iis security: Hi all. I have a problem that I'm not sure I understand. I have a web site
framework that is designed to support Windows Authentication, Forms
Authenticatio or Mixed. When logging off from Windows Authentication, the
framework redirects to a special page that allows Anonymous Access but does
not allow Windows Authentication. This special page then redirects to the
front page of the application. This front page permits Anonymous and Windows
Auth.

While the special page is accessed Anonymously, the next (front) page uses
Windows Auth again. This doesn't make sense to me, and I'm wondering what to
do about it. To make sure it's not the framework's bug, I wrong a simple
test app consisiting of 3 ASP.Net pages, with the following security config:

Test.Aspx - Allow Anonymous AND Windows Auth. Front page of applications.

Secure.Aspx - Allow Windows Auth, do NOT allow Anonymous. Page used to grab
user's Windows auth.

NotSecure.Aspx. - Allow Anonymous, do NOT allow Windows Auth. Page used to
'log out'.


In this test scenario, Test.Aspx redirects to Secure.Aspx, and then back to
Test.Aspx. When I click 'Logout', I am redirected to NotSecure.Aspx, and
then back to Test.Aspx.

Any idea of why this happens, and how I can work around it?

Thanks in advance.

Here's a sample of the IIS Log file:


04:15:45 - GET /TestSecurity/Test.aspx - 302 -
04:15:45 - GET /TestSecurity/Secure.aspx - 401
04:15:45 Domain\UserName GET /TestSecurity/Secure.aspx - 302
04:15:45 Domain\UserName GET /TestSecurity/Test.aspx Stage=Logon 200
04:15:49 Domain\UserName POST /TestSecurity/Test.aspx Stage=Logon 302
04:15:49 - GET /TestSecurity/NotSecure.aspx - 302 04:15:49 Domain\UserName

Once authenticated, IE will continue sending the user's credentials until
either:
a) the process is shut down (iexplorer.exe or whatever)
b) the server rejects the credentials (in which case IE will prompt the user
for new credentials)

How can you get around this to accomplish what you want? Your options are
listed here:
http://www.adopenstatic.com/cs/blogs/ken/archive/2005/04/12/14.aspx
Clearing IE's credential cache

Cheers
Ken

--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com


[quoted text, click to view]
: Hi all. I have a problem that I'm not sure I understand. I have a web
site
: framework that is designed to support Windows Authentication, Forms
: Authenticatio or Mixed. When logging off from Windows Authentication, the
: framework redirects to a special page that allows Anonymous Access but
does
: not allow Windows Authentication. This special page then redirects to the
: front page of the application. This front page permits Anonymous and
Windows
: Auth.
:
: While the special page is accessed Anonymously, the next (front) page uses
: Windows Auth again. This doesn't make sense to me, and I'm wondering what
to
: do about it. To make sure it's not the framework's bug, I wrong a simple
: test app consisiting of 3 ASP.Net pages, with the following security
config:
:
: Test.Aspx - Allow Anonymous AND Windows Auth. Front page of applications.
:
: Secure.Aspx - Allow Windows Auth, do NOT allow Anonymous. Page used to
grab
: user's Windows auth.
:
: NotSecure.Aspx. - Allow Anonymous, do NOT allow Windows Auth. Page used
to
: 'log out'.
:
:
: In this test scenario, Test.Aspx redirects to Secure.Aspx, and then back
to
: Test.Aspx. When I click 'Logout', I am redirected to NotSecure.Aspx, and
: then back to Test.Aspx.
:
: Any idea of why this happens, and how I can work around it?
:
: Thanks in advance.
:
: Here's a sample of the IIS Log file:
:
:
: 04:15:45 - GET /TestSecurity/Test.aspx - 302 -
: 04:15:45 - GET /TestSecurity/Secure.aspx - 401
: 04:15:45 Domain\UserName GET /TestSecurity/Secure.aspx - 302
: 04:15:45 Domain\UserName GET /TestSecurity/Test.aspx Stage=Logon 200
: 04:15:49 Domain\UserName POST /TestSecurity/Test.aspx Stage=Logon 302
: 04:15:49 - GET /TestSecurity/NotSecure.aspx - 302 04:15:49 Domain\UserName
: GET /TestSecurity/Test.aspx Stage=Logoff 200