INTEGRATED AUTHENTICATION ON A WEB SITE

12/08/2003 - 14:11 by Maribel
HELLO!!
ON MY WEB SITE I CONTROL ACCESS USING INTEGRATED WINDOWS AUTHENTICATION.
THIS IIS IS LOCATED ON THE SERVER THAT IS THE DOMAIN CONTROLLER.
THE SERVER I AM REFERRING TO HAS SMALL BUSINESS SERVER INSTALLED.

IS IT NORMAL THAT EVERY TIME WE ACCESS THIS WEB SITE FROM THE INTRANET WE
HAVE TO ENTER THE USER NAME AND PASSWORD?? I UNDERSTOOD THAT THIS
AUTHENTICATION USED THE NAME AND PASSWORD ENTERED WHEN LOGGING ON TO THE
DOMAIN, SO THERE IS NO NEED TO ENTER THEM AGAIN AND AGAIN.
ANY HELP??
REGARDS.
 


#1 Iván González Vilaboa
13/08/2003 - 16:29
Hi Maribel,

with integrated authentication the browser shows the dialog box asking for
the user name and password when it is unable to obtain the credentials any
other way.

See if this helps you find what is failing:

Integrated Windows Authentication

Integrated Windows authentication (formerly called NTLM, and also referred
to as Windows NT Challenge/Response authentication) is a secure form of
authentication because the user name and password are hashed before being
sent across the network. When you enable Integrated Windows authentication,
the user's browser proves its knowledge of the password through a
cryptographic exchange with your Web server, involving hashing. Integrated
Windows authentication is the default authentication method used in members
of the Windows Server 2003 family.

Integrated Windows authentication uses Kerberos v5 authentication and NTLM
authentication. If Active Directory Services is installed on a Windows 2000
or later domain controller and the user's browser supports the Kerberos v5
authentication protocol, Kerberos v5 authentication is used; otherwise, NTLM
authentication is used.

Integrated Windows authentication includes the Negotiate, Kerberos, and NTLM
authentication methods. Negotiate, a wrapper for Kerberos and NTLM, is a
good choice for connecting to clients on the Internet because each lacks a
capability, as follows:

- NTLM can get past a firewall, but is generally stopped by proxies.
- Kerberos can get past a proxy, but is generally stopped by firewalls.

For Kerberos v5 authentication to be successful, both the client and the
server must have a trusted connection to a Key Distribution Center (KDC) and
be Active Directory Services compatible.

Client Authentication Process
The following steps outline how a client is authenticated using Integrated
Windows authentication:

1. Unlike Basic authentication, Integrated Windows authentication does not
   initially prompt for a user name and password. The current Windows user
   information on the client computer is used for Integrated Windows
   authentication.
   Note: Microsoft Internet Explorer versions 4.0 and later can be configured
   to initially prompt for user information if needed. For more information,
   see Internet Explorer Help.
2. If the authentication exchange initially fails to identify the user, the
   browser prompts the user for a Windows account user name and password,
   which it processes using Integrated Windows authentication.
3. Internet Explorer continues to prompt the user until the user either
   enters a valid user name and password or closes the prompt dialog box.

Although Integrated Windows authentication is secure, it does have two
limitations:

- Only Microsoft Internet Explorer versions 2.0 and later support this
  authentication method.
- It does not work over HTTP proxy connections.

Therefore, Integrated Windows authentication is best suited for an intranet
environment, where both user and Web server computers are in the same domain
and where administrators can ensure that every user has Internet Explorer
version 2.0 or later. If Integrated Windows authentication fails due to
improper user credentials or some other problem, the browser prompts the
user to enter a user name and password.

Integrated Windows authentication uses Kerberos. Before the Kerberos
authentication service can authenticate a service, the service must be
registered on only one account object. If the logon account of a service
instance changes, the service must be reregistered under the new account.
Therefore, only one application pool that has the service registered can
authenticate with Kerberos. As a result of this, you cannot isolate sites
from each other on the virtual directory level in an application pool. There
is a workaround, however. The customer can isolate these sites based on
domain name. For example, CompanynameHR.com and CompanynameSales.com.

Configuring Integrated Windows Authentication
Important: You must be a member of the Administrators group on the local
computer to perform the following procedure (or procedures), or you must
have been delegated the appropriate authority. As a security best practice,
log on to your computer using an account that is not in the Administrators
group, and then use the Run as command to run IIS Manager as an
administrator. From the command prompt, type:

runas /user:administrative_accountname "mmc %systemroot%\system32\inetsrv\iis.msc"

To enable Integrated Windows authentication

1. In IIS Manager, right-click the Web Sites folder, Web site, directory,
   virtual directory, or file, and click Properties.
   Note: Configuration settings made at the Web Sites folder level can be
   inherited by all Web sites.
2. Click the Directory Security or File Security tab, depending upon what
   level you are configuring security settings.
3. In the Anonymous access and authentication control section, click Edit.
4. In the Authenticated access section, select the Windows Integrated
   Authentication check box.
5. Click OK twice.


Regards,
Iván


"Maribel" wrote in message
news:
HELLO!!
ON MY WEB SITE I CONTROL ACCESS USING INTEGRATED WINDOWS AUTHENTICATION.
THIS IIS IS LOCATED ON THE SERVER THAT IS THE DOMAIN CONTROLLER.
THE SERVER I AM REFERRING TO HAS SMALL BUSINESS SERVER INSTALLED.

IS IT NORMAL THAT EVERY TIME WE ACCESS THIS WEB SITE FROM THE INTRANET WE
HAVE TO ENTER THE USER NAME AND PASSWORD?? I UNDERSTOOD THAT THIS
AUTHENTICATION USED THE NAME AND PASSWORD ENTERED WHEN LOGGING ON TO THE
DOMAIN, SO THERE IS NO NEED TO ENTER THEM AGAIN AND AGAIN.
ANY HELP??
REGARDS.
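
The reply above describes Negotiate as a wrapper for Kerberos and NTLM. When diagnosing repeated prompts, the Authorization and WWW-Authenticate headers from an HTTP trace show which of the two is actually in use. The following is an added example, not part of the original posts or of the quoted documentation; the function name and the sample tokens are assumptions constructed for illustration.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def classify(header_value):
    """Return (scheme, mechanism, detail) for the value of an Authorization
    or WWW-Authenticate header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return (scheme, "other", "not Integrated Windows authentication")
    if not b64.strip():
        return (scheme, "offer", "scheme offered, no token yet")
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return (scheme, "invalid", "token is not valid base64")
    # Raw NTLM message: 8-byte signature, then little-endian message type.
    if token.startswith(NTLMSSP) and len(token) >= 12:
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return (scheme, "NTLM", NTLM_TYPES.get(msg_type, "unknown type"))
    # GSS-API token: ASN.1 tag 0x60, then the mechanism OID near the start.
    if token[:1] == b"\x60" and OID_SPNEGO in token[:16]:
        offered = [name for name, oid in (("Kerberos", OID_KRB5), ("NTLM", OID_NTLM))
                   if oid in token]
        return (scheme, "SPNEGO", "+".join(offered) or "no known mechanism")
    if token[:1] == b"\x60" and OID_KRB5 in token[:16]:
        return (scheme, "Kerberos", "bare Kerberos token")
    return (scheme, "unknown", "unrecognised token")


# Constructed samples (not captured traffic): an NTLM type 1 message, and a
# SPNEGO NegTokenInit holding only a mechanism list (Kerberos, then NTLM).
SAMPLE_NTLM = base64.b64encode(NTLMSSP + struct.pack("<II", 1, 0xA2088207)).decode()
SAMPLE_SPNEGO = base64.b64encode(
    bytes.fromhex("6027") + OID_SPNEGO + bytes.fromhex("a01d301ba0193017")
    + OID_KRB5 + OID_NTLM).decode()

if __name__ == "__main__":
    for value in ("Negotiate", "Negotiate " + SAMPLE_NTLM,
                  "Negotiate " + SAMPLE_SPNEGO, "Basic dXNlcjpwYXNz"):
        print(classify(value))
```

A raw NTLMSSP token under the Negotiate scheme means the client did not use Kerberos for that request and sent NTLM instead.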

