Re: How to make integrated auth fallback to Basic
- From: "David Wang [Msft]" <someone@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 10 Feb 2006 00:58:33 -0800
Why should an authentication protocol assume that?
Domain of relevance is as much a necessary qualifier on identity as the
username itself.
Besides, membership of server in a "domain" says nothing about transitivity.
For example:
What happens if you have two domains, A and B, and username C exists in both
domains A & B (imagine a company merger and username is something common
like David). If someone tries to log in as "David" to a webserver that is in
domain A, you're saying it should assume "domain A's David" when it could
well be "domain B's David" that is trying to log in. How in the world can the
webserver figure this out? And if you want the code to try "domain B's
David" on failure to log in as "domain A's David", then attackers can use
that to DoS your machine. Security has a knack for being hard like that.
There is no such thing as a "default domain" when it comes to Integrated
Windows Authentication because the protocol is secured against that. Since
Basic authentication passes username/password to the server in clear text
and the server calls the LogonUser() Win32 API to log in the user, that API
allows you to insert a "domain" -- hence Basic Authentication has this
"feature".
Integrated Windows Authentication, on the other hand, does NOT pass
username/password to the server in any form - just a bunch of hashes and
binary blobs pass back and forth and IIS just gets an NT user token at the
end if successful -- so there is no way to insert a "default domain". It
wouldn't make security sense, either - because the ability to alter the "default
domain" of a user principal means that you are able to alter the domain of
relevance of the identity, and that is a security no-no.
Now, if the problem is that users cannot seem to remember a domain name,
then try configuring Windows to use UPN in which case it is
username@xxxxxxxxxx and password -- and if you configure email
correspondingly, users only remember "my email address" and "my password"
without even thinking about the domain.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Mark" <marka@xxxxxxxxxxxxxx> wrote in message
news:1139518417.294186.230940@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
OK - makes sense. So if I want to disable Basic and use IWA
exclusively, is there any way to specify a default domain? I only have
one domain which the web server is a member of. You'd think IWA would
authenticate non-domain clients against it automatically.
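The point David makes about Basic auth is that the domain qualifier travels inside the username itself (DOMAIN\user or the UPN form user@domain), and a bare username gives the server nothing safe to guess with. The following is an added example, not code from the thread or from IIS: it decodes a Basic Authorization header, separates the domain qualifier from the account, and, against a constructed two-domain directory, shows why an unqualified "David" cannot be resolved.

```python
import base64
import re
from typing import Dict, List, Optional, Set, Tuple

# Regexes for the two qualified forms a Basic-auth username can carry.
UPN_RE = re.compile(r"^([^@\\]+)@([A-Za-z0-9.-]+)$")        # user@domain
DOWNLEVEL_RE = re.compile(r"^([A-Za-z0-9.-]+)\\([^@\\]+)$")  # DOMAIN\user

def make_basic_header(user: str, password: str) -> str:
    """Build the 'Authorization: Basic ...' value a client would send (constructed input)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_basic_header(header: str) -> Tuple[str, str]:
    """Return (username, password) from a Basic credential; raise on malformed input."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("malformed user:password pair")
    return user, password

def split_identity(user: str) -> Tuple[Optional[str], str]:
    """Return (domain, account); domain is None when the user supplied no qualifier."""
    m = DOWNLEVEL_RE.match(user)
    if m:
        return m.group(1).upper(), m.group(2)
    m = UPN_RE.match(user)
    if m:
        return m.group(2).lower(), m.group(1)
    return None, user  # bare username: do NOT invent a default domain here

def candidate_domains(account: str, directory: Dict[str, Set[str]]) -> List[str]:
    """Every domain in the (constructed) directory that holds this account name."""
    return sorted(d for d, users in directory.items() if account in users)

def classify(header: str, directory: Dict[str, Set[str]]) -> dict:
    """Decode the header and report whether the identity is unambiguous."""
    user, _ = parse_basic_header(header)
    domain, account = split_identity(user)
    candidates = [domain] if domain else candidate_domains(account, directory)
    return {"account": account, "domain": domain,
            "qualified": domain is not None, "candidates": candidates,
            "ambiguous": domain is None and len(candidates) != 1}

# Constructed directory mirroring the post's merger scenario: "David" exists in both A and B.
DIRECTORY = {"A": {"David", "Alice"}, "B": {"David", "Mark"}}
```

Run `classify(make_basic_header("David", "pw"), DIRECTORY)` to see the unqualified login flagged ambiguous, while `A\David` or `david@b.example` resolves to exactly one domain.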