[thelist] authenticating with mozilla/opera/w3 validator

Paul Cowan evolt at funkwit.com
Thu Nov 21 22:06:00 CST 2002


Chris W. Parker wrote:
> as far as the SSL thing goes, are you suggesting that the site be hosted
> from https:// and the authentication turned down to basic?

Well, yep. If it's important that it runs in other browsers, that is.

Basically, your options are:
    - just use IE, and stick with NTLM auth
    - switch to https:// (you can make IIS _require_ secure
      access for the site) and change to basic auth
    - change to basic auth, and leave passwords sent in plain
      text. This would be a bad thing.
    - use client certificates instead (insert vomiting noise
      here)
    - turn off the need to auth at all
    - that's about it really

I'd suggest that the first two are probably the most likely candidates.
3 is an option if you're sure that the passwords can't be sniffed, or
if you don't much care if they are. If the machine is publicly
accessible and you choose #3, come over here so I can slap you upside
the head.

> thanks for the information, i don't think i would have thought of it
> being the server's problem.

IIS is a riddle, wrapped in a mystery, wrapped in an enigma, wrapped
in a confusing admin interface. You learn something new about it every
day.

Of course, this could just as easily happen with any other web server
that serves up an auth method that IE, say, doesn't understand (if
there are any). It's just that NTLM is the default, which trips people
up.

Paul
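
An added example, not part of the original post: a Python sketch that maps a site's URL and its 401 challenges onto the options listed above, and shows that a Basic credential is only base64-encoded, which is why it needs https. The function names, finding labels, the `intranet.example` host and the sample credential are constructed for illustration; it assumes one challenge per `WWW-Authenticate` value.

```python
import base64
from urllib.parse import urlsplit

INTEGRATED = {"ntlm", "negotiate"}  # Windows-integrated challenges sent by IIS


def offered_schemes(challenges):
    """Return the auth scheme names from WWW-Authenticate values.

    Assumes one challenge per header value, e.g. 'Basic realm="x"' or 'NTLM'.
    """
    return [c.strip().split(None, 1)[0].lower() for c in challenges if c.strip()]


def decode_basic(authorization):
    """Recover (user, password) from an 'Authorization: Basic ...' value."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password


def assess(url, challenges):
    """Map a site's URL and its 401 challenges onto the options in the post."""
    schemes = offered_schemes(challenges)
    tls = urlsplit(url).scheme.lower() == "https"
    findings = []
    if not schemes:
        findings.append("no-auth-required")
    elif set(schemes) <= INTEGRATED:
        # Clients that do not implement these schemes cannot log in.
        findings.append("integrated-only")
    if "basic" in schemes:
        findings.append("basic-over-tls" if tls else "basic-in-cleartext")
    return findings


# Constructed sample data, not taken from the thread.
SAMPLE_AUTHORIZATION = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")

if __name__ == "__main__":
    print(assess("http://intranet.example/", ["Negotiate", "NTLM"]))
    print(assess("http://intranet.example/", ['Basic realm="intranet"']))
    print(assess("https://intranet.example/", ['Basic realm="intranet"']))
    print(decode_basic(SAMPLE_AUTHORIZATION))
```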



