NT Authentication - 2nd challenge/response

Sorry, I posted this to the wrong group a few minutes ago. It belongs
here...


Hi,

I have an IIS ASP website that requires a user to be authenticated on our
domain to be let in. However, if a user is already authenticated on the
domain they are allowed straight into the ASP web without being challenged
for a password. I want them to be challenged for their NT username/password
regardless of whether they are logged into the domain on their machines
already. Can I do this with IIS/ASP webs? Any suggestions as to how?

Thanks,
PJ

Re: NT Authentication - 2nd challenge/response

You do this by configuring the browser to not auto-login.

There is no such thing as "if a user is already authenticated on the domain
they are allowed straight into the ASP web without being challenged for a
password". If you configure IIS to require authentication, by-definition IIS
will *always* challenge the remote client for their NT user credentials.

The question is whether the remote browser chooses to auto-login using the
user's domain-authenticated credentials when IIS challenges the remote
client for their NT user credentials. It is this auto-login that gives the
impression that an authenticated user is allowed straight into the ASP web
without being challenged for a password.

You can verify this behavior yourself by looking at the IIS web log file for
the request sequence and see that the user is *not* allowed straight into
the ASP website and actually gets a 401 challenges... but the browser
silently makes a couple more requests to attempt auto-login.

Thus, you need to configure the client browser to not auto-login and then
they will always be challenged for their user credentials when accessing
your website.

If you want further customized behavior, you can do so with your own
customized authentication protocol.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"P James" wrote in message
news:unYzKWVOGHA.3924@TK2MSFTNGP14.phx.gbl...
>
> Sorry, I posted this to the wrong group a few minutes ago. It belongs
> here...
>
>
> Hi,
>
> I have an IIS ASP website that requires a user to be authenticated on our
> domain to be let in. However, if a user is already authenticated on the
> domain they are allowed straight into the ASP web without being challenged
> for a password. I want them to be challenged for their NT
> username/password
> regardless of whether they are logged into the domain on their machines
> already. Can I do this with IIS/ASP webs? Any suggestions as to how?
>
> Thanks,
> PJ
>
>
>
>

Re: NT Authentication - 2nd challenge/response

P James wrote:
> Sorry, I posted this to the wrong group a few minutes ago. It belongs
> here...
>
>
> Hi,
>
> I have an IIS ASP website that requires a user to be authenticated on our
> domain to be let in. However, if a user is already authenticated on the
> domain they are allowed straight into the ASP web without being challenged
> for a password. I want them to be challenged for their NT username/password
> regardless of whether they are logged into the domain on their machines
> already. Can I do this with IIS/ASP webs? Any suggestions as to how?
>

Turn off Integrated Windows Authentication.