I have always enabled integrated security on my web apps inside IIS with the assumption that the passwords that are requested on the client end will always be transmitted securely (encrypted) to my authentication server (AD/LSA). Am I correct on my assumption? The reason I have always assumed this is 'coz I always think of them as being very similar to authenticating a windows client with an AD in which case the client & server will either employ NTLM or Kerberos for authentication where the passwords are always encrypted.
views:
120answers:
2
+2
A:
No. The passwords are not even sent to the domain controller when authentication is performed. There is a challenge/response type algorithm which occurs, which prevents the need to do this, and is a lot more secure than passing the password around.
Dave Markle
2009-07-01 20:28:33
I am realy not sure what do you mean when you say it is not even sent to domain controller. I can login as any domain/local user in my login dialog and if my AD/LSA is not authenticating, who do you think is doing the authentication?
msvcyc
2009-07-01 20:35:49
It's authenticating, but it's not sending the password. It's sending a value which could only be computed if you knew the password. It's only necessary to prove that you know the password. It's not necessary to send the password in order to prove that you know the password.
John Saunders
2009-07-02 03:44:04
A:
This is probably a better ServerFault question but if you aren't using Basic Auth for the password, and are using NTLM, then the transmission of the password is encrypted. (It also only works in IE).
Jeff Martin
2009-07-01 20:29:46
I hope by NTLM you are referring to the integrated windows authentication option within my web application's Directory Security Tab's Authentication and access control option. However, why do you say it works only for IE. I can get authenticated even via FireFox with no issues.
msvcyc
2009-07-01 20:40:38
I am maybe working on old information. Firefox used to not support the NTLM authentication type in IIS.
Jeff Martin
2009-07-02 17:53:23