IIS - Windows Integrated Authentication

cbriant Member Posts: 59
Hi,

I'm not clear on Windows Integrated Authentication. Does this require domain membership? Does it require client computers to be running Windows and would you enable it for a publicly accessed website?

Chris.

Comments

  • dynamik Banned Posts: 12,312
    I believe it will just use local accounts if it's not a member of a domain.

    It's "integrated" because if you use Windows and IE, it will use the credentials you're currently logged-on with to authenticate to the server. If those fail, or you're using another OS or another browser like Firefox, it will just prompt you for the credentials.

    You can get detailed information about it here: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true
  • royal Member Posts: 3,352
    Here's the tricky thing about using Integrated Authentication on Internet Sites. It won't work without allowing it on the client side (easy to allow). Why? I've run into this a ton of times with people having issues. It'll only work with a NetBIOS name because I.E. knows it's a trusted internal site. If you trust a website where you will be accessing it via a FQDN (I.E. considers it an Internet Site), you will need to add the site to the local intranet zone in I.E. for it to work.

    And yes, it should be fine enabling it on an internet site. Kerberos/NTLM are fairly secure authentication protocols that do not allow for plain text authentication credentials to pass. When connecting from an internet site, you would most likely be using Kerberos because Kerberos requires you to contact a KDC so you would fall back to NTLM which uses hashing techniques to identify a correct/incorrect password; again all of which is encrypted.

    So yes, it's safe to use Integrated Authentication on internet facing sites.

    Also, a nice tidbit of information on Server 2008 clusters. They now all use the built-in localsystem account which can use Integrated Authentication/Kerberos which makes Server 2008 clusters easier to set up (no need to properly configure service accounts) and will use Kerberos over NTLM (more secure).
    “For success, attitude is equally as important as ability.” - Harry F. Banks
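
The thread talks about Integrated Authentication using Kerberos or falling back to NTLM. As an added example (not code from any poster in this thread), this Python sketch shows how to tell from a captured `Authorization` or `WWW-Authenticate` header value which of the two was actually used. It is a byte-signature heuristic, not a full SPNEGO parser, and every sample token is constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"  # every NTLM message starts with this signature
# DER-encoded OID 1.2.840.113554.1.2.2 (Kerberos V5 GSS-API mechanism)
KRB5_OID = bytes.fromhex("06092a864886f712010202")
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_auth_header(value):
    """Return (scheme, mechanism, detail) for one header value."""
    scheme, _, b64 = value.strip().partition(" ")
    scheme = scheme.upper()
    if scheme not in ("NTLM", "NEGOTIATE"):
        return (scheme, "not-integrated", None)
    if not b64.strip():
        return (scheme, "offer-only", None)  # server advertising the scheme
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return (scheme, "malformed", None)
    pos = token.find(NTLMSSP_SIG)
    if pos != -1 and len(token) >= pos + 12:
        # Little-endian message type follows the 8-byte signature.
        (msg_type,) = struct.unpack_from("<I", token, pos + 8)
        return (scheme, "NTLM", NTLM_TYPES.get(msg_type, "UNKNOWN"))
    if token[:1] == b"\x60" and KRB5_OID in token:
        return (scheme, "Kerberos", None)  # GSS-API token naming Kerberos
    return (scheme, "unknown", None)


def _b64(raw):
    return base64.b64encode(raw).decode()


# Constructed sample values: shaped like real tokens, not real credentials.
SAMPLES = {
    "ntlm": "NTLM " + _b64(NTLMSSP_SIG + struct.pack("<II", 1, 0)),
    "fallback": "Negotiate " + _b64(NTLMSSP_SIG + struct.pack("<II", 3, 0)),
    "kerberos": "Negotiate " + _b64(b"\x60\x82\x01\x00" + KRB5_OID + bytes(16)),
    "offer": "Negotiate",
    "basic": "Basic dXNlcjpwYXNz",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, classify_auth_header(header))
```

A `Negotiate` header that classifies as NTLM is the fallback case: the client could not obtain a Kerberos ticket for the site.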