 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
Windows Server Forum / IIS / IIS General Topics / July 2008unwanted authentication prompt - unusual situation
I have an unusual situation - a folder within a public website on a server running IIS 6.0 has permissions set to allow anyone to browse to the folder and view its contents without a default page. No problem - browse to the folder and view contents without index.html. However, ONE folder within this 'public' folder is protected by an authentication program installed on the server called Authentix, which uses basic authentication to verify usernames and passwords located in a database (ODBC connection). I can browse to any of the 'public' folders without a problem initially, then if the 'authentix protected' folder is accessed via username and password and then closed, when I try to browse to one of the 'public folders' AFTER the protected area, I get an UNWANTED username and password prompt, not by the authentix protection program, but a generic IIS authentication prompt. Any way to avoid this? Dee Holzman Probably by design and i think it works like this (i don't know exactly how this Authentix software works): When you browse the unprotected files, there is no problem. When you go to the protected folder, the server responses with a 401 asking for authentication. The browser asks the user for credentials. Once this is done, the browser has cached the credentials, and will not ask the the user for the username and password anymore (but must still send them to the server on each request). This works as long as the user navigates in the protected folder, because the username and password can be matched on the server. But once the user navigates away from the protected folder, the browser will continue to use the username and password supplied, and send it to the server. Since the authentication is now handled by IIS, it notices that the username and password is incorrect (there is no matching windows user), and tells the browser that it will not accept the username and password it is trying to use (authentication prompt shows). So my guess is that the problem is "by design" because the browser tries to be user friendly and "cache" the username and password, but don't understand when to use it and when to not use it. You can verify that my guess is correct by checking in the IIS log file. The status codes gives you a great clue what is going on.  SignatureRegards, Kristofer Gafvert http://www.gafvert.info/iis/ - IIS Related Info >I have an unusual situation - a folder within a public website on a server >running IIS 6.0 has permissions set to allow anyone to browse to the folder [quoted text clipped - 14 lines] > > Dee Holzman Yes Kristofer - that makes perfect sense - I will have the host provider check the logfile. I'm wondering if there is javascript or something that I can add to the links to the unprotected folders & pages to prevent the browser from trying to pass the cached username and password back to the server. > Probably by design and i think it works like this (i don't know exactly > how this Authentix software works): [quoted text clipped - 40 lines] >> >> Dee Holzman If you want your public folder to not ask for authentication, then just configure IIS to only require Anonymous authentication for it. IIS will never ask you for a password (when properly configured) no matter what the client does. Depending on how AuthentiX works, that protected directory may need either Anonymous or Basic authentication enabled in IIS. In general, having multiple authentication providers (i.e. both IIS and AuthentiX) active in an URL namespace is dangerous and full of such surprises. Almost all such surprises are either server misconfiguration, bugs in the custom authentication provider, or user misunderstanding of the authentication provider's capabilities. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang // > I have an unusual situation - a folder within a public website on a server > running IIS 6.0 has permissions set to allow anyone to browse to the folder [quoted text clipped - 14 lines] > > Dee Holzman Thank you David - this also makes sense - I appreciate your help, Dee Holzman If you want your public folder to not ask for authentication, then just configure IIS to only require Anonymous authentication for it. IIS will never ask you for a password (when properly configured) no matter what the client does. Depending on how AuthentiX works, that protected directory may need either Anonymous or Basic authentication enabled in IIS. In general, having multiple authentication providers (i.e. both IIS and AuthentiX) active in an URL namespace is dangerous and full of such surprises. Almost all such surprises are either server misconfiguration, bugs in the custom authentication provider, or user misunderstanding of the authentication provider's capabilities. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang // On Jul 28, 9:33 am, "Dee Holzman" <d...@gorgekids.com> wrote: > I have an unusual situation - a folder within a public website on a server > running IIS 6.0 has permissions set to allow anyone to browse to the [quoted text clipped - 17 lines] > > Dee Holzman |
Reply to this Message |
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.