Integrated Windows Authentication


Integrated Windows Authentication vx
3/20/2008 12:15:00 AM
iis security:
The user and the server running IIS are members of, or are trusted by, the
same domain.
And IIS is configured to use Integrated Windows Authentication.
Does Internet Explorer prompt the user for credentials (user name and
password), and use NTLM Authentication, when the user accesses the website
using an IP address in a LAN?

Register an SPN:
setspn -A http/<ipaddress> <application pool Account>
Now, does Internet Explorer use Kerberos Authentication?

Re: Integrated Windows Authentication vx
3/21/2008 11:07:01 AM
http://support.microsoft.com/kb/258063
This article does not refer to Kerberos Authentication
Re: Integrated Windows Authentication Ken Schaefer
3/21/2008 2:37:57 PM
Hi,

Registering an SPN isn't the issue here. The issue is that when Internet
Explorer sees an address http://IPaddress it does not attempt Kerberos
authentication. This is because it believes that the site is located in the
Internet security zone. Internet Explorer only attempts Kerberos
authentication for sites in the "Intranet" security zone.

Check my blog for a series of posts on IIS and Kerberos and what you need to
do to get this all working end-to-end.

Cheers
Ken


--
My IIS blog: http://adopenstatic.com/blog

Re: Integrated Windows Authentication vx
3/22/2008 8:28:00 AM
Thank you very much for your help!
A new question:

What is the authentication mechanism for sending the credentials
Re: Integrated Windows Authentication Ken Schaefer
3/22/2008 11:52:04 AM
What is your point?

You previously asked:

[quoted text, click to view]

The answer to this question is that registering an SPN does not make IE
use/attempt Kerberos AuthN. The browser must think that the website is in
the Intranet security zone to attempt Kerberos AuthN. Otherwise it uses NTLM
instead.

The KB article is talking about enabling the IE auto-logon feature. Auto-logon
has nothing to do with NTLM -vs- Kerberos. Autologon can work with either of
these two authN mechanisms.

Cheers
Ken


Re: Integrated Windows Authentication Ken Schaefer
3/23/2008 12:00:00 AM

There is no single way of doing this. The HTTP specification permits the
server to send back supported authN mechanisms via the use of
WWW-Authenticate: headers, e.g.

WWW-Authenticate: Basic

(to show that the server supports Basic Authentication). The client would
send credentials back using an Authorization: header.

But it's also possible to send credentials via an HTTP form (e.g. ASP.NET
forms based authentication or similar). In this case access is anonymous at
the HTTP layer, but authentication occurs within the application layer.
Alternatively you can use client certificates to authenticate users - in
this case authentication data is sent as part of the SSL/TLS handshake that
occurs even before HTTP headers are exchanged (i.e. below the HTTP layer).

So there are many ways to authenticate clients to the server. The KB article
is talking about HTTP-based authentication.

Cheers
Ken
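
To check which mechanism the browser actually used in the Authorization: header discussed in this thread, the token can be decoded and inspected. The following is an added example, not code from any poster in the thread; the function name and the sample tokens are constructed for illustration, and the samples are truncated prefixes rather than captured traffic.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"                               # signature that opens every NTLM message
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),   # 1.2.840.113554.1.2.2 (Kerberos 5)
             bytes.fromhex("06092a864882f712010202"))   # 1.2.840.48018.1.2.2 (legacy Microsoft value)
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def _ntlm_type(token, pos):
    """Message type is the little-endian uint32 right after the 8-byte signature."""
    msg_type = int.from_bytes(token[pos + 8:pos + 12], "little")
    return NTLM_TYPES.get(msg_type, "type %d" % msg_type)


def classify_authorization(header_value):
    """Label the mechanism carried in the value of an Authorization: header."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "not Negotiate/NTLM: " + scheme
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return "malformed token"
    if token.startswith(NTLMSSP):                        # bare NTLM, also seen under Negotiate
        return "NTLM " + _ntlm_type(token, 0)
    if token[:1] == b"\x60":                             # GSS-API InitialContextToken
        if SPNEGO_OID in token[:16]:
            pos = token.find(NTLMSSP)                    # the mechToken decides, not the offered list
            if pos != -1:
                return "NTLM in SPNEGO " + _ntlm_type(token, pos)
            if any(oid in token[:64] for oid in KRB5_OIDS):
                return "Kerberos in SPNEGO"
        elif any(oid in token[:16] for oid in KRB5_OIDS):
            return "Kerberos"
    return "unrecognised token"


# Constructed samples: truncated token prefixes built here, not captured traffic.
_ntlm1 = NTLMSSP + (1).to_bytes(4, "little") + bytes.fromhex("078208a2")
_krb = (b"\x60\x82\x05\x00" + SPNEGO_OID + bytes.fromhex("a08204f0308204eca0183016")
        + KRB5_OIDS[1] + KRB5_OIDS[0])
SAMPLES = {
    "ntlm_fallback": "Negotiate " + base64.b64encode(_ntlm1).decode(),
    "kerberos_attempt": "Negotiate " + base64.b64encode(_krb).decode(),
}
```

Base64 tokens beginning with "TlRMTVNT" are NTLM and those beginning with "YII" are GSS-API/SPNEGO, which is a quick visual check in an HTTP trace before running anything.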