integrated vs basic
Shane Young 2005-06-08, 5:57 pm
Hello. I am a regular in the SharePoint Portal Server NG but this is my
first time in the IIS group so forgive me if I get this wrong.
I am trying to understand authentication. I know that if I set up a web
site to use only integrated and then put it behind a firewall so integrated
doesn't work that it will default to using basic. Are there any issues with
allowing this to happen? Should I have a separate virtual site that only
uses basic auth (with SSL of course) and point people who are in front of the
firewall to that site? Does this make sense? I design portal server farms
all the time and I can never answer this question intelligently. Maybe
someone who understands IIS can? Even if you can just point me on a white
paper or book to read on the topic I would appreciate it.
Thanks!
--
Shane Young
http://www.lucruminc.com
I will be presenting at SharePoint Advisor Live!
Stop by and say hello. I will also be at the
http://www.SharePointSolutions.com booth

Ken Schaefer 2005-06-08, 5:57 pm
Hi,
Integrated Windows Authentication (IWA) actually involves two separate
authentication mechanisms. If you have a look at what IIS returns in
response to the initial anonymous request, you will see:
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
The first (negotiate) currently means Kerberos, and the second means NTLM.
Kerberos doesn't work through most firewalls because in order to use
Kerberos Authentication the client needs to get a Kerberos Service Ticket
from the KDC (Key Distribution Center). The KDC is hosted on DCs in a
Windows Active Directory environment, and generally firewalls block access
to DCs from PCs on the wider internet.
Now, just because there's a firewall between the IIS box and the browser
doesn't mean that the browser automatically chooses Basic instead. The
browser has no knowledge of the firewall. It'll pick the first
authentication mechanism that it supports, and use that. If Kerberos is
first, and the browser can't contact the KDC, then authentication will
fail. Now IE does have some smarts built in. If the site is in the Internet
security zone, Kerberos auth will not be attempted, and IE will use the next
presented authentication mechanism (NTLM). NTLM works through most firewalls
(but doesn't work through most proxy servers).
For more information, you might want to have a look at this PDF, which is
a chapter from the IIS6 Security book that Bernard Cheah and myself wrote:
http://www.adopenstatic.com/resourc...CYA_IIS6_05.pdf
In answer to your question, I would consider using Basic + SSL for external
clients. Basic is the most widely supported authentication mechanism, and
works through firewalls and proxy servers. Alternatively, you can use Digest
Auth instead, which is more secure (see above link for details). That said,
be aware that neither Basic nor Digest is delegatable (though Windows 2003
does support something called "protocol transition" that can help you get
around this) - only Kerberos is natively.
Cheers
Ken
--
IIS Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com

Shane Young 2005-06-08, 5:57 pm
Thank you for your response.
So if I read your message and the PDF correctly this is what is happening.
I create an IIS site http://mysite and only set it up to use integrated
authentication
I am doing no proxying
I access the site from the internet
Since my browser is not passing any username/password I get a logon box
This logon box is still using IWA? Not basic?
If that is correct can you just respond with a yep?
I appreciate this. You have made things incredibly clear.
--
Shane Young
http://www.lucruminc.com
I will be presenting at SharePoint Advisor Live!
Stop by and say hello. I will also be at the
http://www.SharePointSolutions.com booth

Karl Levinson, mvp 2005-06-08, 8:48 pm
Yes, I believe so.
Here's a good write up that very clearly underlines some things I was going
to say:
http://www.microsoft.com/windows200...ore/iiabasc.htm
"Integrated Windows authentication proceeds as follows:
Unlike Basic authentication, it does not initially prompt users for a user
name and password. The current Windows user information on the client
computer is used for the integrated Windows authentication.
Note: Internet Explorer, version 4.0 and later, can be configured to
initially prompt for user information if needed. For more information, see
the Internet Explorer documentation.
However, if the authentication exchange initially fails to identify the
user, the browser will prompt the user for a Windows user account user name
and password, which it will process by using integrated Windows
authentication.
Internet Explorer will continue to prompt the user until the user enters a
valid user name and password, or closes the prompt dialog box.
Although integrated Windows authentication is secure, it does have two
limitations.
Only Microsoft Internet Explorer, version 2.0 or later, supports this
authentication method.
Integrated Windows authentication does not work over HTTP Proxy connections.
Therefore, integrated Windows authentication is best suited for an intranet
environment, where both user and Web server computers are in the same
domain, and where administrators can ensure that every user has Microsoft
Internet Explorer, version 2.0 or later."
One thing: The above write up states that Integrated windows authentication
is secure. This is simply not true. I feel the author must have known this
is not true. If you don't use HTTPS encryption, and you don't use Kerberos,
then the authentication is not necessarily secure, and is probably not
secure by default.
The article erroneously claims that "Integrated Windows authentication
(formerly called NTLM or Windows NT Challenge/Response authentication) is a
secure form of authentication because the user name and password are not
sent across the network. When you enable integrated Windows authentication,
the user's browser proves its knowledge of the password through a
cryptographic exchange with your Web server, involving hashing."

Ken Schaefer 2005-06-08, 8:48 pm
The answer is "yes"
The reason you might not see a logon dialogue box when you access the site
when on your local LAN is that when IE thinks the site is in the local
Intranet zone, it will attempt to authenticate with the current user's
credentials transparently, and only pop-up a box if those credentials are
not acceptable to the server. When the site is in the Internet zone, the
user will always be prompted.
See:
http://support.microsoft.com/?id=258063
Cheers
Ken
--
IIS Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com
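The negotiation Ken walks through in his two replies (the two WWW-Authenticate challenges, the browser taking the first one it supports, IE skipping Kerberos for Internet-zone sites, NTLM failing through HTTP proxies, and the logon box appearing transparently only in the Intranet zone), together with the reason his Basic recommendation comes with SSL, as an added Python model. This is illustration code written for this archive, not code from the thread, from IIS or from Ken's book; `ClientContext`, the selection rules and the sample 401 headers are assumptions that follow the thread's description rather than any real browser's implementation.

```python
"""Model of the IIS authentication negotiation described in the thread.

Added illustration (not from the thread or from IIS): it mimics the
behaviour Ken describes and shows why Basic needs SSL.
"""
from __future__ import annotations

import base64
from dataclasses import dataclass


@dataclass
class ClientContext:
    """Hypothetical description of the browser's situation."""
    zone: str            # IE security zone: "intranet" or "internet"
    kdc_reachable: bool  # can the client get a Kerberos service ticket?
    via_proxy: bool      # is there an HTTP proxy between browser and IIS?
    tls: bool            # is the connection over SSL/TLS (https)?


def parse_www_authenticate(headers: list[tuple[str, str]]) -> list[str]:
    """Return the challenge schemes in the order the server offered them.

    Each WWW-Authenticate value starts with the scheme token; Basic and
    Digest carry parameters (realm=...) after it, Negotiate and NTLM do not.
    """
    schemes = []
    for name, value in headers:
        if name.lower() == "www-authenticate":
            schemes.append(value.strip().split(None, 1)[0])
    return schemes


def choose_scheme(schemes: list[str], ctx: ClientContext) -> tuple[str | None, str]:
    """Pick the scheme a browser would use and say whether it can succeed.

    The browser knows nothing about firewalls: it takes the first challenge
    it supports. The one exception modelled is IE refusing Kerberos
    (Negotiate) for sites in the Internet zone and moving to the next one.
    """
    for scheme in schemes:
        s = scheme.lower()
        if s == "negotiate":
            if ctx.zone == "internet":
                continue  # IE skips Kerberos here, so NTLM gets a chance
            if not ctx.kdc_reachable:
                return "Negotiate", "fail: KDC unreachable (firewall blocks DCs)"
            return "Negotiate", "ok"
        if s == "ntlm":
            if ctx.via_proxy:
                return "NTLM", "fail: NTLM does not work through HTTP proxies"
            return "NTLM", "ok"
        if s == "digest":
            return "Digest", "ok"
        if s == "basic":
            if not ctx.tls:
                return "Basic", "warn: Basic without SSL sends the password in clear"
            return "Basic", "ok"
    return None, "fail: no supported challenge"


def expect_logon_prompt(scheme: str | None, ctx: ClientContext) -> bool:
    """Will the user see a logon box before the first attempt?

    Basic and Digest always ask. Integrated Windows auth is transparent
    only when IE places the site in the Intranet zone.
    """
    if scheme is None:
        return False
    if scheme.lower() in ("basic", "digest"):
        return True
    return ctx.zone == "internet"


def basic_authorization(user: str, password: str) -> str:
    """Build the Authorization header a client sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_authorization(value: str) -> tuple[str, str]:
    """Recover user and password from a Basic Authorization header.

    Base64 is encoding, not encryption: anyone who can read an unencrypted
    HTTP exchange gets the password, which is why Basic is paired with SSL.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError(f"not a Basic credential: {scheme}")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# Constructed sample 401 responses (not captured from a real server).
IIS_IWA_401 = [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]
IIS_BASIC_401 = [("WWW-Authenticate", 'Basic realm="mysite"')]

if __name__ == "__main__":
    lan = ClientContext(zone="intranet", kdc_reachable=True, via_proxy=False, tls=False)
    ext = ClientContext(zone="internet", kdc_reachable=False, via_proxy=False, tls=False)
    proxied = ClientContext(zone="internet", kdc_reachable=False, via_proxy=True, tls=False)
    for label, ctx, hdrs in [("LAN, IWA", lan, IIS_IWA_401),
                             ("Internet, IWA", ext, IIS_IWA_401),
                             ("Proxy, IWA", proxied, IIS_IWA_401),
                             ("Internet, Basic no SSL", ext, IIS_BASIC_401)]:
        scheme, outcome = choose_scheme(parse_www_authenticate(hdrs), ctx)
        print(f"{label:24} -> {scheme} ({outcome}); prompt={expect_logon_prompt(scheme, ctx)}")
    print(decode_basic_authorization(basic_authorization("alice", "Passw0rd!")))
```

Running the script prints one line per scenario: the LAN client authenticates with Negotiate and sees no prompt, the Internet-zone client falls to NTLM and is prompted, the proxied client fails on NTLM, and the Basic site is flagged unless the context has `tls=True`. The last line shows the Basic credential decoding straight back to the plaintext pair, which is the whole reason the thread's advice is "Basic + SSL" rather than Basic alone.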