.
That said, SSL encrypts everything except the actual request header (ie what
file is being requested), so every other header (including the HTTP headers
conveying the username, password or password hash) are encrypted.
Cheers
Ken
"Andrew" <anonymous@discussions.microsoft.com> wrote in message
news:051e01c3aef8$53c8b210$a401280a@phx.gbl...
: Hi,
:
: From a security point of view, how much additional
: security does having a certificate to access a website
: provide over using Windows authentication?
:
: Also, when using a SSL connection and using Windows
: authentication, i take it that the username/password is
: also encrypted?
:
: Andrew
- Previous message: Ken Schaefer: "Re: IIS 5.0/SSL"
- In reply to: Andrew: "SSL & Certificates or Windows Auth"
- Next in thread: Andrew: "Re: SSL & Certificates or Windows Auth"
- Reply: Andrew: "Re: SSL & Certificates or Windows Auth"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
