Solved

Integrated Windows Authentication Prompt With No Username/Pwd Entered

Posted on 2003-12-08
22
2,498 Views
Last Modified: 2013-12-04
I am running an intranet site with ASP.net in IIS.  I want the user to be prompted for a username/pwd, so I turned on Integrated Windows Authentication and turned off Anonymous access.  I also checked the option in IE for the user to be Prompted for login under Internet Options->Security->Custom Level.  Everything is fine, and the user is authenticated when the username/pwd entered matches an account in the Active Directory, except when the user enters nothing into the prompt.  What I can see is IE is sending the logon credentials from the local machine for authentication, but I don't want that.  I can see this from this line of code:
  Response.Write(Request.ServerVariables["LOGON_USER"]);
when it returns the username of the local, logged-on user, and I've tried it on several machines and users.  I've also tried playing with Web.config:
  <identity impersonate="false" />
but that doesn't seem to be helping at all.

Could anyone please tell me how to set it to not send the credentials automatically?

Thanks!
0
Question by:nemakcanada
22 Comments
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9918959
what you want is to allow only server-side authorized users to access the .asp or .htm files on the IIS server? if so, why don't you just change some IIS folder's NTFS permissions to allow specific users/groups to visit your pages at the server side? hope it helps, bbao
0
 

Author Comment

by:nemakcanada
ID: 9919664
Thanks bbao,
We have that setup too =) See, the problem with doing that is that we work in an industrial environment that includes shift work etc. As such, several of our PCs are shared, and as much as we try to enforce it, users don't always logoff when they leave their machine and the next person just continues to use the machine without changing the current logged on user.
So suppose this new person (user2) goes into one of our Intranet apps, and is in the same AD group as the previous user (user1), hence has the same application access. Also suppose our applications have user specific data such as a payroll application. Now, if this new user (user2) were to just click the OK button on the NTLM authentication prompt without entering credentials, they will be allowed into the app under the logged on windows user (user1) which is NOT what should be happening. User2 would then be able to see user1's data etc which is our problem. We need each app to prompt for credentials and only allow the user in after they have provided proper authentication, not take the current logged on user. Thanks for the reply bbao.
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9919759
if so, it looks like you guys need management, not technologies, hehe. :)) just kidding.

well, i think you may try enabling NTFS file-level access permissions at the web server side, then choose "prompt for username and password" for user authentication at the client side and deploy proper workstation policies that prevent users from changing IE's settings freely.
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9921463
@nemakcanada:

> Could anyone please tell me how to set it to not send the credentials automatically?

How are people accessing this web site?  What is the URL they are using?

I think that it will only send the credentials automatically if the site is in the "Intranet" zone, and it will assume any address without a "." to be in the Intranet zone.  So, if they are using:
   http:\\IntranetServer\

Then it will automatically send them, but if they are using
   http:\\intranet.yourcompany.com\

Then it won't.  Either way, I believe the settings for automatically sending that information are in the Zone settings.  If the defaults are set to send them, then you can just tweak those settings.

Hope That Helps,
Dex*
0
 

Author Comment

by:nemakcanada
ID: 9921464
No kidding about the management =)

Anyway, thanks for replying so quick. We've had our Intranet setup as you suggested since last March and have never noticed the problem until this week (not because something new happened, we just never tested the scenario, I did it accidentally). Basically, if the user puts in the wrong credentials, it won't authenticate. If the users put in their credentials, and the user is in the group we've got setup on the folder, it lets them in. If the user supplies no credentials, and just presses the OK button, IE returns the current logged on user, and if that user is in the group it will log them in. Can anyone duplicate this? I'm thinking the issue is on the IE side, but I'm not sure.
We've written apps in both ASP.net and PHP and have verified it to be a problem with both, so we know it's not specific to one or the other.
0
 

Author Comment

by:nemakcanada
ID: 9921496
Thanks dex...
Users are accessing via http:\\intranet.yourcompany.com and we've got the zone settings in IE for both Intranet and Internet set to "Prompt for Username and Password". It prompts properly, but it takes the current logged on Windows user (win2k by the way, not tested on 9x) if the user doesn't enter any credentials and just hits the OK button.
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9921559
@nemakcanada:  What happens when you set it to "Anonymous Login" ?

Dex*
0
 

Author Comment

by:nemakcanada
ID: 9921963
If the Everyone group, IUSR, or I believe the ASP.NET user is set to read, the user is allowed in and not prompted at all.
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9921972
No, no, I mean, when you set the client's Internet Security settings from "Prompt for user name and password" to "Anonymous Login".

D*
0
 

Author Comment

by:nemakcanada
ID: 9922078
Sorry about that. If I set it to Anonymous on the client, I get a HTTP 401.2 response, Access denied.
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9922178
since the server side has disabled the guest account and your pages have NTFS level access control?
0
 

Author Comment

by:nemakcanada
ID: 9922200
That's right. For these particular pages, anonymous access should NOT be allowed, so that's functioning properly too. Not sure what kind of environment you guys work with, but can you duplicate this problem at all?
0
 
LVL 19

Accepted Solution

by:
Dexstar earned 250 total points
ID: 9922238
Yeah, I get the exact same behavior.  I'm guessing that it isn't a big deal for them to be sending that information.  I can't imagine that MS would force it out on the network if it was a security risk.

Maybe it knows you're on the same network, somehow?  This is really strange.

Dex*
0
 

Author Comment

by:nemakcanada
ID: 9922255
Well, at least you can duplicate. Fricken M$ ... hmm.... they got me stumped on this one. Dex, what version of IIS/IE are you using? We have IIS 5, latest service packs and IISlockdown on the server, and IE 6 SP1 on the client. I'm wondering if this is something specific to IE/IIS versions or what....
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9922263
Well, that very well could be the case because I'm using the exact same versions...

D*
0
 
LVL 37

Assisted Solution

by:Bing CISM / CISSP
Bing CISM / CISSP earned 250 total points
ID: 9922514
me2
0
 
LVL 6

Expert Comment

by:DominicCronin
ID: 9934243
Just a thought, but I think if IE is doing the automatic logon thing, it will happily carry on as long as it is successful, but if it gets an AUTH back from the server, it will prompt for credentials. Maybe if you rig things so that at certain intervals you force this to happen (even though the "logged-in" credentials are good), you can fool the browser into doing what you want.

Failing that, you could go for the classic single-sign-on approach of having a login page that sets an authentication cookie. That way you just avoid using the logged-in credentials at all, and you have complete control over the timeouts.
0
 

Author Comment

by:nemakcanada
ID: 9934260
Well, from an end-user standpoint, how friendly is a system that prompts you for a password every 5 minutes =)
I've tried changing my authentication scheme to use basic authentication with an HTTPS connection, and it works properly. I can't just press "OK" and get in when I do this. The only problem is that users now have to remember to enter their userid in the following format:

domain\userid

... otherwise authentication fails. Does anyone know a way around this? Is there something in IIS such that I can automatically pre-pend the proper domain name if the user doesn't enter it? The problem with that is suppose someone from our parent domain tries to authenticate, it will prepend our subdomain to the front of their userid automatically... will AD still authenticate them? Probably not, but I could be wrong.
0
 

Author Comment

by:nemakcanada
ID: 9934544
ok, scratch that last post. I found the place to specify the default domain. Looks like going with SSL and basic auth is going to be my solution. I'm going to leave this post open for another week or so in case someone comes up with a better idea. Otherwise I'll distribute points appropriately for your efforts. Thanks all.
0
 
LVL 19

Expert Comment

by:Dexstar
ID: 9934654
If you have AD, then you can use username@domain, and it should work as well...

Dex*
0
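An added example, not code from the thread or from IIS, showing the server-side handling that nemakcanada's Basic-over-HTTPS approach relies on: the Authorization header is parsed, an empty user name or password is rejected outright (so "just press OK" cannot fall back to the logged-on Windows account), and the login is normalized from DOMAIN\user, Dexstar's user@domain form, or a bare user with the configured default domain prepended. The default domain name "CORP" and the helper names are assumptions for the example; the directory itself still does the actual password check.

```python
import base64
import binascii

# Assumed: the default domain configured for Basic authentication in IIS.
DEFAULT_DOMAIN = "CORP"


class AuthError(Exception):
    """Raised when the request carries no usable credentials."""


def encode_basic(login, password):
    """Build the Authorization header value a browser sends for Basic auth."""
    token = base64.b64encode(f"{login}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def split_login(login):
    """Return (domain, user) from DOMAIN\\user, user@domain, or a bare user."""
    if "\\" in login:
        domain, user = login.split("\\", 1)
    elif "@" in login:
        user, domain = login.rsplit("@", 1)   # UPN form: suffix is a DNS name
    else:
        domain, user = DEFAULT_DOMAIN, login  # bare user: apply default domain
    if not domain or not user:
        raise AuthError("malformed user name")
    return domain, user


def parse_basic_credentials(header_value):
    """Return (domain, user, password); raise AuthError on missing/empty input."""
    if not header_value or not header_value.startswith("Basic "):
        raise AuthError("no Basic credentials supplied")
    try:
        raw = base64.b64decode(header_value[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        raise AuthError("malformed Basic credentials") from None
    if ":" not in raw:
        raise AuthError("malformed Basic credentials")
    login, password = raw.split(":", 1)
    if not login or not password:
        # This is the case that Integrated auth silently turned into a logon.
        raise AuthError("empty user name or password")
    domain, user = split_login(login)
    return domain, user, password


def credentials_present(header_value):
    """True only when the header carries a non-empty, well-formed login."""
    try:
        parse_basic_credentials(header_value)
        return True
    except AuthError:
        return False
```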
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9934691
i believe the following two articles would be helpful to your final decision on security model:

IIS5 RK: Chapter 6 - Developing Web Applications
www.microsoft.com/technet/prodtechnol/iis/iis5/reskit/iis50rg/iischp6.asp

IIS5 RK: Chapter 9 - Security
www.microsoft.com/technet/prodtechnol/iis/iis5/reskit/iis50rg/iischp9.asp

cheers,
bbao
0
 
LVL 6

Expert Comment

by:DominicCronin
ID: 9935085
The usual timeout on SSO systems is more like an hour. It's a compromise, of course.
0
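An added example, not code from the thread, of the cookie-based single-sign-on ticket DominicCronin describes: the login page verifies credentials itself and then sets a cookie carrying the user name, an expiry about an hour out, and an HMAC over both, so the browser's logged-on Windows identity is never consulted and the timeout is entirely under the server's control. The secret key value and the ticket format are assumptions for the example.

```python
import hashlib
import hmac
import time

# Assumed: a random secret kept in server configuration, never sent to clients,
# and the roughly one-hour lifetime mentioned in the thread.
SECRET_KEY = b"replace-with-a-random-secret-from-server-config"
TICKET_TTL_SECONDS = 3600


def _sign(payload):
    """HMAC-SHA256 over the cleartext part of the ticket."""
    return hmac.new(SECRET_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_ticket(user, now=None, ttl=TICKET_TTL_SECONDS):
    """Return the cookie value the login page sets after a successful logon.

    Format: user|expiry-epoch|hexmac. Name and expiry are readable, but the
    MAC means a client cannot change either without the server noticing.
    """
    if not user or "|" in user:
        raise ValueError("invalid user name")
    expires = int(now if now is not None else time.time()) + ttl
    payload = f"{user}|{expires}"
    return f"{payload}|{_sign(payload)}"


def verify_ticket(cookie, now=None):
    """Return the user name if the cookie is intact and unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user, expires, mac = parts
    # Constant-time comparison so the check does not leak the MAC byte by byte.
    if not hmac.compare_digest(mac, _sign(f"{user}|{expires}")):
        return None
    if not expires.isdigit():
        return None
    current = int(now if now is not None else time.time())
    if current >= int(expires):
        return None  # expired: the user is sent back to the login page
    return user
```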
