Wrox Programmer Forums
ASP.NET 1.1 As of 10/6/2005, this forum is locked as part of the reorganization described here: http://p2p.wrox.com/topic.asp?TOPIC_ID=35394. No posts have been deleted. Open ongoing discussions from the last week have been moved to either ASP.NET 1.0 and 1.1 Beginners http://p2p.wrox.com/asp-net-1-0-1-1-basics-60/ or ASP.NET 1.0 and 1.1 Professional. http://p2p.wrox.com/forum.asp?FORUM_ID=50. See my sticky post inside for more.

You are currently viewing the ASP.NET 1.1 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old April 27th, 2004, 12:32 PM
Authorized User
 
Join Date: Jun 2003
Posts: 20
Thanks: 0
Thanked 0 Times in 0 Posts
IIS Authentication

Hi Guys,
When I use Windows authentication and I am outside of the network, I get prompted with a userid and password dialog box. Does this userid and password travel in clear text over the wire using Internet Explorer?

Paul.
 
Old April 27th, 2004, 03:07 PM
Wrox Author
 
Join Date: Jun 2003
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts

Well, almost. Apparently, you're using Basic Authentication. Passwords sent over basic authentication are Base64 encoded. This means they're not really sent in clear text, but it's easy for most people to decrypt the stuff you send.

If you want basic authentication to be safe, you'll need to enable SSL / TLS on your Web server.

Cheers,

Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
While typing this post, I was listening to: U.F.Orb by The Orb (Track 2 from the album: U.F.Orb)

 
Old April 27th, 2004, 03:13 PM
Authorized User
 
Join Date: Jun 2003
Posts: 20
Thanks: 0
Thanked 0 Times in 0 Posts

Hi Imar,
Thanks for the reply. Actually, the window for userid and password I am referring to is provided by default by the Internet browser. IIS is set up for Windows authentication and so is the config file for ASP.NET (web.config). Basic authentication isn't used anywhere. So what I was wondering is: if the initial challenge response fails between the browser and IIS, I get prompted for a default Windows login via the browser. Is this information sent as plain text, or does the browser use this information for creating some token for the challenge, since the initial challenge response fails? Windows authentication states that userid and password are never sent in clear, so I was curious. Thanks

paul.
 
Old April 27th, 2004, 03:30 PM
Wrox Author
 
Join Date: Jun 2003
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts

So are you using Forms authentication? I think in that case, the problem is even worse. The information *will* be sent in clear text (not sure if any encoding takes place). Anyone sniffing the network with some widely available tools can see your credentials fly by.

Or do you get a true dialog? If that is the case, you *are* using basic authentication. Windows authentication in Web.config refers to where and how IIS validates the user, not the way the user is asked for credentials. So, if IIS is set up for Windows *and* basic authentication, setting the security to Windows in the Web.Config can still result in Basic Authentication being used when your site is accessed with a browser that doesn't understand Windows / Integrated security or cannot use it (when you're accessing the site over the Internet, for example).

The docs say this about mode="windows":
Quote:
Specifies Windows authentication as the default authentication mode. Use this mode when using any form of Microsoft Internet Information Services (IIS) authentication: Basic, Digest, Integrated Windows authentication (NTLM/Kerberos), or certificates.
I can't believe that you get a password prompt if IIS is not set up for basic authentication.....
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
While typing this post, I was listening to: I'm Hiding by KoRn (Track 13 from the album: Untouchables)
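The distinction drawn in the two replies above (Basic credentials are only Base64 encoded, while NTLM/Negotiate send no password) can be checked on a captured `Authorization` request header. This is an added example, not code from the thread; the paths, the user name, the password and the sample headers are constructed for illustration.

```python
import base64

def inspect_authorization(header_value, over_tls):
    """Classify one Authorization request-header value for review."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    info = {
        "scheme": scheme,
        "user": None,
        # NTLM / Negotiate (Integrated Windows authentication) carry
        # challenge-response or ticket data, never the password itself.
        "integrated": scheme in ("ntlm", "negotiate"),
        "password_recoverable": False,
        "exposed": False,
    }
    if scheme == "basic":
        try:
            # Base64 is an encoding, not encryption: no key is needed.
            decoded = base64.b64decode(blob.strip(), validate=True)
        except ValueError:
            return info  # malformed token, nothing to recover
        user, sep, _password = decoded.decode("utf-8", "replace").partition(":")
        if sep:
            info["user"] = user
            info["password_recoverable"] = True
            # Only the transport (SSL/TLS) protects a Basic credential.
            info["exposed"] = not over_tls
    return info

def audit(samples):
    """Return (path, user) for every request whose password crossed the wire unprotected."""
    findings = []
    for path, over_tls, header in samples:
        info = inspect_authorization(header, over_tls)
        if info["exposed"]:
            findings.append((path, info["user"]))
    return findings

# Constructed sample headers (not captured traffic).
BASIC = "Basic " + base64.b64encode(b"paul:example-password").decode()
NTLM = "NTLM " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
SAMPLES = [
    ("/reports", False, BASIC),   # Basic over plain HTTP
    ("/reports", True, BASIC),    # Basic inside SSL/TLS
    ("/intranet", False, NTLM),   # Integrated Windows authentication
]

if __name__ == "__main__":
    for path, user in audit(SAMPLES):
        print(f"{path}: Basic credentials for {user!r} sent without TLS")
```
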

 
Old April 27th, 2004, 03:49 PM
Authorized User
 
Join Date: Jun 2003
Posts: 20
Thanks: 0
Thanked 0 Times in 0 Posts

I think you clarified what I was after. Thanks for this feedback. :)
 
Old April 27th, 2004, 04:08 PM
Wrox Author
 
Join Date: Jun 2003
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts

Great. You're welcome.

Out of curiosity, were you using Basic Authentication?

Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
While typing this post, I was listening to: Spanish Castles In Space by The Orb (Track 5 from the album: The Orb's Adventures Beyond The Ultraworld - Disc 1)

 
Old April 28th, 2004, 08:01 AM
Authorized User
 
Join Date: Jun 2003
Posts: 20
Thanks: 0
Thanked 0 Times in 0 Posts

You got it, Imar... thanks again




