IIS Server Security - Integrated Authentication Timeout







mark.miller@gmx.org

2004-02-19, 9:34 am

I can't find a decent White Paper on Integrated Authentication.

So I can't figure out the following questions:

If I use an IIS site after logging in with Integrated Authentication
(let's say Kerberos flavor), how long can I be inactive before I have
to re-authenticate?

Where can I set this parameter?

There must be some kind of Integrated Authentication State on the IIS,
so is there a limit on how many sessions it can simultaneously handle?

What about memory requirements per session?

Can anyone help me here? What I would most like would be a White Paper
with this stuff in it.

Thanks, Mark
Tom Kaminski [MVP]

2004-02-20, 12:34 am

<mark.miller@gmx.org> wrote in message
news:dd87a512.0402191436.18138e19@posting.google.com...
> I can't find a decent White Paper on Integrated Authentication.
>
> So I can't figure out the following questions:
>
> If I use an IIS site after logging in with Integrated Authentication
> (let's say Kerberos flavor), how long can I be inactive before I have
> to re-authenticate?
>
> Where can I set this parameter?
>
> There must be some kind of Integrated Authentication State on the IIS,
> so is there a limit on how many sessions it can simultaneously handle?
>
> What about memory requirements per session?
>
> Can anyone help me here? What I would most like would be a White Paper
> with this stuff in it.


I think because credentials are managed/cached by the client, it's really
not an IIS issue and therefore you cannot set a timeout on the server ...

--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsser...ty/centers/iis/



mark.miller@gmx.org

2004-02-20, 11:34 am

So how does IIS know that the client was already authenticated? Does
it set a cookie? That doesn't sound right.


"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message news:<c152h1$bkv13@kcweb01.netnews.att.com>...
> <mark.miller@gmx.org> wrote in message
> news:dd87a512.0402191436.18138e19@posting.google.com...
>
> I think because credentials are managed/cached by the client, it's really
> not an IIS issue and therefore you cannot set a timeout on the server ...

David Wang [Msft]

2004-02-20, 5:33 pm

Integrated Authentication is an umbrella that actually consists of several
authentication schemes. The default order for negotiate is Kerberos, then
NTLM.

NTLM is connection-based authentication. That is, there is an initial 3-way
handshake to establish that connection, after which all communication across
that connection is presumed to be authenticated as the initial user. Thus,
its lifetime is limited by the lifetime of that connection. It is this
connection-dependency that makes NTLM not work correctly in Internet
scenarios across proxies that may pool connections.

Kerberos Authentication is something totally different. It is a token-based
authentication scheme where an initial one-way hash is used to determine
authenticity, and thereafter, a token that contains the valid originating
IP, "Freshness", and applicable services (all encrypted) is given to the
authenticated user. The browser hands this token around to servers for
authentication, and the server verifies that the token is not stale, the
user is from the originating IP, and that the applicable services are
rendered by this server -- and if it all checks out, access is granted.
Thus, the lifetime of Kerberos is bound by the "Freshness" (which tends to
be small, like 15 minutes, since otherwise replay attacks can be made
against Kerberos).

As for limits, that is something you empirically derive through testing
because every setup is unique.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
<mark.miller@gmx.org> wrote in message
news:dd87a512.0402201614.726bc6d9@posting.google.com...
So how does IIS know that the client was already authenticated? Does
it set a cookie? That doesn't sound right.


"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:<c152h1$bkv13@kcweb01.netnews.att.com>...
> <mark.miller@gmx.org> wrote in message
> news:dd87a512.0402191436.18138e19@posting.google.com...
>
> I think because credentials are managed/cached by the client, it's really
> not an IIS issue and therefore you cannot set a timeout on the server ...
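The three server-side checks David describes for a Kerberos token (not stale, presented from the originating IP, issued for the service this server renders), as an added Python model; this is not code from the thread, from IIS or from a Kerberos implementation. The 15-minute window, the service name and the token fields are assumptions, and a real service ticket is encrypted by the KDC rather than a plain record.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FRESHNESS_WINDOW = timedelta(minutes=15)  # assumed; the post says "like 15 minutes"
SPN = "HTTP/web01.example.test"           # hypothetical service name for this server


@dataclass(frozen=True)
class ServiceToken:
    """Hypothetical stand-in for a Kerberos service ticket (really KDC-encrypted)."""
    user: str
    client_ip: str       # originating IP the token was issued for
    service: str         # service the token applies to
    issued_at: datetime  # "Freshness" reference point


def verify_token(token, request_ip, this_service, now):
    """The three server-side checks from the post: not stale, same originating
    IP, and issued for the service this server renders. Returns (ok, detail)."""
    age = now - token.issued_at
    if age < timedelta(0) or age > FRESHNESS_WINDOW:
        return False, "stale"            # an old token cannot be replayed
    if token.client_ip != request_ip:
        return False, "ip-mismatch"
    if token.service != this_service:
        return False, "wrong-service"
    return True, token.user


def token_scenarios():
    """Constructed cases: fresh and matching; replayed 16 minutes later; presented
    from a different IP; and presented to a server the token was not issued for."""
    issued = datetime(2004, 2, 20, 9, 0, tzinfo=timezone.utc)
    tok = ServiceToken("mark", "10.0.0.5", SPN, issued)
    fresh = verify_token(tok, "10.0.0.5", SPN, issued + timedelta(minutes=5))
    replay = verify_token(tok, "10.0.0.5", SPN, issued + timedelta(minutes=16))
    moved = verify_token(tok, "10.0.0.9", SPN, issued + timedelta(minutes=5))
    other = verify_token(tok, "10.0.0.5", "HTTP/other.example.test",
                         issued + timedelta(minutes=5))
    return fresh, replay, moved, other
```

Only the first scenario is granted access; the replayed, relocated and misdirected presentations are each refused by a different check, which is why the freshness window is kept short.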










Copyright 2003 - 2008 webservertalk.com