Basic auth without dialog - no database

Our site (IIS on W2K) security uses Basic Authentication with SSL. We now have a request from our parent company to allow users authenticated on their site to have access to protected areas of our site without popping up the authentication dialog again.

Is there any way to do this without changing our website too much (i.e. adding one asp that does some magic would be great)? I realize that once the browser has been asked to provide userid/password it resends them for each request to the same domain. Is there any way of tricking the browser into sending a userid/password without having it display the authentication dialog?

Thanks in advance.

Brian

<bsch***@rogers.com> wrote in message news:1121706147.570052.315390@g47g2000cwa.googlegroups.com...
> Our site (IIS on W2K) security uses Basic Authentication with SSL. We
> now have a request from our parent company to allow users authenticated
> on their site to have access to protected areas of our site without
> popping up the authentication dialog again.
>
> Is there any way to do this without changing our website too much (i.e.
> adding one asp that does some magic would be great). I realize that
> once the browser has been asked to provide userid/password it resends
> them for each request to the same domain. Is there any way of tricking
> the browser into sending a userid/password without having it display
> the authentication dialog?

You could use Windows Integrated authentication, but that's really only best suited for intranet use. Outside of that, you would have to custom code your own authentication scheme, perhaps using a cookie stored on the client.

-- 
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsserver2003/community/centers/iis/
http://mvp.support.microsoft.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS

Depends on whether you care about security or not. This sort of "single sign on" request is pretty frequent, so please read my blog entry about how it works and what is going on.

http://blogs.msdn.com/david.wang/archive/2005/07/06/SSO_ISAPI_Considerations_2.aspx

I realize that security and authentication look so simple to humans, but in reality, it is not that simple. The very things you want to do frequently also allow bad guys to totally destroy you -- and computers cannot distinguish between the good and bad guys -- so it must be black-and-white, at which point the human requirement doesn't look so simple anymore.

The basic problem is this: Your parent company wants users authenticated on their site to have access to protected areas of your site without the authentication dialog popping up -- a very reasonable request -- but you have to look at things from a security perspective (because humans are inherently insecure -- if you don't believe it, just look at all the real-world issues we have with "Security" right now for examples). Some of the obvious problems are:

1. Are users of the parent company considered users of your website? In other words, are the user identities inside of one user domain or multiple user domains?
2. If different domains, then what is the trust relationship between them?
3. If there is no trust relationship between them, then why should your website trust the authenticated user of someone else?

The only secure way to have what you are asking for is if all parties involved are using the same security protocol and use the same user domain. Anything else is basically insecure because some third-party code has to perform a benign "man-in-the-middle" security attack to hack user credentials from one domain into the other. Period. No software can get around this fundamental trust issue as far as security is concerned.

Thus, I ask you about the importance of security, because insecure solutions can easily be written to perform a benign man-in-the-middle attack all the time. The question is whether you are ok to run that insecure solution.

> I realize that once the browser has been asked
> to provide userid/password it resends them for
> each request to the same domain.

Not correct. Only Basic authentication works like this, and it is very poor security indeed.

> Is there any way of tricking the browser into
> sending a userid/password without having it display
> the authentication dialog?

FYI: this is not possible. It is called a security vulnerability in the browser. This would allow malicious websites or man-in-the-middle network sniffers to steal userid/password from the user.

-- 
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
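Tom's cookie-based custom scheme and David's point about the trust relationship, worked through as an added example that is not code from the thread or from IIS: the parent site, after authenticating a user itself, mints a ticket signed with a secret it shares with the child site, and the child site accepts only unexpired tickets whose signature verifies. The function names, the shared secret and the ticket lifetime are constructed for this example; a real deployment would carry the ticket only over SSL and bind it to a server-side session.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed shared secret for this example. In practice the parent and child
# sites exchange it out of band; it is the concrete form of the "trust
# relationship" the thread asks about: whoever holds it can mint tickets.
SHARED_SECRET = b"constructed-example-secret-do-not-reuse"
TICKET_LIFETIME = 300  # seconds a ticket stays valid

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii")

def _unb64(text):
    return base64.urlsafe_b64decode(text.encode("ascii"))

def issue_ticket(user, secret=SHARED_SECRET, now=None):
    """Parent site: after authenticating `user` itself, mint a signed,
    time-limited ticket to hand to the child site (cookie or SSL redirect)."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"u": user, "exp": now + TICKET_LIFETIME},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_ticket(ticket, secret=SHARED_SECRET, now=None):
    """Child site: return the user name if the ticket is genuine and unexpired,
    otherwise None so the caller falls back to its normal login."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = ticket.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None  # malformed ticket
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak timing information.
    if not hmac.compare_digest(sig, expected):
        return None  # tampered, or signed with a different secret
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None  # expired; replaying an old ticket does not work
    return claims.get("u")
```

Without the shared secret the child site has no way to tell a genuine parent-site user from anyone able to write a cookie, which is the trust question David raises.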