revoke Windows authentication credentials for a session

I am writing a web app that uses Windows authentication. I have a logout button in the app that abandons session and returns the user to the main page of the application. I would like to force the user to provide their Windows credentials again if they choose to reenter the application.

Is there a way to invalidate the security principal that IIS has established from within the application?

Thanks,
Dave

The user credentials are being cached by the client browser, not by IIS. To force the client user to enter credentials again, you would need to send an appropriate 401 status message in response to the next client request. However, doing this would run counter to very legitimate user expectations of how Windows authentication is supposed to work, so you may want to reconsider.

When Windows user credentials have already been accepted by a server (either via a login dialog or automatic submission under IE configuration for the target site or zone), a 401 is only expected if a requested resource cannot be accessed under the previously supplied credentials. When you send a 401 after any credentials have been previously accepted, the user should expect that they need to use different credentials from their initial login. If you're expecting the same credentials, then user confusion should be anticipated.

All in all, if you really want to force a new login, perhaps a different authentication mode might be more appropriate...

"strutt" <str***@discussions.microsoft.com> wrote in message news:1F5E4E45-B775-46BD-847B-5542B0348583@microsoft.com...
> I am writing a web app that uses windows authentication. I have a logout
> button in the app that abandons session and returns the user to the main
> page of the application. I would like to force the user to provide their
> windows credentials again if they choose to reenter the application.
>
> Is there a way to invalidate the security principal that IIS has
> established from within the application?
>
> Thanks,
> Dave
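
The one-time 401 described in the reply, sketched as an added example for an ASP.NET Global.asax code-behind; it is not code from either poster. The cookie name, the landing page path and the MarkLoggedOut helper are hypothetical, and the sketch assumes IIS attaches the WWW-Authenticate challenge for the configured Windows authentication scheme when the application returns 401.

```csharp
using System;
using System.Web;

public class Global : HttpApplication
{
    private const string ReauthCookie = "reauth";        // hypothetical name
    private const string LandingPage = "~/Default.aspx"; // hypothetical path

    // Call from the logout button handler, after Session.Abandon().
    // The session is gone at that point, so the marker travels in a cookie.
    public static void MarkLoggedOut(HttpResponse response)
    {
        HttpCookie flag = new HttpCookie(ReauthCookie, "1");
        flag.HttpOnly = true;
        flag.Path = "/";
        response.Cookies.Add(flag);
    }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // No logout pending: let the request through unchanged.
        if (ctx.Request.Cookies[ReauthCookie] == null)
            return;

        // The page the logout button returns to must not trigger the challenge.
        if (string.Equals(ctx.Request.AppRelativeCurrentExecutionFilePath,
                          LandingPage, StringComparison.OrdinalIgnoreCase))
            return;

        // Expire the marker first so the 401 is sent exactly once; the
        // browser's retry with credentials then passes straight through.
        HttpCookie expired = new HttpCookie(ReauthCookie, "");
        expired.Path = "/";
        expired.Expires = DateTime.Now.AddDays(-1);
        ctx.Response.Cookies.Add(expired);

        ctx.Response.StatusCode = 401;
        ctx.Response.StatusDescription = "Unauthorized";
        ctx.Response.SuppressContent = true;
        CompleteRequest();
    }
}
```

The marker is client-controlled and the browser may answer the challenge silently with the cached credentials, so this changes what the user is prompted for, not what the server will accept.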