IIS Server Security - How to pass user credentials to IE


Author How to pass user credentials to IE
kanes@ims.com.au

2007-04-13, 7:16 am

Hi,

My application needs to call an IIS web based application that requires
Windows based authentication. The user credentials that our
application will use are not the same as the user logged onto the
workstation. When calling the web page, IE prompts for a user ID and
password. I would like to know how I can pass the user credentials to
IE to avoid the browser prompt. My application is a Windows client
application.

Thanks

David Wang

2007-04-13, 7:17 pm

No longer possible for IE to automatically pass server-configured
username:password back to the server. That was deemed a security
vulnerability a few years ago and disallowed on IE with a security
patch and RegKey control.

You can try creating a vdir pointing to your Web application on IIS
with only Anonymous authentication enabled and set the Anonymous user
to be the specific user credential your application needs. Then make
your application call this vdir instead. This allows any anonymous
user to access your Web application, which may/not be what you want.

Basically, you need a custom "many-to-one" authentication mapping, and
since IIS does not come with any modules supporting it by default (but
it can and has been built by others), you have to implement it
somewhere on IIS. IIS only supports any-to-one (Anonymous) and one-to-
one (all other authentication protocols).


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On Apr 13, 1:15 am, k...@ims.com.au wrote:
> Hi,
>
> My application needs to call an IIS web based application that requires
> Windows based authentication. The user credentials that our
> application will use are not the same as the user logged onto the
> workstation. When calling the web page, IE prompts for a user ID and
> password. I would like to know how I can pass the user credentials to
> IE to avoid the browser prompt. My application is a Windows client
> application.
>
> Thanks



kanes@ims.com.au

2007-04-16, 1:19 am

On Apr 14, 6:43 am, "David Wang" <w3.4...@gmail.com> wrote:
> No longer possible for IE to automatically pass server-configured
> username:password back to the server. That was deemed a security
> vulnerability a few years ago and disallowed on IE with a security
> patch and RegKey control.
>
> You can try creating a vdir pointing to your Web application on IIS
> with only Anonymous authentication enabled and set the Anonymous user
> to be the specific user credential your application needs. Then make
> your application call this vdir instead. This allows any anonymous
> user to access your Web application, which may/not be what you want.
>
> Basically, you need a custom "many-to-one" authentication mapping, and
> since IIS does not come with any modules supporting it by default (but
> it can and has been built by others), you have to implement it
> somewhere on IIS. IIS only supports any-to-one (Anonymous) and one-to-
> one (all other authentication protocols).
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //


Thanks David,

My problem is that the web application I need to log on to is a third
party application which I don't have control over. The credentials
are provided by the users and I just use them to log on to the web
application. Also, the anonymous logon is not the way we want.

I thought it has been a few years now so there might be some way to
get around this.

Thanks anyway.

Kanes

David Wang

2007-04-16, 7:17 am

On Apr 15, 9:27 pm, k...@ims.com.au wrote:
> On Apr 14, 6:43 am, "David Wang" <w3.4...@gmail.com> wrote:
>
> Thanks David,
>
> My problem is that the web application I need to log on to is a third
> party application which I don't have control over. The credentials
> are provided by the users and I just use them to log on to the web
> application. Also, the anonymous logon is not the way we want.
>
> I thought it has been a few years now so there might be some way to
> get around this.
>
> Thanks anyway.
>
> Kanes


It doesn't matter how long you wait. What you want is for the browser
to auto-authenticate with a user account of your choosing, and that
will likely never happen.

It used to be possible for the web application to pass
username:password on the URL, but that turned out to be a security
vulnerability as well.

In your situation, there is no way to avoid users having to type in
the additional password unless you have the application either accept
pass-thru authentication or do some sort of many-to-one mapping
yourself. It's just not secure to have it happen "automagically", so I
wouldn't hold my breath waiting.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
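
The username:password-on-the-URL form mentioned in the last reply is something a client application should detect and strip before it logs, stores or hands a URL to a browser. The following is an added example, not code from the thread or from any poster; the function names and sample URLs are constructed for illustration, and it uses the standard `URL` parser available in Node.js and browsers.

```javascript
// Flag and strip credentials embedded in URLs (scheme://user:pass@host/...).
// inspectUrl/auditUrls are hypothetical helper names; sample URLs are constructed.

function inspectUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    // Not parseable as an absolute URL: nothing to inspect.
    return { valid: false, hasCredentials: false, host: null, sanitized: null };
  }
  const hasCredentials = u.username !== "" || u.password !== "";
  // Copy that is safe to log or store: same target, userinfo removed.
  const clean = new URL(u.href);
  clean.username = "";
  clean.password = "";
  return {
    valid: true,
    hasCredentials,
    // The host the request is really sent to is the part AFTER the "@",
    // whatever the text before it looks like.
    host: u.hostname,
    sanitized: clean.href,
  };
}

// Return only the entries that carry userinfo, with a sanitized form for each.
function auditUrls(urls) {
  return urls
    .map((raw) => inspectUrl(raw))
    .filter((r) => r.valid && r.hasCredentials)
    .map((r) => ({ host: r.host, sanitized: r.sanitized }));
}

const SAMPLE_URLS = [
  "http://appuser:S3cret@intranet.example/reports/default.aspx", // password in URL
  "https://intranet.example/reports/default.aspx",               // no userinfo
  "http://portal.example@other.example/login",                   // userinfo that looks like a host
  "not a url",                                                   // unparseable
];

for (const finding of auditUrls(SAMPLE_URLS)) {
  console.log(`embedded credentials -> host=${finding.host} use=${finding.sanitized}`);
}
```
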

