Re: Anonymous and NTLM

From: Bernard Cheah [MVP] (qbernard_at_hotmail.com.discuss)
Date: 06/14/05


Date: Tue, 14 Jun 2005 08:46:44 +0800

This is by design: browsers will always attempt to connect anonymously, and
based on the authentication challenge header received from the web server, they will
then proceed with the next supported auth method. Refer to this KB:
INFO: How IIS Authenticates Browser Clients
http://support.microsoft.com/?id=264921

-- 
Regards,
Bernard Cheah
http://www.microsoft.com/iis/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/
<rgmullen@gmail.com> wrote in message 
news:1118701316.418324.33580@g47g2000cwa.googlegroups.com...
>I have a customer requirement where they would like to allow certain
> users to use NTLM as they enter our secure site while others would
> login through a web form. The desired action would be to check the
> interactive user's credentials upon entry to the site then compare it
> to an ACL we have. If they are not in this list they would be
> redirected to the web form login.
>
> It appears to me that enabling both Anonymous and NTLM in IIS will use
> the lowest credentials needed to complete a given resource request. It
> would seem that the goal of this requirement could be met by denying
> access to the initial page to IUSR_<servername> account and then
> redirecting in ASP code on failure but this would seem to be less than
> elegant at best.
>
> Can anyone offer a suggestion as to how the initial resource can be
> left unsecured yet have the server challenge for credentials anyway?
> 
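
The anonymous-first exchange described in the reply, together with the entry-page approach proposed in the question, as an added Python model (not code from either poster). The server logic, account names, paths and the one-header stand-in for the NTLM handshake are assumptions made for illustration.

```python
# Constructed model: a simplified IIS-like server. Accounts, paths and lists are hypothetical.
ACL = {  # resource -> accounts with read access (stand-in for NTFS permissions)
    "/default.asp": {"IUSR_SERVER", "CORP\\alice", "CORP\\bob"},
    "/entry.asp": {"CORP\\alice", "CORP\\bob"},  # IUSR_<servername> denied here
}
ALLOWED_USERS = {"CORP\\alice"}  # the application's own list from the question


def server(path, authorization=None, anonymous=True, ntlm=True):
    """Answer one request; returns (status, headers, identity used)."""
    challenge = {"WWW-Authenticate": "NTLM"} if ntlm else {}
    if authorization is None:
        # Anonymous is tried first and wins whenever IUSR may read the resource.
        if anonymous and "IUSR_SERVER" in ACL[path]:
            return 200, {}, "IUSR_SERVER"
        return 401, challenge, None
    # Simplification: the multi-message NTLM handshake is collapsed into one
    # header that carries the account name directly.
    scheme, _, user = authorization.partition(" ")
    if ntlm and scheme == "NTLM" and user in ACL[path]:
        return 200, {}, user
    return 401, challenge, None


def browser(path, windows_user=None, **server_opts):
    """Send no credentials first; answer a challenge only after a 401."""
    status, headers, user = server(path, **server_opts)
    trace = [("anonymous", status)]
    offered = headers.get("WWW-Authenticate")
    if status == 401 and offered == "NTLM" and windows_user:
        status, headers, user = server(path, f"NTLM {windows_user}", **server_opts)
        trace.append(("NTLM", status))
    return status, user, trace


def enter_site(windows_user=None):
    """Entry page with anonymous access denied, then the application list check."""
    status, user, trace = browser("/entry.asp", windows_user)
    if status == 200 and user in ALLOWED_USERS:
        return "/app/home.asp", trace
    return "/login.asp", trace  # failed or absent NTLM falls back to the form


if __name__ == "__main__":
    print(browser("/default.asp", "CORP\\alice"))
    for who in ("CORP\\alice", "CORP\\bob", None):
        print(who, enter_site(who))
```

The first call shows a domain user being served as the anonymous account on a page IUSR can read; no challenge is ever sent, so no Windows identity reaches the application.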

