  1. Member
    Join Date
    May 2007
    Posts
    59
    #1

    ISS - Windows Integrated Authentication

    Hi,

    I'm not clear on Windows Integrated Authentication. Does this require domain membership? Does it require client computers to be running Windows, and would you enable it for a publicly accessed website?

    Chris.

  3. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #2
    I believe it will just use local accounts if it's not a member of a domain.

    It's "integrated" because if you use Windows and IE, it will use the credentials you're currently logged-on with to authenticate to the server. If those fail, or you're using another OS or another browser like Firefox, it will just prompt you for the credentials.

    You can get detailed information about it here: http://www.microsoft.com/technet/pro....mspx?mfr=true

  4. New Member royal's Avatar
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #3
    Here's the tricky thing about using Integrated Authentication on Internet Sites. It won't work without allowing it on the client side (easy to allow). Why? I've run into this a ton of times with people having issues. It'll only work with a NetBIOS name because I.E. knows it's a trusted internal site. If you trust a website where you will be accessing it via a FQDN (I.E. considers it an Internet Site), you will need to add the site to the local intranet zone in I.E. for it to work.

    And yes, it should be fine enabling it on an internet site. Kerberos/NTLM are fairly secure authentication protocols that do not allow for plain text authentication credentials to pass. When connecting from an internet site, you would most likely be using Kerberos because Kerberos requires you to contact a KDC so you would fall back to NTLM which uses hashing techniques to identify a correct/incorrect password; again all of which is encrypted.

    So yes, it's safe to use Integrated Authentication on internet facing sites.

    Also, a nice tidbit of information on Server 2008 clusters. They now all use the built-in localsystem account which can use Integrated Authentication/Kerberos which makes Server 2008 clusters easier to set up (no need to properly configure service accounts) and will use Kerberos over NTLM (more secure).
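Post #3 describes clients falling back from Kerberos to NTLM. As an added example (not part of the thread), this Python sketch classifies an HTTP `Authorization` header value seen at the server or a proxy as NTLM or Kerberos. The function and helper names and the sample tokens are constructed for illustration, and the SPNEGO check is a byte-pattern heuristic, not a full ASN.1 parse.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def classify_authorization(header_value):
    """Return (protocol, detail) for an HTTP Authorization header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("negotiate", "ntlm"):
        return ("other", scheme or "empty")
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return ("invalid", "not base64")
    pos = token.find(NTLM_SIG)
    if pos != -1:
        # NTLM message: 8-byte signature, then a little-endian uint32 type.
        if len(token) < pos + 12:
            return ("invalid", "truncated NTLM message")
        (mtype,) = struct.unpack_from("<I", token, pos + 8)
        wrap = "raw" if pos == 0 else "inside SPNEGO"
        return ("ntlm", f"{NTLM_TYPES.get(mtype, 'unknown')} ({wrap})")
    if token[:1] == b"\x60" and KRB5_OID in token:
        wrap = "inside SPNEGO" if SPNEGO_OID in token[:16] else "raw GSS-API"
        return ("kerberos", wrap)
    if token[:1] in (b"\x60", b"\xa1"):
        return ("spnego", "no recognised mechanism token")
    return ("invalid", "unrecognised token")


def header(scheme, raw):
    """Build a header value from raw token bytes (helper for the samples)."""
    return f"{scheme} {base64.b64encode(raw).decode()}"


# Constructed sample tokens, simplified framing; not captured traffic.
NTLM_TYPE1 = NTLM_SIG + struct.pack("<II", 1, 0x00088207)
SAMPLES = {
    "ntlm_raw": header("NTLM", NTLM_TYPE1),
    "ntlm_spnego": header("Negotiate", b"\x60\x1c" + SPNEGO_OID + b"\xa0\x12" + NTLM_TYPE1),
    "kerberos": header("Negotiate", b"\x60\x20" + SPNEGO_OID + KRB5_OID + b"\x01\x00" + bytes(8)),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, classify_authorization(value))
```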
