IIS Server Security - RE: Domain Authentication in IIS 6 using Integrated Windows Authen







Author RE: Domain Authentication in IIS 6 using Integrated Windows Authen
K12-Jammer

2007-01-17, 1:17 pm

Dear Ingenious (nice play on words there)

First, thanks for your response. It addresses several key issues related to
authentication and the key questions to ask/address when trying to do this
thing.
And, my apologies for not including the firewall/intranet/internet info. I
thought about doing it and then the phone rang or something.

FIREWALL QUESTION:
I would like this to work both on the Intranet and Internet level. On the
Intranet level, there would be no firewall between the IIS and the web
client. On the Internet level there would be one. Note that there is no
firewall between the IIS and the Domain Controller as we are using a
one-to-one NAT for external port 80 traffic which directs Internet requests
to the web server. This was the recommended config by our firewall vendor
(Watchguard).

Currently, the Integrated Windows Authentication works identically whether
inside or outside our network. I believe that this is because the IIS and
the Active Directory are in the same network.

The only downside is what is considered to be the "strange username format."

DIGEST vs BASIC AUTHENTICATION MODES
Let me start by throwing out BASIC as I don't want the clear text
transmittal of passwords. So then, I jump headlong into a vast pool of my
own ignorance with regard to DIGEST mode. From my readings I see that it
requires a "reverse hash of the encrypted password" to be stored in
something. That whole phraseology made me a bit concerned that I was opening
up a security hole.

My apologies for not being better informed on the realities of all that is
related to Digest mode. The reality is that we are fearful of what we don't
understand. So at the moment I am fearful of Digest mode (though perhaps my
fear is misplaced).

I did try briefly to enable digest mode on my test box in my domain and did
not have success. I assume that this was because I did not reset my password
thus enabling the reverse-hash-whatevering to occur.

CONCLUSION:
The Digest mode would certainly allow me to set the default domain though I
am still uncertain of the security impact of using it. Basic would also
accomplish my objective but I am sure of the security impact of using clear
text passwords over the Internet. I am still curious about the potential use
of the DefaultLogonDomain property in the Metabase.

Thanks again.

--
Jim R


"Indigenous" wrote:
> Jim
>
> Do you want to be prompted for a username and password or do you want
> automatic logon?
>
> If you want username password (as you suggest below) then I suggest you use
> Basic Authentication (or digest) rather than Integrated Windows. This being
> the case, you can then set the domain and realm to be your domain in the IIS
> admin console (on the security dialog under authentication type). If you do
> this, you won't need to enter the domain when prompted for credentials.
>
> You don't mention whether your site is internet, extranet or intranet so I
> don't know whether you have any firewalls between your client and web server
> (i.e. an IIS) but if you do then integrated windows auth won't work that well
> anyway.
>
> "Jim R" wrote:
>
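As an added illustration (not from the thread), the following Python shows why Basic and Digest differ in what the server must hold and what an observer of the port 80 traffic sees: RFC 2617 Digest lets the server verify a client's response from a stored MD5(user:realm:password) value, so the password itself never crosses the wire, whereas Basic only base64-encodes it. The realm, user name, password and URI are constructed values, and the verifier is a generic RFC 2617 (MD5, qop=auth) implementation written for this example, not IIS's own code.

```python
"""Basic vs. HTTP Digest (RFC 2617, MD5, qop="auth"): what is stored and what is sent.
Credentials and realm below are constructed for the example."""
import base64
import hashlib
import secrets


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def basic_header(user, password):
    # Basic sends "user:password" base64-encoded; base64 is an encoding, not a secret.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_recover(header):
    # Anyone who sees the header recovers both fields unchanged.
    user, pw = base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)
    return user, pw


def digest_ha1(user, realm, password):
    # HA1 is the only credential-derived value the server needs to keep. It is
    # bound to the realm, which is why the realm/domain is fixed on the server side.
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce):
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def digest_verify(stored_ha1, method, uri, nonce, nc, cnonce, response):
    # Server side: recompute from stored HA1 and the nonce it issued. The clear
    # password is neither transmitted nor needed here.
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, response)


def demo():
    realm, user, password = "EXAMPLE", "jsmith", "Winter2007!"  # constructed
    seen_on_wire = basic_recover(basic_header(user, password))
    ha1 = digest_ha1(user, realm, password)  # what the server stores at enrollment
    nonce, cnonce, nc = secrets.token_hex(16), secrets.token_hex(8), "00000001"
    resp = digest_response(ha1, "GET", "/intranet/", nonce, nc, cnonce)
    ok = digest_verify(ha1, "GET", "/intranet/", nonce, nc, cnonce, resp)
    # A response captured earlier fails once the server issues a fresh nonce.
    stale = digest_verify(ha1, "GET", "/intranet/", secrets.token_hex(16), nc, cnonce, resp)
    return seen_on_wire, ok, stale
```

IIS 6's plain Digest computes that hash at request time from the account password, which is why the account must have "Store password using reversible encryption" set; Advanced Digest instead keeps the precomputed hash in Active Directory and does not need the reversible setting.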

Copyright 2003 - 2008 webservertalk.com