| K12-Jammer 2007-01-24, 1:16 pm |
| I am curious if anyone has a suggestion about the use of the metabase
property "DefaultLogonDomain" to accomplish the purposes of pointing the IIS
server to authenticate against the domain instead of the local machine
database.
--
Jim R
"K12-Jammer" wrote:
> Dear Ingenious (nice play on words there)
>
> First, thanks for your response. It addresses several key issues related to
> authentication and the key questions to ask/address when trying to do this
> thing.
> And, my apologies for not including the firewall/intranet/internet info. I
> thought about doing it and then the phone rang or something.
>
> FIREWALL QUESTION:
> I would like this to work both on the Intranet and Internet level. On the
> Intranet level, there would be no firewall between the IIS and the web
> client. On the Internet level there would be one. Note that there is no
> firewall between the IIS and the Domain Controller as we are using a
> one-to-one NAT for external port 80 traffic which directs Internet requests
> to the web server. This was the recommended config by our firewall vendor
> (Watchguard).
>
> Currently, the Integrated Windows Authentication works identically whether
> inside or outside our network. I believe that this is because the IIS and
> the Active Directory are in the same network.
>
> The only downside is what is considered to be the "strange username format."
>
> DIGEST vs BASIC AUTHENTICATION MODES
> Let me start by throwing out BASIC as I don't want the clear text
> transmittal of passwords. So then, I jump headlong into a vast pool of my
> own ignorance with regard to DIGEST mode. From my readings I see that it
> requires a "reverse hash of the encrypted password" to be stored in
> something. That whole phraseology made me a bit concerned that I was opening
> up a security hole.
>
> My apologies for not being better informed on the realities of all that is
> related to Digest mode. The reality is that we are fearful of what we don't
> understand. So at the moment I am fearful of Digest mode (though perhaps my
> fear is misplaced).
>
> I did try briefly to enable digest mode on my test box in my domain and did
> not have success. I assume that this was because I did not reset my password
> thus enabling the reverse-hash-whatevering to occur.
>
> CONCLUSION:
> The Digest mode would certainly allow me to set the default domain though I
> am still uncertain of the security impact of using it. Basic would also
> accomplish my objective but I am sure of the security impact of using clear
> text passwords over the Internet. I am still curious about the potential use
> of the DefaultLogonDomain property in the Metabase.
>
> Thanks again.
>
> --
> Jim R
>
>
> "Indigenous" wrote:
>
|