[thelist] Pass Through authentication

Ken Schaefer Ken at adOpenStatic.com
Thu Oct 13 01:02:45 CDT 2005


> -----Original Message-----
> From: thelist-bounces at lists.evolt.org [mailto:thelist-
> bounces at lists.evolt.org] On Behalf Of Canfield, Joel
> Sent: Thursday, 13 October 2005 4:25 AM
> To: thelist at lists.evolt.org
> Subject: RE: [thelist] Pass Through authentication
> 
> > SQL 2000, IIS Web Server  running asp/javascript/html application.
> > Goal: Have the user hit the Intranet web site and with their existing
> > credential in MS Active Directory be able to access the SQL data.
> >
> > Looking for different ideas as how to best handle this.
> 
> In order to pass authentication from one network resource to another,
> you have to use basic authentication on your web pages.

Not true. You can use Kerberos & delegation, and that's the recommended way
because Kerberos is a nice, secure authentication protocol, and Basic isn't.

> (Your machine
> doesn't pass 'real' authentication info to other resources on the
> network, it merely passes the fact that you *are* authenticated, and the
> other resource trusts your machine.

When you are using Basic Auth, then the IIS server has the user's credentials in
clear text, and effectively acts as the end user.

In other cases, these other machines don't "trust your machine" whatsoever. 

If you are in a workgroup, then you directly pass authentication credentials
to the remote machine.

If you are in a domain, and connecting to another machine in the domain, you
will have a token issued to you by the domain controller which the remote
resource will check for your credentials.

Cheers
Ken
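
Added example, not part of Ken's message or of any IIS tooling: a small Python check of what an `Authorization` request header hands to the web server under the schemes discussed above. Kerberos delegation needs the Kerberos case, while Basic gives the server the password itself. The function name and sample values are constructed for illustration, and the Kerberos detection is a heuristic that looks for the Kerberos mechanism OID in the token.

```python
import base64
import binascii

NTLM_SIGNATURE = b"NTLMSSP\x00"  # every NTLM message starts with this
# DER-encoded OIDs that mark Kerberos inside a GSS-API/SPNEGO token
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),   # 1.2.840.113554.1.2.2
             bytes.fromhex("06092a864882f712010202"))   # 1.2.840.48018.1.2.2 (Microsoft)


def inspect_authorization(value):
    """Summarise what one Authorization header value hands to the web server."""
    scheme, _, blob = value.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return {"scheme": scheme, "error": "payload is not valid base64"}

    if scheme == "basic":
        # RFC 7617: base64(user ":" password); the server gets the password itself.
        user, sep, password = raw.decode("utf-8", "replace").partition(":")
        if not sep:
            return {"scheme": scheme, "error": "no user:password pair"}
        return {"scheme": scheme, "user": user, "server_holds_password": True,
                "password_length": len(password)}  # length only, never log the value

    if scheme in ("negotiate", "ntlm"):
        if NTLM_SIGNATURE in raw:
            mechanism = "ntlm"
        elif raw[:1] == b"\x60" and any(oid in raw for oid in KRB5_OIDS):
            mechanism = "kerberos"  # heuristic: Kerberos OID in a GSS-API token
        else:
            mechanism = "unknown"
        return {"scheme": scheme, "mechanism": mechanism,
                "server_holds_password": False}
    return {"scheme": scheme, "error": "unhandled scheme"}


if __name__ == "__main__":
    # Constructed samples: not captured traffic, and the tokens are not valid tickets.
    samples = [
        "Basic " + base64.b64encode(b"alice:s3cret").decode(),
        "Negotiate " + base64.b64encode(NTLM_SIGNATURE + b"\x01\x00\x00\x00").decode(),
        "Negotiate " + base64.b64encode(b"\x60\x20" + KRB5_OIDS[0] + bytes(8)).decode(),
    ]
    for s in samples:
        print(inspect_authorization(s))
```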

