
iis security : Can IIS force the client to change authentication credential?



Viba Fima
2/20/2004 12:07:45 AM
Hi all,
As we all know, the HTTP protocol does not define a mechanism for the server
to ask the client side to clear the credential previously established
through Basic Authentication. An internal convoluted workaround that we have
been using is to have the server redirect the browser to a web page that
includes client-side JavaScript code which does a:
window.location.href = "http://logoffusername:logoffpassword@logoffpage.asp";
The end result is that the browser now has the credential of the internally
well-known logoffusername, instead of the original user's credential.
However this has stopped working after we did an IE upgrade since this
username:password@url syntax is not supported by default anymore. (Thanks
Ken for helping with this.)

My question is: is there another way for IIS to force a new credential to the
browser? I checked my ASP books but could not find any field in the Response
object to do this.

Thanks for any help,
Krup Nugent
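
The server side of the workaround described in the post above, sketched as an added example that is not part of the original thread: it decodes the Basic `Authorization` header and treats the well-known logoff account as valid only on the logoff page, answering 401 everywhere else so the browser prompts again. The path `/logoffpage.asp`, the realm name, and the `verify` callback are assumptions made for illustration.

```javascript
// Added example (not from the thread). Paths, realm and verify() are hypothetical.
const LOGOFF_USER = "logoffusername";   // sentinel account named in the post
const LOGOFF_PAGE = "/logoffpage.asp";  // assumed path of the post's logoff page
const REALM = "intranet";               // hypothetical realm name

// Parse "Authorization: Basic <base64(user:pass)>"; returns null if malformed.
function parseBasic(header) {
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/i.exec((header || "").trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const i = decoded.indexOf(":");       // only the first colon separates user from password
  if (i < 1) return null;               // reject a missing colon or an empty user name
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// verify(user, pass) -> boolean is the caller's password check.
function decide(path, header, verify) {
  const challenge = {
    status: 401,
    headers: { "WWW-Authenticate": `Basic realm="${REALM}"` },
  };
  const cred = parseBasic(header);
  if (!cred || !verify(cred.user, cred.pass)) return challenge;
  if (cred.user === LOGOFF_USER) {
    // The sentinel may load the logoff page only. On any other page it is
    // challenged again, so the cached sentinel credential grants nothing.
    return path === LOGOFF_PAGE ? { status: 200, user: cred.user } : challenge;
  }
  return { status: 200, user: cred.user };
}

// Constructed sample: the sentinel credential presented to a protected page.
const sample = "Basic " + Buffer.from("logoffusername:logoffpassword").toString("base64");
console.log(decide("/reports.asp", sample, () => true).status); // 401
```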

Tom Kaminski [MVP]
2/20/2004 8:41:48 AM

No - but you could try this:
http://support.microsoft.com/?kbid=195192

--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsserver2003/community/centers/iis/

