Post by Ran Davidovitz
Because I want the users to be able to enter the portal without
entering username / password - I mean I want them to pass
it in the query string.
Why do you need to pass it on the URL somehow? Is your portal implementing
some sort of custom authentication scheme that requires this?
Post by Ran Davidovitz
And because Microsoft disabled that option to pass
credentials in the query I cannot accomplish this.
Correct, and this is by-design. Microsoft is obligated to close the security
vulnerability even if it breaks your application because only then do you
have the choice and responsibility of determining whether to re-open the
security vulnerability, or choosing a secure alternative.
I guess I just do not understand why you need to pass user credentials over
the URL because using pure Basic + auto-authenticate should be sufficient to
SSO. The only way I see that failing is if you are relying on custom
authentication, and since you are not describing what is broken about it, I
cannot offer any more advice.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
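Added example (not part of the original thread and not Microsoft's code): a small Python audit that flags the two URL forms discussed here, credentials in the `user:password@host` part of the address and credentials in the query string, and redacts them for reporting. The parameter names in `SENSITIVE_PARAMS` and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed query parameter names that carry credentials; adjust for the portal audited.
SENSITIVE_PARAMS = {"user", "username", "uid", "login", "pass", "password", "pwd"}

def find_url_credentials(url):
    """Return the reasons a URL exposes credentials (empty list if none)."""
    parts = urlsplit(url)
    findings = []
    # user:password@host form: the credentials sit in the address itself.
    if parts.username is not None or parts.password is not None:
        findings.append("userinfo")
    # Credentials in the query string end up in logs, history and bookmarks.
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append("query:" + name)
    return findings

def redact(url):
    """Return the URL with userinfo dropped and sensitive query values masked."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host += ":%d" % parts.port
    query = urlencode([(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
                       for k, v in parse_qsl(parts.query, keep_blank_values=True)])
    return urlunsplit((parts.scheme, host, parts.path, query, parts.fragment))

def audit(urls):
    """Return (redacted_url, findings) for every URL that exposes credentials."""
    return [(redact(u), f) for u in urls if (f := find_url_credentials(u))]

# Constructed sample links, e.g. as they might appear in a portal's link list.
SAMPLE_URLS = [
    "http://alice:s3cret@portal.example.com/app/",
    "https://portal.example.com/login.aspx?user=alice&pwd=s3cret&page=home",
    "https://portal.example.com/reports?page=2",
]

if __name__ == "__main__":
    for redacted, findings in audit(SAMPLE_URLS):
        print(redacted, findings)
```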
"Ran Davidovitz" <***@verint.com> wrote in message news:%23Zc$%***@TK2MSFTNGP14.phx.gbl...
The basic authentication is not 100% solution
Because I want the users to be able to enter the portal without entering
username / password - I mean I want them to pass it in the query string.
And because Microsoft disabled that option to pass credentials in the query
I cannot accomplish this.
Post by Ran Davidovitz
Browse through some of my blog entries to understand more about what you are
trying to do and why things work the way they do.
http://blogs.msdn.com/david.wang/archive/2005/07/06/SSO_ISAPI_Considerations_2.aspx
Post by Ran Davidovitz
Based on what you have said, I think the simplest solution is to have two
1. Intranet website uses Integrated authentication
2. Internet-facing website uses Basic+SSL
From home without VPN, Employees sign on using Basic over SSL and the
browser is instructed to "trust" and auto-authenticate to the
Internet-facing website. From work, Employees are already logged in and just
work.
--
//David
What we are trying to achieve is a single-sign on mechanism.
Our customer has a broadvision portal on the internet and he would like his
employees to be able to get to our server through the portal from home. (without VPN)
His employees log into the portal and through there they can get to many
applications so it is a business requirement to implement SSO (single sign on).
Our server is based on IIS and which needs to get the credentials in one way
or the other in order to validate the user and authenticate him.
Post by Ran Davidovitz
The customer used basic authentication, he cannot use integrated.
I don't want him to authenticate using a form.
I don't want the user to type his auth (I want to simulate "SSO") - The main
requirement is not to write credential again.
And the workaround is not clear enough (I have looked at it with some
developers).
Thank you for your response but it didn't help me yet :)
Post by David Wang [Msft]
Can you clarify what is confusing you from KB834489
I don't know how your authentication is configured and why your customer is
passing username/password using the URL, so I cannot make a recommendation
on how you can "support this issue (without updating the client side
registry)".
Why are the workarounds from the KB insufficient? Why can't your user just
type in username/password when prompted instead of having to type it into
the URL request itself?
--
//David
Hi.
I have a customer that until today passed his username / password using the
URL (using basic authentication).
After reading KB 834489 I see that this behavior is not supported any more.
I don't understand what is the workaround described in KB 834489.
I want to know if there is another way that I can support this issue
(without updating the client side registry).
* Whatever solution I will do I must support integrated security also.