Re: Accessing Website without using Domain in User Name
- From: David Wang <w3.4you@xxxxxxxxx>
- Date: Wed, 20 Aug 2008 15:48:06 -0700 (PDT)
Well, I am sure the same users sign in to other websites either with a
username (tied to an email address) or some email address. So, I
consider such complaints nonsense, and here's why.
You will not be allowed to insert a webpage and then initiate
Integrated Auth on their behalf because that is considered a man-in-the-middle
attack on Integrated Auth. Likewise, you cannot write any code
which just inserts a default domain, like what you can do with Basic
authentication -- because that is also considered a man-in-the-middle
attack.
BTW, this is not something specific to Integrated Authentication. Just
about every worthy public authentication protocol behaves in the same
manner. Even proprietary systems like Google Account, Windows LiveID,
etc. use an email address to provide username + realm information
for authentication.
In short, this is the classic tradeoff between usability and security.
Many in the secure world have decided that name+realm is proper, as
evidenced by publicly accepted specifications. Now, you can always
build proprietary systems where only name is used, but you will soon
find faults with that approach.
So, it's your choice. Either you cough up the time to deal with the
security problems, or make your users accept username+realm form of
identification and play along with everyone else in the world.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Aug 19, 7:16 am, Jeremy_Lawrence
<JeremyLawre...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Thanks for your response. I am sure they can remember their e-mail address,
however it is considered an "inconvenience" for them to have to do this which
I consider a bit unfortunate.
Thanks anyways.
--
MCP, MCSA, MCSE+Security, CEH, CCA
"David Wang" wrote:
On Aug 12, 8:52 am, Jeremy_Lawrence
<JeremyLawre...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I currently have a server set up that can be accessed externally. However it
is set up using Basic Authentication (which I don't want to use) and only
requires the user name and password entered but does not require
domain\username.
I have some real picky end users that find it very inconvenient to have to
put in the domain name, so I am trying to find out how I can do this with
Integrated security without having to add the domain name when prompted.
Can I create a web page that just asks for the user name and password and
then in the backend I could pass the domain information, or am I just making
this out to be harder than it really is to fix?
Thanks,
--
MCP, MCSA, MCSE+Security, CEH, CCA
Can your users remember their email address? If so, and you have
matched their email address to their UPN in Active Directory, they can
use it to login with Integrated Authentication.
Your approach will not work. Secure Authentication Protocols will not
allow customization by such a web page because it is considered a Man-
in-the-middle attack.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
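David's recommendation above (match each user's email address to the UPN in Active Directory, so that Integrated Authentication accepts user@domain.com instead of DOMAIN\user) is an administrative change rather than something the web page can do. The script below is an added example, not code from this thread or from David Wang, showing how that alignment can be done with the ActiveDirectory PowerShell module (RSAT). The OU path 'OU=Users,DC=example,DC=com', the use of the 'mail' attribute as the source address, and the function name Sync-UpnToMail are assumptions for illustration; it needs rights to modify user objects and, for new suffixes, the forest's UPN suffix list.

```powershell
# Added example (not from the thread): align UserPrincipalName with the 'mail'
# attribute so users can sign in to Integrated Windows Authentication as
# user@example.com. Assumes the RSAT ActiveDirectory module and sufficient rights.
# The OU path and attribute choice are assumptions; adjust for your forest.

#Requires -Modules ActiveDirectory

function Sync-UpnToMail {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumed OU; only users under this path are touched
        [string]$SearchBase = 'OU=Users,DC=example,DC=com'
    )

    $forest = Get-ADForest
    # A UPN logon only resolves when its suffix is a domain name or a registered
    # alternative suffix in the forest, so collect everything that is accepted today.
    $known = @($forest.UPNSuffixes) + @($forest.Domains)

    # Users that have a mail address at all
    $users = Get-ADUser -Filter 'mail -like "*"' -SearchBase $SearchBase `
                -Properties mail, userPrincipalName

    foreach ($u in $users) {
        $mail = $u.mail.Trim().ToLowerInvariant()
        if (-not ($mail -match '^[^@\s]+@([^@\s]+)$')) {
            Write-Warning "$($u.SamAccountName): '$mail' is not a usable address; skipped"
            continue
        }
        $suffix = $Matches[1]

        # Register the email domain as a UPN suffix if the forest does not know it yet
        if ($known -notcontains $suffix) {
            if ($PSCmdlet.ShouldProcess($forest.Name, "Add UPN suffix '$suffix'")) {
                Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $suffix }
                $known += $suffix
            }
        }

        if ($u.UserPrincipalName -eq $mail) { continue }   # already aligned

        # UPNs must be unique across the forest; never create a collision
        $clash = Get-ADUser -Filter "userPrincipalName -eq '$mail'" -ErrorAction SilentlyContinue
        if ($clash -and $clash.DistinguishedName -ne $u.DistinguishedName) {
            Write-Warning "$($u.SamAccountName): UPN '$mail' already belongs to $($clash.SamAccountName); skipped"
            continue
        }

        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Set UPN '$($u.UserPrincipalName)' -> '$mail'")) {
            Set-ADUser -Identity $u -UserPrincipalName $mail
        }
    }
}

# Dry run first (nothing is written), then apply:
# Sync-UpnToMail -WhatIf
# Sync-UpnToMail
```

Run it with -WhatIf first and read the proposed changes; the two things that commonly go wrong are an email domain that is not yet a registered UPN suffix (the script adds it, which is a forest-wide change) and two accounts sharing one address (the script skips them rather than silently stealing the UPN). Once the UPNs are in place, the users type the same address they already use for email at the Integrated Authentication prompt, and no default domain has to be injected anywhere.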