| Ken Schaefer 2004-12-16, 3:37 am |
| Hi,
You might want to take a look at this:
http://www.adopenstatic.com/resourc...CYA_IIS6_05.pdf
- SSL encrypts the entire transmission - not just the authentication headers.
- If using Basic and Integrated Windows Authentication, then the browser
will pick IWA if it supports IWA (actually, the server would typically send
back three authentication headers: Negotiate, NTLM and Basic, and the
browser would pick the first one listed that it supports)
- IWA actually encompasses two discrete authentication mechanisms: Kerberos
and NTLM. I think you are referring to NTLM below.
Cheers
Ken
"KRG123" <KRG123@discussions.microsoft.com> wrote in message
news:2952B3C9-D684-4858-8BD7-591CAAD83555@microsoft.com...
> Hello All,
>
> I need a little help to confirm a desired configuration to ensure Web Site
> security. Please have a look at my current understanding from documentation
> and provide advice:
>
> ---Windows Integrated Authentication: Utilizes credentials of the user
> network logon process. Hashes the userid and password before it is sent over
> the network. The client submits the password through a cryptographic
> exchange with your Web server that involves hashing. This method of
> authentication provides its own form of encryption.
>
>
> ---Basic Authentication w/SSL -- encrypts user credentials provided from the
> userid/password dialog box for webserver authentication.
>
> ---Combination of Integrated Authentication + Basic Authentication w/SSL:
> Actually provides two layers of authentication; it doesn't further encrypt
> the transmission of the credentials obtained through Integrated
> Authentication.
>
> Would there ever be a time in which it would be beneficial to combine the
> two methods? Is the Windows Integrated Authentication truly the most secure
> form of machine credentials?
>
> Thanks
>
>
|
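
Added example, not part of the original thread: a small Python check that models the selection rule stated in the reply (the client takes the first listed scheme it supports) and reports when that choice, or an offered Basic fallback, leaves credentials or content unprotected because SSL is not in use. The function names, the `intranet.example` host and the sample headers are constructed for illustration, and one challenge per `WWW-Authenticate` header line is assumed.

```python
from urllib.parse import urlsplit

# Constructed sample: one challenge per WWW-Authenticate header line, in the
# order given in the reply above (Negotiate, NTLM, Basic).
SAMPLE_CHALLENGES = ["Negotiate", "NTLM", 'Basic realm="intranet"']
IWA = {"negotiate", "ntlm"}


def offered_schemes(challenges):
    """Scheme names (lower-cased) in the order the server listed them."""
    return [c.split(None, 1)[0].lower() for c in challenges if c.strip()]


def pick_scheme(challenges, client_supports):
    """First listed scheme that the client supports, or None."""
    supported = {s.lower() for s in client_supports}
    for scheme in offered_schemes(challenges):
        if scheme in supported:
            return scheme
    return None


def audit(url, challenges, client_supports):
    """Return (chosen scheme, list of findings) for one site and client."""
    tls = urlsplit(url).scheme.lower() == "https"
    chosen = pick_scheme(challenges, client_supports)
    findings = []
    if not tls and "basic" in offered_schemes(challenges):
        if chosen == "basic":
            findings.append("Basic chosen without SSL: password is only base64-encoded")
        else:
            findings.append("Basic offered without SSL: a client without IWA would use it")
    if not tls and chosen in IWA:
        findings.append("IWA covers the logon exchange only: page content is not encrypted")
    return chosen, findings


if __name__ == "__main__":
    # Hypothetical site URLs and client capability sets.
    for url in ("http://intranet.example/", "https://intranet.example/"):
        for client in (["Negotiate", "NTLM", "Basic"], ["Basic"]):
            print(url, client, audit(url, SAMPLE_CHALLENGES, client))
```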