How to make integrated auth fallback to Basic
on 07.02.2006 21:17:04 by mark
I've just enabled Integrated Auth on my intranet site so that LAN users
won't be prompted for a logon. That much works. However it requires
users outside the LAN to provide their username in the form
\username. I also have Basic Auth selected on the same web
site, the thought being that Basic Auth would take over when Integrated
Auth failed, allowing the users to enter username\pwd as they have in
the past (without the domain reference). Basic doesn't seem to be
kicking in though, as the users are required to specify the domain.
I also notice that admin can logon without specifying the domain,
probably because authentication is successful against the local SAM in
the web server.
Any thoughts?
Thanks
Mark
Re: How to make integrated auth fallback to Basic
on 07.02.2006 21:46:17 by Miha Pihler
Hi Mark,
When you enable Basic Authentication "Default domain:" window becomes
enabled on same page on the bottom. Did you try and enter name of the
domain?
On another note, just wanted to make sure you are using SSL if you enabled
Basic auth., or usernames and passwords will be sent to the server in clear
text.
--
Mike
Microsoft MVP - Windows Security
"Mark" wrote in message
news:1139343424.150239.143380@g14g2000cwa.googlegroups.com...
> I've just enabled Integrated Auth on my intranet site so that LAN users
> won't be prompted for a logon. That much works. However it requires
> users outside the LAN to provide their username in the form
> \username. I also have Basic Auth selected on the same web
> site, the thought being that Basic Auth would take over when Integrated
> Auth failed, allowing the users to enter username\pwd as they have in
> the past (without the domain reference). Basic doesn't seem to be
> kicking in though, as the users are required to specify the domain.
>
> I also notice that admin can logon without specifying the domain,
> probably because authentication is successful against the local SAM in
> the web server.
>
> Any thoughts?
>
> Thanks
> Mark
>
Re: How to make integrated auth fallback to Basic
on 08.02.2006 01:55:22 by Ken Schaefer
Hi,
There is no "fall back option". The webserver presents a list of supported
authentication mechanisms to the client, and the client selects the first
one that it supports. It does not "fall back" to another mechanism if the
first one fails.
If you want the clients to use Basic 100% of the time, you will need to
deselect IWA.
Cheers
Ken
"Mark" wrote in message
news:1139343424.150239.143380@g14g2000cwa.googlegroups.com...
: I've just enabled Integrated Auth on my intranet site so that LAN users
: won't be prompted for a logon. That much works. However it requires
: users outside the LAN to provide their username in the form
: \username. I also have Basic Auth selected on the same web
: site, the thought being that Basic Auth would take over when Integrated
: Auth failed, allowing the users to enter username\pwd as they have in
: the past (without the domain reference). Basic doesn't seem to be
: kicking in though, as the users are required to specify the domain.
:
: I also notice that admin can logon without specifying the domain,
: probably because authentication is successful against the local SAM in
: the web server.
:
: Any thoughts?
:
: Thanks
: Mark
:
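The selection behaviour Ken describes (the server lists its schemes, the client picks the first it supports, and a failed choice is not retried with another scheme), as an added Python example that is not part of the thread. The 401 challenge order and the two client capability lists are constructed assumptions for illustration, not captured IIS output:

```python
"""
Added example, not from the thread: model how an HTTP client picks one
authentication scheme from the WWW-Authenticate challenges in a 401 response.
The challenge order and the client capability lists below are constructed
assumptions for illustration, not captured IIS output.
"""
from typing import List, Optional, Tuple

# Constructed 401 response: the challenge list sent when both
# Integrated Windows Authentication (Negotiate/NTLM) and Basic are enabled.
CHALLENGES_IWA_AND_BASIC = [
    "Negotiate",
    "NTLM",
    'Basic realm="intranet.example"',
]
# Constructed 401 response with IWA deselected, as Ken suggests.
CHALLENGES_BASIC_ONLY = ['Basic realm="intranet.example"']

# Assumed capability lists for two hypothetical clients.
IE_LIKE_CLIENT = ["Negotiate", "NTLM", "Basic"]
BASIC_ONLY_CLIENT = ["Basic"]


def parse_challenges(header_values: List[str]) -> List[str]:
    """Extract scheme names, in server order, from WWW-Authenticate values."""
    return [v.split(None, 1)[0] for v in header_values if v.strip()]


def choose_scheme(header_values: List[str], client_supports: List[str]) -> Optional[str]:
    """Return the first server-offered scheme the client supports, or None."""
    for scheme in parse_challenges(header_values):
        if scheme in client_supports:
            return scheme
    return None


def simulate_login(header_values: List[str], client_supports: List[str],
                   iwa_token_valid: bool) -> Tuple[Optional[str], str]:
    """Return (scheme chosen, outcome) for one request cycle.

    iwa_token_valid stands for whether the client can present an NTLM or
    Kerberos token the server accepts (a domain-joined LAN machine) or not
    (a non-domain machine outside the LAN, as in Mark's case).
    """
    scheme = choose_scheme(header_values, client_supports)
    if scheme is None:
        return None, "401 (no common scheme)"
    if scheme in ("Negotiate", "NTLM"):
        # The choice is made once per challenge list. A failed integrated
        # handshake ends in 401; the client does not then retry the same
        # list with Basic.
        if iwa_token_valid:
            return scheme, "200 (integrated auth succeeded)"
        return scheme, "401 (integrated auth failed; no fallback to Basic)"
    return scheme, "prompt for username and password (Basic)"


if __name__ == "__main__":
    for label, challenges, client, ok in [
        ("LAN user, IWA+Basic", CHALLENGES_IWA_AND_BASIC, IE_LIKE_CLIENT, True),
        ("remote user, IWA+Basic", CHALLENGES_IWA_AND_BASIC, IE_LIKE_CLIENT, False),
        ("remote user, Basic only", CHALLENGES_BASIC_ONLY, IE_LIKE_CLIENT, False),
    ]:
        print(label, "->", simulate_login(challenges, client, ok))
```

The remote-user case with both schemes enabled ends in a 401 from the integrated handshake, while the same client against the Basic-only list gets the password prompt Mark was expecting; the only way to reach Basic for every client is to stop offering the integrated schemes.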
Re: How to make integrated auth fallback to Basic
on 09.02.2006 21:53:37 by mark
Ok - makes sense. So if I want to disable Basic and use IWA
exclusively, is there any way to specify a default domain? I only have
one domain which the web server is a member of. You'd think IWA would
authenticate non-domain clients against it automatically.
Re: How to make integrated auth fallback to Basic
on 10.02.2006 01:14:40 by Ken Schaefer
"Mark" wrote in message
news:1139518417.294186.230940@o13g2000cwo.googlegroups.com...
: Ok - makes sense. So if I want to disable Basic and use IWA
: exclusively, is there any way to specify a default domain?
No - IWA includes two secure authN mechanisms: NTLM and Kerberos. Neither of
which supports a "default domain" as such.
: I only have
: one domain which the web server is a member of. You'd think IWA would
: authenticate non-domain clients against it automatically.
No - that would reduce the security of the protocol by making assumptions
that might not be valid.
In any case, IIS is receiving a "hash" from the client as part of the user's
credentials (assuming NTLM) -or- a Service Ticket (assuming Kerberos). To
get a service ticket from a KDC requires the user to enter their entire
credentials (this is a requirement of Kerberos). When using NTLM, IIS is just
receiving the "hash". It can't just "insert" the "default domain" into this
hash. To generate the hash requires all the relevant bits of information to
generate the correct result. The hash is handed over to a security provider
for verification. IIS never sees the "domain" part - all it gets back is a
"yes, user is valid" or "no, user is not valid".
Cheers
Ken
Re: How to make integrated auth fallback to Basic
on 10.02.2006 05:48:14 by mark
Thanks for the info Ken. I think it's worth educating users to enter
domain\username to preempt the logons while they're in the office.
It's probably more secure from outside like this as well.
Re: How to make integrated auth fallback to Basic
on 10.02.2006 09:58:33 by someone
Why should an authentication protocol assume that?
Domain of relevance is as much a necessary qualifier on identity as the
username itself.
Besides, membership of server in a "domain" says nothing about transitivity.
For example:
What happens if you have two domains, A and B, and username C exists in both
domains A & B (imagine a company merger and username is something common
like David). If someone tries to log in as "David" to a webserver that is in
domain A, you're saying it should assume "domain A's David" when it could
well be "domain B's David" that is trying to login. How in the world can the
webserver figure this out? And if you want the code to try "domain B's
David" on failure to login as "domain A's David", then attackers can use
that to DoS your machine. Security has a knack to be hard like that.
There is no such thing as a "default domain" when it comes to Integrated
Windows Authentication because the protocol is secured against that. Since
Basic authentication passes username/password to the server in clear text
and the server calls the LogonUser() Win32 API to log in the user, that API
allows you to insert a "domain" -- hence Basic Authentication has this
"feature".
Integrated Windows Authentication, on the other hand, does NOT pass
username/password to the server in any form - just a bunch of hashes and
binary blobs pass back and forth and IIS just gets a NT User token at the
end if successful -- so there is no way to insert a "default domain". It
wouldn't make security sense, either - because the ability to alter the "default
domain" of a user principal means that you are able to alter the domain of
relevance of the identity, and that is a security no-no.
Now, if the problem is that users cannot seem to remember a domain name,
then try configuring Windows to use UPN in which case it is
username@domain.com and password -- and if you configure email
correspondingly, users only remember "my email address" and "my password"
without even thinking about the domain.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Mark" wrote in message
news:1139518417.294186.230940@o13g2000cwo.googlegroups.com...
> Ok - makes sense. So if I want to disable Basic and use IWA
> exclusively, is there any way to specify a default domain? I only have
> one domain which the web server is a member of. You'd think IWA would
> authenticate non-domain clients against it automatically.
>
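David's point that only Basic can carry a "default domain" (the server holds the cleartext name and hands it to LogonUser(), whereas IWA hands over opaque tokens), together with Miha's SSL remark, as an added Python example that is not part of the thread. It decodes a Basic Authorization header and applies a default domain only to a bare username, leaving DOMAIN\user and user@domain (UPN) spellings as the client wrote them. The credential, domain names and default domain are constructed sample values; the mapping of a domain-less name to the local SAM is the behaviour Mark observed, not IIS code:

```python
"""
Added example, not from the thread: decode a Basic Authorization header and
apply the "Default domain" setting only where Basic can apply it, i.e. to a
bare username. The credential, domain names and default domain are constructed.
"""
import base64
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed: what a Basic-authenticating client sends for user "mark",
# password "s3cret". Base64 only, so the password is readable on the wire.
SAMPLE_AUTHORIZATION = "Basic " + base64.b64encode(b"mark:s3cret").decode("ascii")


@dataclass(frozen=True)
class Identity:
    user: str
    domain: Optional[str]   # None: no domain given, so the local SAM is tried
    form: str               # "down-level", "upn" or "bare"


def decode_basic(authorization: str) -> Tuple[str, str]:
    """Recover user-id and password from an Authorization: Basic header.

    Base64 is an encoding, not encryption: anyone who can read the header
    reads the password, which is why Basic belongs behind SSL/TLS.
    """
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user_id, sep, password = raw.partition(":")   # user-id may not contain ':'
    if not sep:
        raise ValueError("malformed Basic credential: no ':' separator")
    return user_id, password


def qualify(user_id: str, default_domain: Optional[str]) -> Identity:
    """Classify the user-id spelling and fill in the default domain where allowed.

    DOMAIN\\user and user@domain already carry a domain; only a bare name
    gets the configured default. Basic can do this because the server holds
    the cleartext name before calling LogonUser(); IWA has no name to qualify.
    """
    if "\\" in user_id:
        domain, _, user = user_id.partition("\\")
        return Identity(user, domain or None, "down-level")
    if "@" in user_id:
        user, _, domain = user_id.partition("@")
        return Identity(user, domain or None, "upn")
    return Identity(user_id, default_domain, "bare")


def credential_from_header(authorization: str,
                           default_domain: Optional[str]) -> Tuple[Identity, str]:
    """Decode the header and return (qualified identity, password)."""
    user_id, password = decode_basic(authorization)
    return qualify(user_id, default_domain), password


if __name__ == "__main__":
    for header, default in [
        (SAMPLE_AUTHORIZATION, None),        # bare name, no default: local SAM
        (SAMPLE_AUTHORIZATION, "CORP"),      # bare name + "Default domain:" set
        ("Basic " + base64.b64encode(b"CORP\\mark:s3cret").decode(), None),
        ("Basic " + base64.b64encode(b"mark@corp.example:s3cret").decode(), "OTHER"),
    ]:
        ident, _pw = credential_from_header(header, default)
        print(ident)
```

Only the bare spelling is affected by the default domain; the UPN case is the one David recommends when users cannot remember a domain name, because the domain travels inside the name the user already knows.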