Re: SSL & Certificates or Windows Auth

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 11/20/03


Date: Thu, 20 Nov 2003 17:06:19 +1100

Hi,

Are you talking about client and server certificates? or just server
certificates?

Cheers
Ken

"Andrew" <anonymous@discussions.microsoft.com> wrote in message
news:09b401c3af28$71416690$a301280a@phx.gbl...
: Thanks Ken,
:
: Is using Integrated Windows Authentication with SSL as
: secure (or is it more?) as SSL with certificates?
: Realistically, what additional security does a certificate
: provide (other than the initial approval of the
: certificate)?
:
: Andrew
:
:
: >-----Original Message-----
: >If you are using something like "Basic Authentication" to authenticate
: >against the Windows User database, then it is strongly recommended that you
: >use SSL, as the username/password are essentially passed as clear-text.
: >
: >On the other hand, if you use Integrated Windows Authentication (or NTLM or
: >Kerberos), then a challenge-response system is used, and the password is
: >never passed. So SSL doesn't help you as much here.
: >
: >That said, SSL encrypts everything except the actual request header (ie what
: >file is being requested), so every other header (including the HTTP headers
: >conveying the username, password or password hash) are encrypted.
: >
: >Cheers
: >Ken
: >
: >"Andrew" <anonymous@discussions.microsoft.com> wrote in message
: >news:051e01c3aef8$53c8b210$a401280a@phx.gbl...
: >: Hi,
: >:
: >: From a security point of view, how much additional
: >: security does having a certificate to access a website
: >: provide over using Windows authentication?
: >:
: >: Also, when using a SSL connection and using Windows
: >: authentication, I take it that the username/password is
: >: also encrypted?
: >:
: >: Andrew
: >
: >
: >.
: >
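
The Basic versus Integrated Windows Authentication distinction discussed in the thread above, as an added example that is not part of the original messages: it decodes an HTTP Authorization header value and reports whether the password can be read straight out of it. The function name, the sample credentials and the NTLM flag value are constructed for illustration.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def inspect_authorization(value):
    """Describe what decoding an HTTP Authorization header value reveals."""
    scheme, _, blob = value.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"scheme": scheme, "error": "token is not valid base64"}
    if scheme == "basic":
        # Basic is base64("user:password"): an encoding, not encryption.
        user, sep, password = raw.decode("utf-8", "replace").partition(":")
        return {"scheme": scheme, "user": user, "password": password,
                "password_recoverable": bool(sep)}
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        # NTLM messages start with the "NTLMSSP\0" signature, then a
        # little-endian 32-bit message type. None of them carries the password.
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return {"scheme": scheme,
                "ntlm_message": NTLM_TYPES.get(msg_type, "UNKNOWN"),
                "password_recoverable": False}
    # Anything else (for example a Kerberos/SPNEGO token) is treated as opaque.
    return {"scheme": scheme, "password_recoverable": False}

# Constructed sample values (not taken from the thread).
SAMPLE_BASIC = "Basic " + base64.b64encode(b"andrew:Passw0rd!").decode()
SAMPLE_NTLM = "NTLM " + base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<I", 1)      # signature + type 1 (negotiate)
    + struct.pack("<I", 0x00000207)            # constructed negotiate flags
    + b"\x00" * 16                             # empty domain/workstation fields
).decode()

if __name__ == "__main__":
    for sample in (SAMPLE_BASIC, SAMPLE_NTLM):
        print(inspect_authorization(sample))
```
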


