login      my ps      about      contact  



home instructor-led training online training blogs


Security Briefs » Internet Explorer and authentication

Internet Explorer and authentication

Security Briefs

Pluralsight Blogs

Syndication

Recent Posts

Tags

View more

Keith's books

Misc

Recent Articles

Archives

A former student (let's call him Joe) sent me mail the other day. He was wondering why sometimes when he surfs to an internal website he is prompted for credentials, when the site is configured for integrated authentication. “Shouldn't it just happen automatically?” he asked. Apparently after he types in his Windows user name and password (the same account he's logged in with, by the way), things work great.

If you ever see one of those popups and you're surprised like Joe was, glance down at the status bar (you may have to turn the stupid thing on again if it's been turned off on you, but that's another post). Look and see what zone that website is in. If it's the Internet zone, you're most likely just running into a security feature that IE implements to help protect your anonymity when surfing the web.

Bring up the Internet Options dialog and flip to the Security tab. Select the Internet zone, then press “Custom Level...” to see the details of the protections IE provides you when surfing Internet sites. If you scroll down a bit, you'll probably see something like this:

So why would a website inside of Joe's company be lumped in the “Internet” zone? Probably because Joe accessed it via a DNS name that had a dot in it (for example, http://www.pluralsight.com or http://192.168.0.22 as opposed to http://webbox). This is one heuristic that IE uses to figure out what's probably not in the “Local Intranet” zone. Anything that cannot be categorized in any other zone is automatically dropped into the Internet zone for safety sake.

If you have an internal website that use a lot and want to avoid being prompted for credentials, simply tell IE that this site should be considered part of the Local Intranet zone. You can do this by going to back to the Security tab and selecting the Local Intranet zone then pressing the “Sites...” button. If you look at the security settings for the Local Intranet zone, you'll see that it will automatically log you in without a prompt (of course if the website is using Basic authentication, this isn't possible because the website needs your cleartext password and you'll still be prompted).

For external websites that you trust, you can also add them to the “Trusted Sites” zone in the same fashion.

Posted Jun 26 2004, 09:40 AM by keith-brown
Filed under: ,

Comments

Al wrote re: Internet Explorer and authentication
on 05-27-2005 7:40 AM
So, given what you have said, which will be more secure to internal networks, intranet or trusted sites if you use a wild card setting? Thanks,
Keith Brown wrote re: Internet Explorer and authentication
on 05-27-2005 8:51 AM
Not sure what you mean by a wild card setting, but you can compare the two levels and decide which is more appropriate for your scenario. They differ in different dimensions. Trusted Sites allows download of signed ActiveX controls without prompting, while Intranet requires a prompt by default.

But .NET Code Access Security policy grants downloaded apps in the Intranet zone more freedom (medium trust) than apps in Trusted Sites (low trust). Go figure.

You can adjust all this stuff to suit your needs though. Just tweak the zone security settings by selecting "Custom Level".

Josh wrote re: Internet Explorer and authentication
on 07-02-2005 11:55 AM
OK, this make sense for Intranet Zone. Now tell me, what if Joe looks down at his status bar and sees "Trusted Site"? All other sites under "trusted sites" will open without prompting for authentication (using windows credentials). And the real kicker is that Joe has been to this site many times before and it never asked for his credentials then, but it is now. (entering his credentials manually grants him access to the page until he restarts his browser)

What would you tell Joe?
Keith Brown wrote re: Internet Explorer and authentication
on 07-02-2005 2:38 PM
I'd tell Joe that the website has likely flipped to using Basic authentication instead of Integrated. You see, your logon session does not cache your full password when you log in to Windows - it hashes it and keeps that hash as a secret that can be used to do integrated authn.

But Basic requires the cleartext password. Your browser asks you for this, then remembers the password as long as you keep the browser open.

Anyway, that's what it sounds like to me.

Add a Comment

(required)  
(optional)
(required)  
Remember Me?


home instructor-led training online training blogs

781.749.9238 (East Coast) | 310.251.9901 (West Coast) | Pluralsight, LLC , 185 Lincoln St., Suite 305, Hingham, MA 02043-1741

Copyright © 2008 Pluralsight LLC. All rights reserved.

designed by nukeation