IIS Server Security - Logging into website

Author

Logging into website - remove log in box

mattastic

2005-06-08, 5:57 pm

Hi,

I'm a bit of newbie to networks and IIS.

The users on my network, log in using a novell login box when they boot up
their pc.

When they open their browser, they have to enter the same username and
password to log into our intranet.

Is there anyway I can get rid of the login prompt for the browser, and log
them in automatically using the initial windows login they entered.

Thanks in advance

--
www.w00t.biz

Jeff Cochran

2005-06-08, 8:48 pm

On Wed, 8 Jun 2005 07:35:05 -0700, mattastic
<mattastic@discussions.microsoft.com> wrote:

>Hi,
>
>I'm a bit of newbie to networks and IIS.
>
>The users on my network, log in using a novell login box when they boot up
>their pc.
>
>When they open their browser, they have to enter the same username and
>password to log into our intranet.
>
>Is there anyway I can get rid of the login prompt for the browser, and log
>them in automatically using the initial windows login they entered.

Enable basic authentication, remove anonymous access and add the
intranet to the intranet zone in Internet Explorer.

Jeff

mattastic

2005-06-09, 2:48 am

Great thanks John.

Is the username and password stored in a session variable or in the browser?

Is there a way I can access them?

--
www.w00t.biz

"Jeff Cochran" wrote:

> On Wed, 8 Jun 2005 07:35:05 -0700, mattastic
> <mattastic@discussions.microsoft.com> wrote:
>
>
> Enable basic authentication, remove anonymous access and add the
> intranet to the intranet zone in Internet Explorer.
>
> Jeff
>

Jeff Cochran

2005-06-09, 7:49 am

On Thu, 9 Jun 2005 00:59:01 -0700, mattastic
<mattastic@discussions.microsoft.com> wrote:

>Great thanks John.
>
>Is the username and password stored in a session variable or in the browser?
>
>Is there a way I can access them?

Neither. Unless you sttroed them there that is. IE passes
credentials to sites it trusts, such as those in the Intranet zone.
It doesn't pass credentials to other sites.

Jeff

David Wang [Msft]

2005-06-11, 8:48 pm

FYI: the issue is NOT about removing the login box. The issue is either:
1. you are making IIS require authentication when you do not need it
2. you need the client to auto-authenticate to the web server.

If you have #1, then enable anonymous authentication and disable any other
authentication in IIS. Assuming your anonymous username/password is
correctly configured in IIS, any user should access IIS web pages without
seeing a login box

If you have #2, then you need to configure IIS to require authentication,
disable anonymous authentication, and configure the browser to auto-login
with the current username/password. IIS will challenge for access, but
browser auto-login so no login box shows up.

Re: access to username/password on the server-side

Insecure authentication algorithms like Basic authentication actually sends
over the username:password, so you can retrieve it with AUTH_USER and
AUTH_PASSWORD. Secure authentication methods only send hashes that prove the
remote user knew the password but never sends the password over the
network -- so the server obviously has no way to retrieve the password --
only has the username.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"mattastic" <mattastic@discussions.microsoft.com> wrote in message
news:2F570646-DCE7-44C6-8015-093A5CF509DA@microsoft.com...
Great thanks John.

Is the username and password stored in a session variable or in the browser?

Is there a way I can access them?

--
www.w00t.biz

"Jeff Cochran" wrote:

> On Wed, 8 Jun 2005 07:35:05 -0700, mattastic
> <mattastic@discussions.microsoft.com> wrote:
>
up[vbcol=seagreen]
log[vbcol=seagreen]
>
> Enable basic authentication, remove anonymous access and add the
> intranet to the intranet zone in Internet Explorer.
>
> Jeff
>