IIS Server Security - Switching from Integrated Authentication to Anonymous

PMarino

2005-04-28, 2:48 am

Hi all. I have a problem that I'm not sure I understand. I have a web site
framework that is designed to support Windows Authentication, Forms
Authentication or Mixed. When logging off from Windows Authentication, the
framework redirects to a special page that allows Anonymous Access but does
not allow Windows Authentication. This special page then redirects to the
front page of the application. This front page permits Anonymous and Windows
Auth.

While the special page is accessed Anonymously, the next (front) page uses
Windows Auth again. This doesn't make sense to me, and I'm wondering what to
do about it. To make sure it's not the framework's bug, I wrote a simple
test app consisting of 3 ASP.Net pages, with the following security config:

Test.Aspx - Allow Anonymous AND Windows Auth. Front page of applications.

Secure.Aspx - Allow Windows Auth, do NOT allow Anonymous. Page used to grab
user's Windows auth.

NotSecure.Aspx - Allow Anonymous, do NOT allow Windows Auth. Page used to
'log out'.


In this test scenario, Test.Aspx redirects to Secure.Aspx, and then back to
Test.Aspx. When I click 'Logout', I am redirected to NotSecure.Aspx, and
then back to Test.Aspx.

Any idea of why this happens, and how I can work around it?

Thanks in advance.

Here's a sample of the IIS Log file:


04:15:45 - GET /TestSecurity/Test.aspx - 302 -
04:15:45 - GET /TestSecurity/Secure.aspx - 401
04:15:45 Domain\UserName GET /TestSecurity/Secure.aspx - 302
04:15:45 Domain\UserName GET /TestSecurity/Test.aspx Stage=Logon 200
04:15:49 Domain\UserName POST /TestSecurity/Test.aspx Stage=Logon 302
04:15:49 - GET /TestSecurity/NotSecure.aspx - 302
04:15:49 Domain\UserName GET /TestSecurity/Test.aspx Stage=Logoff 200
Ken Schaefer

2005-04-28, 2:48 am

Once authenticated, IE will continue sending the user's credentials until
either:
a) the process is shut down (iexplorer.exe or whatever)
b) the server rejects the credentials (in which case IE will prompt the user
for new credentials)

How can you get around this to accomplish what you want? Your options are
listed here:
http://www.adopenstatic.com/cs/blog...5/04/12/14.aspx
Clearing IE's credential cache

Cheers
Ken

--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com
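
Added example, not part of the original thread or either poster's code: a small check over the IIS log sample from the question that flags any request still carrying a Windows identity after the anonymous hit on the logout page, which is the behaviour the reply above describes. The function names are hypothetical, and treating all lines as one browser is an assumption because the sample has no client-IP field.

```python
# Log lines copied from the thread: time, user, method, URI, query, status.
# "-" in the user field means the request was served anonymously.
SAMPLE_LOG = r"""
04:15:45 - GET /TestSecurity/Test.aspx - 302 -
04:15:45 - GET /TestSecurity/Secure.aspx - 401
04:15:45 Domain\UserName GET /TestSecurity/Secure.aspx - 302
04:15:45 Domain\UserName GET /TestSecurity/Test.aspx Stage=Logon 200
04:15:49 Domain\UserName POST /TestSecurity/Test.aspx Stage=Logon 302
04:15:49 - GET /TestSecurity/NotSecure.aspx - 302
04:15:49 Domain\UserName GET /TestSecurity/Test.aspx Stage=Logoff 200
"""
LOGOUT_PAGE = "/TestSecurity/NotSecure.aspx"  # the thread's anonymous-only page


def parse_line(line):
    """Return one log entry as a dict, or None if the line does not parse."""
    fields = line.split()
    if len(fields) < 6 or not fields[5].isdigit():
        return None
    time, user, method, uri, query, status = fields[:6]
    return {"time": time, "user": None if user == "-" else user,
            "method": method, "uri": uri, "query": query, "status": int(status)}


def find_ineffective_logouts(log_text, logout_page=LOGOUT_PAGE):
    """Return (logout_time, request_time, user, uri) for each request that
    carries a Windows identity after an anonymous hit on the logout page.

    Assumption: the sample has no client-IP field, so every line is treated
    as the same browser; group real logs by client address first.
    """
    findings, logged_out_at = [], None
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        if entry["user"] is None and entry["uri"].lower() == logout_page.lower():
            logged_out_at = entry["time"]          # anonymous logout hit
        elif entry["status"] == 401:
            logged_out_at = None                   # server challenged: new logon
        elif logged_out_at and entry["user"]:
            findings.append((logged_out_at, entry["time"], entry["user"], entry["uri"]))
            logged_out_at = None                   # report once per logout
    return findings


if __name__ == "__main__":
    for hit in find_ineffective_logouts(SAMPLE_LOG):
        print("identity still sent after logout:", hit)
```

A 401 between the logout hit and the next authenticated request clears the flag, since an identity presented after a fresh server challenge is a new logon rather than a leftover one.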





Copyright 2003 - 2008 webservertalk.com