Fog Creek Software
Discussion Board




Browser authentication in Windows


I was talking with a colleague about authentication under Windows, and a question came up that neither of us knew the answer to.

In an intranet environment that requires authentication, when a client browses to a webpage and is authenticated, how is the request performed? Is it:

1. Does the web server make a request to the DC to authenticate the user?
or

2. Does the web server tell the client "Hey, you need to authenticate first from the DC. Once you've authenticated, I'll process your request."

Because I wanna know
Thursday, August 12, 2004

Well, if you're using a real webserver (read, not IIS), you'd probably code something up with mod_perl and LDAP.  But I'm guessing that you probably want to use FisherPrice (Microsoft) stuff.

:)

muppet
Thursday, August 12, 2004


We're using IIS with Windows Server 2000.

Because I wanna know
Thursday, August 12, 2004

Oh.

Well I'm pretty sure that IIS handles authentication/authorization by flipping a coin or something.

muppet
Thursday, August 12, 2004

See here...

http://support.microsoft.com/default.aspx?scid=KB;en-us;142868&sd=tech

Essentially it's IIS that manages the authentication request, masquerading as the user.  The only real difference the browser makes is if it understands the NTLM protocol to encrypt the userid and password.

Simon Lucy
Thursday, August 12, 2004

Since you mention DC, I'll assume you are using Integrated Windows authentication.
Google on Kerberos V5.

Just me (Sir to you)
Thursday, August 12, 2004


Hey muppet, is this an example of some of your helpful, insightful posts?

Because otherwise, I might be led to believe what other people say about you. Namely, that you are just a fucking troll who clogs up threads with useless and argumentative posts.

What A tool
Thursday, August 12, 2004

WAT -

You mean, sort of like yours?

muppet
Thursday, August 12, 2004

1) The browser requests the page with no credentials.
2) The web server responds with a 401 forbidden and tells the browser it needs credentials.
3) The browser pops up a username/password dialog* and sends the resulting credentials to the web server
4) The web server talks to the KDC to check the credentials and then serves up the page.

* IE will forgo the dialog box for any IIS server in your "Intranet" and "Trusted Sites" zones and just automatically send your current credentials if the server is configured to use Windows Authentication, which hashes the password.

Recent versions of Mozilla and FireFox (1.5+ and 0.8+) can do Windows Authentication password hashing, but they still pop up a dialog.  You can tell them to remember the password though.

This is the typical behavior if you haven't implemented some sort of single sign-on.

Richard P
Thursday, August 12, 2004
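The four-step exchange Richard P describes, as an added simulation that is not code from the thread. The "KDC" is a constructed dict, the Negotiate token is a placeholder `user:secret` string rather than a real SPNEGO/Kerberos blob, and the zone names are assumptions standing in for IE's Intranet / Trusted Sites zones; the point it shows is that the zone check is what decides whether credentials leave the browser silently or only after a dialog.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the domain controller's account database.
FAKE_KDC = {"alice": "s3cret"}

# Assumed zone names; only these get credentials sent without a dialog,
# mirroring the IE behaviour described in the post above.
AUTO_SEND_ZONES = {"intranet", "trusted"}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def server(request_headers: dict) -> Response:
    """Steps 2 and 4: challenge when no token is present, otherwise
    validate the token against the (fake) KDC and serve the page."""
    auth = request_headers.get("Authorization", "")
    if not auth.startswith("Negotiate "):
        return Response(401, {"WWW-Authenticate": "Negotiate"})
    token = auth[len("Negotiate "):]
    user, _, secret = token.partition(":")  # placeholder token format
    if FAKE_KDC.get(user) == secret:
        return Response(200, body=f"hello {user}")
    # Bad credentials: re-issue the challenge rather than leak detail.
    return Response(401, {"WWW-Authenticate": "Negotiate"})


def browser(zone: str, prompt_for_creds, current_user=None):
    """Steps 1 and 3: request anonymously, then answer the 401 challenge.
    Returns the final response and a log of what happened on the way."""
    log = []
    first = server({})
    log.append(first.status)
    if first.status != 401:
        return first, log
    if zone in AUTO_SEND_ZONES and current_user:
        creds = current_user        # silent single sign-on, no dialog
    else:
        creds = prompt_for_creds()  # server outside the zone: ask the user
        log.append("dialog")
    token = f"{creds[0]}:{creds[1]}"
    final = server({"Authorization": "Negotiate " + token})
    log.append(final.status)
    return final, log
```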


Thanks for the info, everyone. (Well, everyone but Muppet.)

Because I wanna know
Thursday, August 12, 2004

You gotta admit the flipping the coin thing was kinda funny though.

pooheads need love too
Thursday, August 12, 2004
