Re: integrated vs basic

From: Shane Young (syoung)
Date: 06/08/05


Date: Wed, 8 Jun 2005 11:16:09 -0400

Thank you for your response. :)

So if I read your message and the PDF correctly this is what is happening.

I create an IIS site http://mysite and only set it up to use integrated
authentication
I am doing no proxying
I access the site from the internet
Since my browser is not passing any username/password I get a logon box
This logon box is still using IWA? Not basic?

If that is correct can you just respond with a yep?

I appreciate this. You have made things incredibly clearer.

-- 
Shane Young
http://www.lucruminc.com
I will be presenting at SharePoint Advisor Live!
Stop by and say hello.  I will also be at the 
http://www.SharePointSolutions.com booth
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message 
news:uwIMQoDbFHA.2996@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> Integrated Windows Authentication (IWA) actually involves two separate
> authentication mechanisms. If you have a look at what IIS returns in
> response to the initial anonymous request, you will see:
> WWW-Authenticate: Negotiate
> WWW-Authenticate: NTLM
>
> The first (negotiate) currently means Kerberos, and the second means NTLM.
> Kerberos doesn't work through most firewalls because in order to use
> Kerberos Authentication the client needs to get a Kerberos Service Ticket
> from the KDC (Key Distribution Center). The KDC is hosted on DCs in a
> Windows Active Directory environment, and generally firewalls block access
> to DCs from PCs on the wider internet.
>
> Now, just because there's a firewall between the IIS box and the browser
> doesn't mean that the browser automatically chooses Basic instead. The
> browser has no knowledge of the firewall. It'll pick the first
> authentication mechanism that it supports, and use that. If Kerberos is
> first, and the browser can't contact the KDC, then authentication will
> fail. Now IE does have some smarts built in. If the site is in the Internet
> security zone, Kerberos auth will not be attempted, and IE will use the next
> presented authentication mechanism (NTLM). NTLM works through most firewalls
> (but doesn't work through most proxy servers).
>
> For more information, you might want to have a look at this PDF, which is a
> chapter from the IIS6 Security book that Bernard Cheah and I wrote:
> http://www.adopenstatic.com/resources/books/293_CYA_IIS6_05.pdf
>
> In answer to your question, I would consider using Basic + SSL for external
> clients. Basic is the most widely supported authentication mechanism, and
> works through firewalls and proxy servers. Alternatively, you can use Digest
> Auth instead, which is more secure (see above link for details). That said,
> be aware that neither Basic nor Digest is delegatable (though Windows 2003
> does support something called "protocol transition" that can help you get
> around this) - only Kerberos is natively.
>
> Cheers
> Ken
>
> -- 
> IIS Blog: www.adopenstatic.com/cs/blogs/ken/
> Web: www.adopenstatic.com
>
>
> "Shane Young" <syoung at lucruminc dot com> wrote in message
> news:uDfa3hDbFHA.580@TK2MSFTNGP15.phx.gbl...
> : Hello.  I am a regular in the SharePoint Portal Server NG but this is my
> : first time in the IIS group so forgive me if I get this wrong.
> :
> : I am trying to understand authentication.  I know that if I set up a web
> : site to use only integrated and then put it behind a firewall so integrated
> : doesn't work that it will default to using basic.  Are there any issues with
> : allowing this to happen?  Should I have a separate virtual site that only
> : uses basic auth (with SSL of course) and point people who are in front of the
> : firewall to that site?  Does this make sense?  I design portal server farms
> : all the time and I can never answer this question intelligently.  Maybe
> : someone who understands IIS can?  Even if you can just point me to a white
> : paper or book to read on the topic I would appreciate it.
> :
> : Thanks!
> :
> : -- 
> : Shane Young
> : http://www.lucruminc.com
> :
> : I will be presenting at SharePoint Advisor Live!
> : Stop by and say hello.  I will also be at the
> : http://www.SharePointSolutions.com booth
> :
> :
> :
>
> 

