IIS Server Security - Basic Authentication


R.John

2007-02-10, 7:22 am

I have an IIS server in my network domain. My web application is accessible by
all the users in the domain. All users must log on to the domain/Active
Directory. What I am trying to achieve is to capture the user ID used to log on
to the Active Directory whenever a user accesses the web application in the
IIS. This is possible by enabling Basic Authentication in IIS, but it will
prompt the user to enter his/her credentials (something that I am trying to
avoid). Is there any other way I can achieve this? Thanks.


Marcelo Villalón

2007-02-12, 1:17 pm

Hi R.John

If you are using IE as the browser, the solution is that the webserver can be
recognized in the Local intranet zone; when this happens, IE sends the
credentials to IIS without prompting for them. In this case you can use Basic
Authentication.

So, in IE, Internet Options->Security->Sites->Advanced->Add the webserver to
the list. You can do this through Domain Policy or GPO.

Hope that helps
Marcelo V., CISSP, Security+


"R.John" <annonymous@microsot.com> wrote in message
news:urDjnrQTHHA.2212@TK2MSFTNGP02.phx.gbl...
> I have an IIS server in my network domain. My web application is accessible by
> all the users in the domain. All users must log on to the domain/Active
> Directory. What I am trying to achieve is to capture the user ID used to log on
> to the Active Directory whenever a user accesses the web application in the
> IIS. This is possible by enabling Basic Authentication in IIS, but it will
> prompt the user to enter his/her credentials (something that I am trying to
> avoid). Is there any other way I can achieve this? Thanks.
>
>



David Wang

2007-02-12, 7:28 pm

On Feb 10, 4:04 am, "R.John" <annonym...@microsot.com> wrote:
> I have an IIS server in my network domain. My web application is accessible by
> all the users in the domain. All users must log on to the domain/Active
> Directory. What I am trying to achieve is to capture the user ID used to log on
> to the Active Directory whenever a user accesses the web application in the
> IIS. This is possible by enabling Basic Authentication in IIS, but it will
> prompt the user to enter his/her credentials (something that I am trying to
> avoid). Is there any other way I can achieve this? Thanks.



You can enable Integrated Authentication and make sure that the
browser auto-authenticates to the web server. If you have a domain, I
would refrain from using Basic authentication because it is inferior
in all possible ways (including functional AND security) vs.
Integrated Authentication (Kerberos).

With IE, you should set the webserver's name as part of the "Local
Intranet" zone and make sure that zone auto-logs in (it's a radio-button
group at the bottom of the Zone's Security Settings).


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Ken Schaefer

2007-02-14, 1:28 am

IE does not (by default) send credentials automatically when Basic
Authentication is used, even if the site is in the Intranet zone. It would
be too easy for a malicious employee to set up a website and require
authentication, and the malicious employee could harvest usernames/passwords
from users.

See:
http://support.microsoft.com/?id=258063

Cheers
Ken

"Marcelo Villalón" <mvillalon@ti.bdd.cl> wrote in message
news:eytYNBtTHHA.4188@TK2MSFTNGP06.phx.gbl...
> Hi R.John
>
> If you are using IE as the browser, the solution is that the webserver can be
> recognized in the Local intranet zone; when this happens, IE sends the
> credentials to IIS without prompting for them. In this case you can use Basic
> Authentication.
>
> So, in IE, Internet Options->Security->Sites->Advanced->Add the webserver to
> the list. You can do this through Domain Policy or GPO.
>
> Hope that helps
> Marcelo V., CISSP, Security+
>
>
> "R.John" <annonymous@microsot.com> wrote in message
> news:urDjnrQTHHA.2212@TK2MSFTNGP02.phx.gbl...
> by
>
>
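
The thread's conclusion (David: use Integrated Authentication; Ken: IE will not auto-send Basic credentials) applied on the server side, as an added example that is not from the thread or from Microsoft: a PowerShell script for IIS 7.5 or later that leaves Windows Authentication as the only enabled scheme on a site and verifies the result. It assumes the WebAdministration module, a site named 'Default Web Site', and an elevated session on the IIS host; the client-side Local Intranet zone membership the thread describes is still set separately via GPO.

```powershell
# Added example, not from the thread: make Integrated (Windows) Authentication
# the only enabled scheme on one IIS 7.5+ site, then verify the effective settings.
# Assumptions: WebAdministration module available, site 'Default Web Site',
# script run in an elevated session on the IIS host.
Import-Module WebAdministration

$Site     = 'Default Web Site'   # assumed site name; change to match
$AuthBase = 'system.webServer/security/authentication'

function Set-AuthEnabled {
    param([string]$SiteName, [string]$Section, [bool]$Enabled)
    # -PSPath 'IIS:\' plus -Location writes a <location> override in
    # applicationHost.config; the authentication sections are locked against
    # web.config edits by default, so this is the path that works everywhere.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter "$AuthBase/$Section" -Name 'enabled' -Value $Enabled
}

function Get-AuthEnabled {
    param([string]$SiteName, [string]$Section)
    $v = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter "$AuthBase/$Section" -Name 'enabled'
    # Depending on the IIS version this is a bare bool or an attribute object
    if ($v -is [bool]) { return $v } else { return [bool]$v.Value }
}

function Test-IntegratedOnly {
    param([string]$SiteName)
    # True only when Windows auth is on and Basic and Anonymous are both off.
    return ((Get-AuthEnabled $SiteName 'windowsAuthentication') -and
           -not (Get-AuthEnabled $SiteName 'basicAuthentication') -and
           -not (Get-AuthEnabled $SiteName 'anonymousAuthentication'))
}

# Windows (Negotiate/Kerberos, NTLM fallback) on; Basic and Anonymous off.
Set-AuthEnabled $Site 'windowsAuthentication'   $true
Set-AuthEnabled $Site 'basicAuthentication'     $false
Set-AuthEnabled $Site 'anonymousAuthentication' $false

if (Test-IntegratedOnly $Site) {
    Write-Output "'$Site' now accepts Integrated Authentication only."
} else {
    Write-Warning "'$Site' is not configured as expected; check applicationHost.config."
}
```

Once this is in place, the domain logon name reaches the application as the LOGON_USER server variable (User.Identity.Name in ASP.NET), which is the user ID the original post asked for, without a credential prompt.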



Copyright 2003 - 2008 webservertalk.com