IIS7 Basic Authentication question

on 17.11.2007 01:23:01 by SushiSean

Hello, I have a question about how Basic Authentication works with IIS7.
So in general it works like this (correct me if I am wrong):

The browser sends in the HTTP header a row with Authorization, something like this:
.....
Authorization: Basic MTIzNDU2Nzg5MDpIc1lYRm9aZkhBcXlMY0NSWWVIOHFR
.....

This "MTIzNDU2Nzg5MDpIc1lYRm9aZkhBcXlMY0NSWWVIOHFR" is the login and password
encrypted in base64, and if in IIS7 "Basic Authentication" is turned on, it checks
this login and password.

So my questions are:
1) If I have login "login123" and password "pass123" and it was encrypted and
sent to IIS7, where should I specify the list of logins/passwords which IIS7 should
let pass? Is it some config file?
2) In the settings of Basic Authentication there are "Default Domain" and "Realm". I don't
understand the logic of them. Can somebody give me an example of using those
fields?

Thanks a lot.

Re: IIS7 Basic Authentication question

on 17.11.2007 11:12:15 by David Wang

On Nov 16, 4:23 pm, SushiSean wrote:
> Hello, I have a question about how Basic Authentication works with IIS7.
> So in general it works like this (correct me if I am wrong):
>
> The browser sends in the HTTP header a row with Authorization, something like this:
> ....
> Authorization: Basic MTIzNDU2Nzg5MDpIc1lYRm9aZkhBcXlMY0NSWWVIOHFR
> ....
>
> This "MTIzNDU2Nzg5MDpIc1lYRm9aZkhBcXlMY0NSWWVIOHFR" is the login and password
> encrypted in base64, and if in IIS7 "Basic Authentication" is turned on, it checks
> this login and password.
>
> So my questions are:
> 1) If I have login "login123" and password "pass123" and it was encrypted and
> sent to IIS7, where should I specify the list of logins/passwords which IIS7 should
> let pass? Is it some config file?
> 2) In the settings of Basic Authentication there are "Default Domain" and "Realm". I don't
> understand the logic of them. Can somebody give me an example of using those
> fields?
>
> Thanks a lot.


IIS7 authentication is integrated with Windows. It will use the Win32
LogonUser() API to authenticate the username/password and, if
successful, obtain an NT user token to execute the remainder of the
request.

1. In other words, you add Windows users and they can be authenticated
via Basic authentication.

IIS7's authentication protocols are all tied to the Windows SAM or Active
Directory for username/password verification. If you want the user list
to be stored in your proprietary file, then you'll have to either
re-implement the protocol support yourself or implement an extensibility
module. It is easy to do this with IIS7.

2. Realms and domains are simply additional name modifiers that you
may or may not choose to use. You can treat them like a City/State identifier
for your name/address.

For example, I can always log in as David, but if I'm in an
organization that has multiple people named David, either our
usernames have to become distinguishing, or our account domain/realm
needs to be different, i.e. you have to reference me as either "David
Wang" or "David of Washington State". Clearly, a user's identification
string has to be unambiguous within an organization of people or else
mistaken identity is a problem. This is why there are concepts like
"Realm" or "Domain", because sometimes first/last name is not enough
(for example, I know of at least a dozen other people with my same name,
so I am very aware of how non-unique a name can be).

Now, Basic Authentication's notions of Realm and Domain are very weak
and insecure -- they allow the server to attack the security protocol
and modify it. More secure protocols like Windows Authentication or
Kerberos Authentication require end users to specify their username
and domain/realm, thus ensuring the identity's fidelity.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
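As an added illustration of the exchange David describes (not code from either poster, and not IIS's own implementation), here is the Basic scheme end to end in Python: the 401 challenge that carries the Realm, the client's base64 Authorization value, the server's decode, the Default Domain applied to an unqualified username, and a constant-time credential check against a constructed in-memory table that stands in for the SAM/Active Directory lookup LogonUser() performs. The account table, the CONTOSO/FABRIKAM domain names and the realm string are assumptions; the header value and the login123/pass123 pair come from the question. Decoding the question's own header shows that base64 is reversible by anyone who can see the header, which is why Basic should only be offered over TLS.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample: the header value from the question above (the part
# after "Authorization: ").
SAMPLE_AUTHORIZATION = "Basic MTIzNDU2Nzg5MDpIc1lYRm9aZkhBcXlMY0NSWWVIOHFR"

# Constructed stand-in for the Windows SAM / Active Directory that IIS7 hands
# credentials to via LogonUser(). Keyed by (DOMAIN, user). The domain name is
# an assumption; login123/pass123 come from the question. Not a real store.
FAKE_ACCOUNTS: Dict[Tuple[str, str], str] = {
    ("CONTOSO", "login123"): "pass123",
}


def challenge(realm: str) -> str:
    """The 401 header the server sends to ask for credentials. The realm is a
    label the browser shows in its prompt; it is not a security boundary."""
    return f'WWW-Authenticate: Basic realm="{realm}"'


def encode_basic(userid: str, password: str) -> str:
    """Client side: build the Authorization value. RFC 2617 forbids ':' in the
    user-id because the first ':' is the separator."""
    if ":" in userid:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{userid}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Server side: recover (user-id, password) from 'Basic <base64>'.
    Returns None for anything malformed. base64 is an encoding, not encryption:
    anyone who can read the header can read the password."""
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    userid, sep, password = text.partition(":")  # split on the FIRST colon only
    if not sep:
        return None
    return userid, password


def resolve_account(userid: str, default_domain: str) -> Tuple[str, str]:
    """Apply the 'Default domain' setting. Assumed behaviour: DOMAIN\\user keeps
    the domain the user typed; user@domain (a UPN) is passed through whole with
    an empty domain, which is what LogonUser() expects for a UPN; a bare name
    gets the default domain."""
    if "\\" in userid:
        domain, _, user = userid.partition("\\")
        return domain.upper(), user
    if "@" in userid:
        return "", userid
    return default_domain.upper(), userid


def fake_logon_user(domain: str, user: str, password: str) -> bool:
    """Stand-in for Win32 LogonUser(): looks the account up in FAKE_ACCOUNTS.
    Constant-time compare so a wrong password does not leak how much of it
    matched."""
    expected = FAKE_ACCOUNTS.get((domain, user))
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def authenticate(request_headers: Dict[str, str], default_domain: str = "CONTOSO",
                 realm: str = "Contoso intranet") -> Tuple[int, Optional[str], Optional[str]]:
    """One request's server-side decision: (status, response header or None,
    authenticated DOMAIN\\user or None)."""
    value = request_headers.get("Authorization")
    if value is None:
        return 401, challenge(realm), None
    creds = decode_basic(value)
    if creds is None:
        return 400, None, None
    userid, password = creds
    domain, user = resolve_account(userid, default_domain)
    if fake_logon_user(domain, user, password):
        return 200, None, f"{domain}\\{user}"
    return 401, challenge(realm), None  # unknown user and wrong password look the same


if __name__ == "__main__":
    print(decode_basic(SAMPLE_AUTHORIZATION))
    print(authenticate({}))
    print(authenticate({"Authorization": encode_basic("login123", "pass123")}))
    print(authenticate({"Authorization": encode_basic("FABRIKAM\\login123", "pass123")}))
```

Running the block prints the decoded sample credential (user-id 1234567890) followed by three server decisions. The username is qualified with a domain before the lookup, either because the user typed DOMAIN\user or because the Default Domain is applied; without that step two users named David in different domains would collide in exactly the way the reply describes.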