integrated vs basic

Shane Young wrote:

Hello. I am a regular in the SharePoint Portal Server NG but this is my first time in the IIS group, so forgive me if I get this wrong.

I am trying to understand authentication. I know that if I set up a web site to use only integrated and then put it behind a firewall so integrated doesn't work, it will default to using basic. Are there any issues with allowing this to happen? Should I have a separate virtual site that only uses basic auth (with SSL of course) and point people who are in front of the firewall to that site? Does this make sense? I design portal server farms all the time and I can never answer this question intelligently. Maybe someone who understands IIS can? Even if you can just point me to a white paper or book to read on the topic, I would appreciate it.

Thanks!

--
Shane Young
http://www.lucruminc.com

I will be presenting at SharePoint Advisor Live! Stop by and say hello. I will also be at the http://www.SharePointSolutions.com booth.

Ken Schaefer wrote:

Hi,

Integrated Windows Authentication (IWA) actually involves two separate authentication mechanisms. If you have a look at what IIS returns in response to the initial anonymous request, you will see:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

The first (Negotiate) currently means Kerberos, and the second means NTLM. Kerberos doesn't work through most firewalls because, in order to use Kerberos authentication, the client needs to get a Kerberos service ticket from the KDC (Key Distribution Center). The KDC is hosted on DCs in a Windows Active Directory environment, and generally firewalls block access to DCs from PCs on the wider internet.

Now, just because there's a firewall between the IIS box and the browser doesn't mean that the browser automatically chooses Basic instead. The browser has no knowledge of the firewall. It'll pick the first authentication mechanism that it supports, and use that. If Kerberos is first, and the browser can't contact the KDC, then authentication will fail. Now, IE does have some smarts built in. If the site is in the Internet security zone, Kerberos auth will not be attempted, and IE will use the next presented authentication mechanism (NTLM). NTLM works through most firewalls (but doesn't work through most proxy servers).

For more information, you might want to have a look at this PDF, which is a chapter from the IIS6 Security book that Bernard Cheah and I wrote: http://www.adopenstatic.com/resources/books/293_CYA_IIS6_05.pdf

In answer to your question, I would consider using Basic + SSL for external clients. Basic is the most widely supported authentication mechanism, and works through firewalls and proxy servers. Alternatively, you can use Digest auth instead, which is more secure (see the above link for details). That said, be aware that neither Basic nor Digest is delegatable (though Windows 2003 does support something called "protocol transition" that can help you get around this); only Kerberos is natively.

Cheers
Ken

--
IIS Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com

Shane Young wrote:

Thank you for your response. :)

So if I read your message and the PDF correctly, this is what is happening:

I create an IIS site http://mysite and only set it up to use integrated authentication
I am doing no proxying
I access the site from the internet
Since my browser is not passing any username/password, I get a logon box
This logon box is still using IWA? Not basic?

If that is correct, can you just respond with a yep?

I appreciate this. You have made things incredibly clearer.

Another reply:

Yes, I believe so.

Here's a good write-up that very clearly underlines some things I was going to say: http://www.microsoft.com/windows2000/en/server/iis/htm/core/iiabasc.htm

"Integrated Windows authentication proceeds as follows: Unlike Basic authentication, it does not initially prompt users for a user name and password. The current Windows user information on the client computer is used for the integrated Windows authentication. Note: Internet Explorer, version 4.0 and later, can be configured to initially prompt for user information if needed. For more information, see the Internet Explorer documentation. However, if the authentication exchange initially fails to identify the user, the browser will prompt the user for a Windows user account user name and password, which it will process by using integrated Windows authentication. Internet Explorer will continue to prompt the user until the user enters a valid user name and password, or closes the prompt dialog box. Although integrated Windows authentication is secure, it does have two limitations. Only Microsoft Internet Explorer, version 2.0 or later, supports this authentication method. Integrated Windows authentication does not work over HTTP Proxy connections. Therefore, integrated Windows authentication is best suited for an intranet environment, where both user and Web server computers are in the same domain, and where administrators can ensure that every user has Microsoft Internet Explorer, version 2.0 or later."

One thing: the above write-up states that integrated Windows authentication is secure. This is simply not true. I feel the author must have known this is not true. If you don't use HTTPS encryption, and you don't use Kerberos, then the authentication is not necessarily secure, and is probably not secure by default.

The article erroneously claims that "Integrated Windows authentication (formerly called NTLM or Windows NT Challenge/Response authentication) is a secure form of authentication because the user name and password are not sent across the network. When you enable integrated Windows authentication, the user's browser proves its knowledge of the password through a cryptographic exchange with your Web server, involving hashing."

Ken Schaefer wrote:

The answer is "yes".

The reason you might not see a logon dialogue box when you access the site when on your local LAN is that when IE thinks the site is in the local Intranet zone, it will attempt to authenticate with the current user's credentials transparently, and only pop up a box if those credentials are not acceptable to the server. When the site is in the Internet zone, the user will always be prompted. See: http://support.microsoft.com/?id=258063

Cheers
Ken
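A small check that parses the WWW-Authenticate challenges in an IIS 401 and applies the client-selection rules Ken gives in both replies (first supported scheme wins, Kerberos skipped for Internet-zone sites and dependent on the KDC, NTLM blocked by proxies, Basic working anywhere), plus a defender's checklist from the thread's caveats. This is an added example, not code from the thread; the 401 responses are constructed, and treating Digest like Basic is an assumption.

```python
"""Parse IIS 401 challenges and predict the browser's choice per this thread."""

# Constructed sample 401 responses (not captured from a real server).
IWA_ONLY_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n\r\n"
)
MIXED_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="mysite"\r\n'
    "Content-Length: 0\r\n\r\n"
)


def challenges(raw_response):
    """Return the auth schemes offered, in the order the server listed them."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            schemes.append(value.strip().split(None, 1)[0])
    return schemes


def predict_client(offered, *, zone, kdc_reachable, via_proxy):
    """Simulate the browser: take the first offered scheme it supports.
    Negotiate (Kerberos) needs the KDC and IE skips it for Internet-zone
    sites; NTLM fails through an HTTP proxy; Basic works anywhere. Digest is
    treated like Basic (assumption). Returns (scheme_tried, succeeds)."""
    for scheme in offered:
        if scheme == "Negotiate":
            if zone == "Internet":
                continue  # not attempted; fall through to the next scheme
            return "Negotiate", kdc_reachable
        if scheme == "NTLM":
            return "NTLM", not via_proxy
        if scheme in ("Basic", "Digest"):
            return scheme, True
    return None, False  # nothing the client can use


def risk_notes(offered, *, https):
    """Defender's checklist built from the points raised in the thread."""
    notes = []
    if "Basic" in offered and not https:
        notes.append("Basic offered without SSL: password sent in the clear")
    if "NTLM" in offered and not https:
        notes.append("NTLM without SSL: the thread's caveat applies, not necessarily secure")
    if "Negotiate" not in offered:
        notes.append("No Kerberos offered: no native delegation to back-end servers")
    return notes
```

Offering Basic alongside IWA does not make an external browser use it: with NTLM listed first, a client behind a proxy still tries NTLM and fails, which is why Ken suggests a separate Basic + SSL site.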