Re: Are credentials sent via a client browser->IIS6.0 if using 'integrated authentication' protected by Kerberos?

From: Marlon Brown (marlon_brownj_at_hotmail.com)
Date: 11/02/04


Date: Mon, 1 Nov 2004 17:45:45 -0800

Let me confirm:
If both "Basic authentication" and "Windows integrated authentication"
options are selected in IIS6, the one that will prevail is 'basic
authentication'? In that case, the credentials and password would be sent
in clear text, right?

"Miha Pihler" <mihap-news@atlantis.si> wrote in message
news:eSuQueHwEHA.3292@TK2MSFTNGP15.phx.gbl...
> Hi Marlon,
>
> For Integrated Auth. Kerberos or NTLM is used -- depends on server and
> client configuration -- by default Kerberos will be used. Since Kerberos
> or NTLM are used, user information is protected when sent between the
> client and server.
>
> Note, this is only true for user information, not for the web site
> content!
>
> Mike
>
> "Marlon Brown" <marlon_brownj@hotmail.com> wrote in message
> news:OO5TRHHwEHA.3840@tk2msftngp13.phx.gbl...
>> Imagine I am not using SSL or a certificate. I go to IE and launch http:\\
>> MyServerSite
>>
>> The authentication in use is "Windows integrated authentication".
>>
>> Since I am not using SSL, if somebody uses a packet decoder to grab data
>> from that connection, what type of information would be retrievable? Is
>> the login information/password protected by Kerberos in this scenario?
>>
>
>
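
An added example, not part of the original posts: a small Python check that decodes HTTP `Authorization` header values and reports which ones carry a recoverable password over plain HTTP, contrasting Basic with the NTLM and Negotiate tokens used by integrated authentication. The user name, password and token bytes are constructed sample values, and the function names are hypothetical.

```python
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

def inspect_authorization(value):
    """Describe what one HTTP Authorization header value exposes on the wire."""
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return {"scheme": scheme, "cleartext_password": False,
                "detail": "token is not valid base64"}
    if scheme == "basic":
        # Basic is only base64("user:password"); decoding recovers both parts.
        user, sep, password = raw.decode("utf-8", "replace").partition(":")
        return {"scheme": scheme, "cleartext_password": bool(sep),
                "detail": f"user={user!r}, password length={len(password)}"}
    if scheme in ("ntlm", "negotiate"):
        # These tokens are protocol messages; the password itself is not in them.
        if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 12:
            msg_type = int.from_bytes(raw[8:12], "little")
            detail = f"NTLMSSP message type {msg_type}"
        elif raw[:1] == b"\x60":
            detail = "GSS-API token (SPNEGO, typically wrapping Kerberos)"
        else:
            detail = "unrecognised token"
        return {"scheme": scheme, "cleartext_password": False, "detail": detail}
    return {"scheme": scheme, "cleartext_password": False, "detail": "scheme not handled"}

def flag_exposed(requests):
    """Return URLs of plain-HTTP requests whose header carries a decodable password."""
    return [url for url, header in requests
            if url.lower().startswith("http://")
            and inspect_authorization(header)["cleartext_password"]]

def _b64(data):
    return base64.b64encode(data).decode("ascii")

# Constructed sample traffic (hypothetical user, password and token bytes).
SAMPLE_REQUESTS = [
    ("http://MyServerSite/", "Basic " + _b64(b"alice:S3cret!")),
    ("https://MyServerSite/", "Basic " + _b64(b"alice:S3cret!")),
    ("http://MyServerSite/", "NTLM " + _b64(NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2")),
    ("http://MyServerSite/", "Negotiate " + _b64(b"\x60\x82\x01\x00" + b"\x00" * 16)),
]

if __name__ == "__main__":
    for url, header in SAMPLE_REQUESTS:
        print(url, inspect_authorization(header))
    print("exposed:", flag_exposed(SAMPLE_REQUESTS))
```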


