Re: integrated vs basic
From: Karl Levinson, mvp (levinson_k_at_despammed.com)
Date: 06/09/05
- Next message: Ken Schaefer: "Re: integrated vs basic"
- Previous message: Jeff Cochran: "Re: Logging into website - remove log in box"
- In reply to: Shane Young: "Re: integrated vs basic"
- Next in thread: Ken Schaefer: "Re: integrated vs basic"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 8 Jun 2005 21:41:06 -0400
Yes, I believe so.
Here's a good write up that very clearly underlines some things I was going
to say:
http://www.microsoft.com/windows2000/en/server/iis/htm/core/iiabasc.htm
"Integrated Windows authentication proceeds as follows:
Unlike Basic authentication, it does not initially prompt users for a user
name and password. The current Windows user information on the client
computer is used for the integrated Windows authentication.
Note Internet Explorer, version 4.0 and later, can be configured to
initially prompt for user information if needed. For more information, see
the Internet Explorer documentation.
However, if the authentication exchange initially fails to identify the
user, the browser will prompt the user for a Windows user account user name
and password, which it will process by using integrated Windows
authentication.
Internet Explorer will continue to prompt the user until the user enters a
valid user name and password, or closes the prompt dialog box.
Although integrated Windows authentication is secure, it does have two
limitations.
Only Microsoft Internet Explorer, version 2.0 or later, supports this
authentication method.
Integrated Windows authentication does not work over HTTP Proxy connections.
Therefore, integrated Windows authentication is best suited for an intranet
environment, where both user and Web server computers are in the same
domain, and where administrators can ensure that every user has Microsoft
Internet Explorer, version 2.0 or later."
One thing: The above write up states that Integrated windows authentication
is secure. This is simply not true. I feel the author must have known this
is not true. If you don't use HTTPS encryption, and you don't use Kerberos,
then the authentication is not necessarily secure, and is probably not
secure by default.
The article erroneously claims that "Integrated Windows authentication
(formerly called NTLM or Windows NT Challenge/Response authentication) is a
secure form of authentication because the user name and password are not
sent across the network. When you enable integrated Windows authentication,
the user's browser proves its knowledge of the password through a
cryptographic exchange with your Web server, involving hashing."
"Shane Young" <syoung at lucruminc dot com> wrote in message
news:e1xrE0DbFHA.2668@TK2MSFTNGP12.phx.gbl...
> Thank you for your response. :)
>
> So if I read your message and the PDF correctly this is what is happening.
>
> I create an IIS site http://mysite and only set it up to use integrated
> authentication
> I am doing no proxying
> I access the site from the internet
> Since my browser is not passing any username/password I get a logon box
> This logon box is still using IWA? Not basic?
>
> If that is correct can you just respond with a yep?
>
> I appreciate this. You have made things incredibly clearer.
>
> --
> Shane Young
> http://www.lucruminc.com
>
> I will be presenting at SharePoint Advisor Live!
> Stop by and say hello. I will also be at the
> http://www.SharePointSolutions.com booth
>
>
> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> news:uwIMQoDbFHA.2996@TK2MSFTNGP10.phx.gbl...
> > Hi,
> >
> > Integrated Windows Authentication (IWA) actually involves two separate
> > authentication mechanisms. If you have a look at what IIS returns in
> > response to the initial anonymous request, you will see:
> > WWW-Authenticate: Negotiate
> > WWW-Authenticate: NTLM
> >
> > The first (negotiate) currently means Kerberos, and the second means NTLM.
> > Kerberos doesn't work through most firewalls because in order to use
> > Kerberos Authentication the client needs to get a Kerberos Service Ticket
> > from the KDC (Key Distribution Center). The KDC is hosted on DCs in a
> > Windows Active Directory environment, and generally firewalls block access
> > to DCs from PCs on the wider internet.
> >
> > Now, just because there's a firewall between the IIS box and the browser
> > doesn't mean that the browser automatically chooses Basic instead. The
> > browser has no knowledge of the firewall. It'll pick the first
> > authentication mechanism that it supports, and use that. If Kerberos is
> > first, and the browser can't contact the KDC, then authentication will
> > fail. Now IE does have some smarts built in. If the site is in the Internet
> > security zone, Kerberos auth will not be attempted, and IE will use the next
> > presented authentication mechanism (NTLM). NTLM works through most firewalls
> > (but doesn't work through most proxy servers).
> >
> > For more information, you might want to have a look at this PDF, which is
> > a chapter from the IIS6 Security book that Bernard Cheah and myself wrote:
> > http://www.adopenstatic.com/resources/books/293_CYA_IIS6_05.pdf
> >
> > In answer to your question, I would consider using Basic + SSL for external
> > clients. Basic is the most widely supported authentication mechanism, and
> > works through firewalls and proxy servers. Alternatively, you can use Digest
> > Auth instead, which is more secure (see above link for details). That said,
> > be aware, that neither Basic nor Digest is delegatable (though Windows 2003
> > does support something called "protocol transition" that can help you get
> > around this) - only Kerberos is natively.
> >
> > Cheers
> > Ken
> >
> > --
> > IIS Blog: www.adopenstatic.com/cs/blogs/ken/
> > Web: www.adopenstatic.com
> >
> >
> > "Shane Young" <syoung at lucruminc dot com> wrote in message
> > news:uDfa3hDbFHA.580@TK2MSFTNGP15.phx.gbl...
> > : Hello. I am a regular in the SharePoint Portal Server NG but this is my
> > : first time in the IIS group so forgive me if I get this wrong.
> > :
> > : I am trying to understand authentication. I know that if I set up a web
> > : site to use only integrated and then put it behind a firewall so integrated
> > : doesn't work that it will default to using basic. Are there any issues with
> > : allowing this to happen? Should I have a separate virtual site that only
> > : uses basic auth (with SSL of course) and point people who are in front of the
> > : firewall to that site? Does this make sense? I design portal server farms
> > : all the time and I can never answer this question intelligently. Maybe
> > : someone who understands IIS can? Even if you can just point me to a white
> > : paper or book to read on the topic I would appreciate it.
> > :
> > : Thanks!
> > :
> > : --
> > : Shane Young
> > : http://www.lucruminc.com
> > :
> > : I will be presenting at SharePoint Advisor Live!
> > : Stop by and say hello. I will also be at the
> > : http://www.SharePointSolutions.com booth
> > :
> > :
> > :
> >
> >
>
>
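The challenge selection Ken describes (IIS answers the anonymous request with "WWW-Authenticate: Negotiate" and "WWW-Authenticate: NTLM", and the browser takes the first scheme it supports rather than falling back to Basic) and the wire exposure Karl warns about, worked through as an added example. This code is not part of the thread and is not from IIS or Microsoft: the 401 responses are constructed by hand to match what the posts quote, the zone handling is a simplified model of IE's behaviour exactly as Ken states it, and no server is contacted.

```python
# Added example (not from the original thread): parse the WWW-Authenticate
# challenges an IIS site returns, work out which scheme a client ends up
# using, and show what an attacker on a plain-HTTP path learns from it.
import base64

# Constructed sample: the 401 an IIS site configured for Integrated Windows
# Authentication only returns to an anonymous request (per Ken's post).
IWA_ONLY_401 = [
    "WWW-Authenticate: Negotiate",
    "WWW-Authenticate: NTLM",
]

# Constructed sample: a site that additionally offers Digest and Basic.
MIXED_401 = [
    "WWW-Authenticate: Negotiate",
    "WWW-Authenticate: NTLM",
    'WWW-Authenticate: Digest realm="corp", nonce="abc123", qop="auth"',
    'WWW-Authenticate: Basic realm="corp"',
]


def parse_challenges(headers):
    """Return (scheme, params) for each WWW-Authenticate header, in server
    order. Parameter parsing is simplified: it splits on commas, which is
    enough for the constructed samples above."""
    offered = []
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        scheme, _, params = value.strip().partition(" ")
        parsed = {}
        for item in params.split(","):
            key, _, val = item.strip().partition("=")
            if key:
                parsed[key.strip().lower()] = val.strip().strip('"')
        offered.append((scheme, parsed))
    return offered


def client_supported_schemes(browser_zone):
    """Schemes the client is willing to try. Simplified model of Ken's
    description: IE does not attempt Kerberos (Negotiate) for a site in
    the Internet zone, so the next offered scheme (NTLM) is used."""
    schemes = ["Negotiate", "NTLM", "Digest", "Basic"]
    if browser_zone == "Internet":
        schemes.remove("Negotiate")
    return schemes


def choose_scheme(headers, browser_zone="Intranet"):
    """First offered scheme the client supports, or None. The browser knows
    nothing about firewalls and never invents Basic if it is not offered."""
    supported = client_supported_schemes(browser_zone)
    for scheme, _ in parse_challenges(headers):
        if scheme in supported:
            return scheme
    return None


def exposure(scheme, https):
    """What someone sniffing the connection learns from the chosen scheme."""
    if scheme is None:
        return "no authentication possible"
    if https:
        return "nothing useful (channel encrypted)"
    return {
        "Basic": "username and password in cleartext (base64 only)",
        "Digest": "challenge/response hash, crackable offline",
        "NTLM": "NTLM challenge/response, crackable offline or relayable",
        "Negotiate": "Kerberos AP-REQ, no user password material on the wire",
    }[scheme]


def basic_authorization(user, password):
    """The Authorization header a browser sends once it settles on Basic."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def recover_basic(header):
    """Reverse a captured Basic header: one decode, no cracking needed."""
    token = header.split(" ", 2)[2]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


if __name__ == "__main__":
    for zone in ("Intranet", "Internet"):
        chosen = choose_scheme(IWA_ONLY_401, zone)
        print(f"{zone:8} -> {chosen} | {exposure(chosen, https=False)}")
    hdr = basic_authorization("shane", "S3cret!")   # constructed credentials
    print(hdr, "->", recover_basic(hdr))
```

Running it shows Shane's scenario: an IWA-only site reached from the Internet zone ends up on NTLM, not Basic, and the logon box he sees is the NTLM prompt; with only "Negotiate" offered the request simply fails. The Basic round trip shows why both Ken and Karl insist on SSL for it.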