• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2520

Integrated Windows Authentication Prompt With No Username/Pwd Entered

I am running an intranet site with ASP.net in IIS.  I want the user to be prompted for a username/pwd, so I turned on Integrated Windows Authentication and turned off Anonymous access.  I also checked the option in IE for the user to be Prompted for login under Internet Options->Security->Custom Level.  Everything is fine, and the user is authenticated when the username/pwd entered matches an account in the Active Directory, except when the user enters nothing into the prompt.  What I can see is IE is sending the logon credentials from the local machine for authentication, but I don't want that.  I can see this from this line of code:
  Response.Write(Request.ServerVariables["LOGON_USER"]);
when it returns the username of the local, logged-on user, and I've tried it on several machines and users.  I've also tried playing with Web.config:
  <identity impersonate="false" />
but that doesn't seem to be helping at all.

Could anyone please tell me how to set it to not send the credentials automatically?

Thanks!
Asked by: nemakcanada

bbao, IT Consultant, commented:
What you want is to allow only server-side authorized users to access the .asp or .htm files on the IIS server? If so, why don't you just change some IIS folder's NTFS permissions to allow specific users/groups to visit your pages at the server side? Hope it helps, bbao

nemakcanada (Author) commented:
Thanks bbao,
We have that set up too =) See, the problem with doing that is that we work in an industrial environment that includes shift work etc. As such, several of our PCs are shared, and as much as we try to enforce it, users don't always log off when they leave their machine and the next person just continues to use the machine without changing the current logged-on user.
So suppose this new person (user2) goes into one of our Intranet apps, and is in the same AD group as the previous user (user1), hence has the same application access. Also suppose our applications have user-specific data such as a payroll application. Now, if this new user (user2) were to just click the OK button on the NTLM authentication prompt without entering credentials, they will be allowed into the app under the logged-on Windows user (user1), which is NOT what should be happening. User2 would then be able to see user1's data etc., which is our problem. We need each app to prompt for credentials and only allow the user in after they have provided proper authentication, not take the current logged-on user. Thanks for the reply bbao.

bbao, IT Consultant, commented:
If so, it looks like you guys need management, not technology, hehe. :)) Just kidding.

Well, I think you may try enabling NTFS file-level access permissions at the web server side, then choose "prompt for username and password" for user authentication at the client side and deploy proper workstation policies that prevent users from changing IE's settings freely.

Dexstar commented:
@nemakcanada:

> Could anyone please tell me how to set it to not send the credentials automatically?

How are people accessing this web site?  What is the URL they are using?

I think that it will only send the credentials automatically if the site is in the "Intranet" zone, and it will assume any address without a "." to be in the Intranet zone.  So, if they are using:
   http:\\IntranetServer\

Then it will automatically send them, but if they are using
   http:\\intranet.yourcompany.com\

Then it won't.  Either way, I believe the settings for automatically sending that information are in the Zone settings.  If the defaults are set to send them, then you can just tweak those settings.

Hope That Helps,
Dex*

nemakcanada (Author) commented:
No kidding about the management =)

Anyway, thanks for replying so quickly. We've had our Intranet set up as you suggested since last March and have never noticed the problem until this week (not because something new happened, we just never tested the scenario, I did it accidentally). Basically, if the user puts in the wrong credentials, it won't authenticate. If the user's put in their credentials, and the user is in the group we've got set up on the folder, it lets them in. If the user supplies no credentials, and just presses the OK button, IE returns the current logged-on user, and if that user is in the group it will log them in. Can anyone duplicate this? I'm thinking the issue is on the IE side, but I'm not sure.
We've written apps in both ASP.net and PHP and have verified it to be a problem with both, so we know it's not specific to one or the other.

nemakcanada (Author) commented:
Thanks dex...
Users are accessing via http:\\intranet.yourcompany.com and we've got the zone settings in IE for both Intranet and Internet set to "Prompt for Username and Password". It prompts properly, but it takes the current logged-on Windows user (Win2k by the way, not tested on 9x) if the user doesn't enter any credentials and just hits the OK button.

Dexstar commented:
@nemakcanada:  What happens when you set it to "Anonymous Login" ?

Dex*

nemakcanada (Author) commented:
If the Everyone group, IUSR, or I believe the ASP.NET user is set to read, the user is allowed in and not prompted at all.

Dexstar commented:
No, no, I mean, when you set the client's Internet Security settings from "Prompt for user name and password" to "Anonymous Login".

D*

nemakcanada (Author) commented:
Sorry about that. If I set it to Anonymous on the client, I get an HTTP 401.2 response, Access denied.

bbao, IT Consultant, commented:
Since the server side has disabled the guest account and your pages have NTFS-level access control?

nemakcanada (Author) commented:
That's right. For these particular pages, anonymous access should NOT be allowed, so that's functioning properly too. Not sure what kind of environment you guys work with, but can you duplicate this problem at all?

Dexstar commented:
Yeah, I get the exact same behavior.  I'm guessing that it isn't a big deal for them to be sending that information.  I can't imagine that MS would force it out on the network if it was a security risk.

Maybe it knows you're on the same network, somehow?  This is really strange.

Dex*

nemakcanada (Author) commented:
Well, at least you can duplicate it. Fricken M$ ... hmm.... they got me stumped on this one. Dex, what version of IIS/IE are you using? We have IIS 5, latest service packs and IISLockdown on the server, and IE 6 SP1 on the client. I'm wondering if this is something specific to IE/IIS versions or what....

Dexstar commented:
Well, that very well could be the case because I'm using the exact same versions...

D*

bbao, IT Consultant, commented:
me2

DominicCronin commented:
Just a thought, but I think if IE is doing the automatic logon thing, it will happily carry on as long as it is successful, but if it gets an AUTH back from the server, it will prompt for credentials. Maybe if you rig things so that at certain intervals you force this to happen (even though the "logged-in" credentials are good), you can fool the browser into doing what you want.

Failing that, you could go for the classic single-sign-on approach of having a login page that sets an authentication cookie. That way you just avoid using the logged-in credentials at all, and you have complete control over the timeouts.

nemakcanada (Author) commented:
Well, from an end-user standpoint, how friendly is a system that prompts you for a password every 5 minutes =)
I've tried changing my authentication scheme to use basic authentication with an HTTPS connection, and it works properly. I can't just press "OK" and get in when I do this. The only problem is that users now have to remember to enter their userid in the following format:

domain\userid

... otherwise authentication fails. Does anyone know a way around this? Is there something in IIS such that I can automatically prepend the proper domain name if the user doesn't enter it? The problem with that is, suppose someone from our parent domain tries to authenticate, it will prepend our subdomain to the front of their userid automatically... will AD still authenticate them? Probably not, but I could be wrong.

nemakcanada (Author) commented:
OK, scratch that last post. I found the place to specify the default domain. Looks like going with SSL and basic auth is going to be my solution. I'm going to leave this post open for another week or so in case someone comes up with a better idea. Otherwise I'll distribute points appropriately for your efforts. Thanks all.

Dexstar commented:
If you have AD, then you can use username@domain, and it should work as well...

Dex*
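Added example (C#, not code from this thread or from Microsoft) for the Basic-over-HTTPS setup nemakcanada settled on, assuming Integrated Windows Authentication is disabled for the directory so IIS only offers Basic: IsExplicitCredential refuses any identity that did not arrive via Basic on an SSL connection (AUTH_TYPE is the IIS server variable that sits beside LOGON_USER), and QualifyLogonName applies the default-domain prefix only to a bare userid, leaving domain\userid and the username@domain form Dex mentions untouched so a parent-domain user is not mis-prefixed. The class, method and domain names are assumptions.

```csharp
using System;
using System.Web;

// Added example, not code from the thread. Helpers for an ASP.NET page that
// sits behind Basic authentication over HTTPS, the arrangement the thread
// settles on. The default domain below is an assumed placeholder.
public static class ExplicitAuthCheck
{
    private const string DefaultDomain = "EXAMPLEDOMAIN"; // assumed; use the site's own domain

    // True only when the identity IIS hands us came from an explicit Basic
    // credential entry on an SSL connection. An NTLM/Negotiate identity is the
    // workstation's ambient logon, which a shared PC must not be trusted with.
    public static bool IsExplicitCredential(HttpRequest request)
    {
        string authType = request.ServerVariables["AUTH_TYPE"];
        string logonUser = request.ServerVariables["LOGON_USER"];
        if (!request.IsSecureConnection) return false;                // Basic must never travel in the clear
        if (logonUser == null || logonUser.Length == 0) return false; // anonymous; IIS should already have sent 401
        return string.Compare(authType, "Basic", true) == 0;
    }

    // Normalise a user-entered login name so the directory lookup gets a
    // fully qualified account:
    //   "userid"            -> "EXAMPLEDOMAIN\userid"
    //   "domain\userid"     -> unchanged
    //   "userid@domain.tld" -> unchanged (UPN form; AD resolves the user's own
    //                          domain, so a parent-domain user is not mis-prefixed)
    public static string QualifyLogonName(string entered)
    {
        if (entered == null) return null;
        string name = entered.Trim();
        if (name.Length == 0) return name;
        if (name.IndexOf('\\') >= 0 || name.IndexOf('@') >= 0) return name;
        return DefaultDomain + "\\" + name;
    }

    // Call from Page_Load before rendering any user-specific data (payroll etc.).
    public static void RequireExplicitCredential(HttpRequest request, HttpResponse response)
    {
        if (IsExplicitCredential(request)) return;
        response.StatusCode = 401;
        response.End(); // never fall back to the ambient Windows logon
    }
}
```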

bbao, IT Consultant, commented:
I believe the following two articles would be helpful to your final decision on the security model:

IIS5 RK: Chapter 6 - Developing Web Applications
www.microsoft.com/technet/prodtechnol/iis/iis5/reskit/iis50rg/iischp6.asp

IIS5 RK: Chapter 9 - Security
www.microsoft.com/technet/prodtechnol/iis/iis5/reskit/iis50rg/iischp9.asp

cheers,
bbao

DominicCronin commented:
The usual timeout on SSO systems is more like an hour. It's a compromise, of course.