Integrated web server authentication - security?

We have our own web server that hosts our website, which is open to the public outside of our network.

I have a request to make an Internal Publications link on our Careers page to authenticate a user to our Active Directory list on the network.

I currently have a setup where the link goes to a page inside the directory structure on the website, and the folder of that page is set to Integrated Windows Authentication. Anonymous access is disabled for this page. If the user is authenticated (that is: registered on our network or provided the correct credentials), they are sent on to the external career website where our jobs are posted. If they are not authenticated, a special 401 error page is displayed.

This works great, but there is a problem with it. Using IE, people can't just type in their username. They (of course) must also enter the domain name. Unfortunately, the default for "domain" is our website URL (www.xyz.com/username). I would like it to automatically pick our internal domain name (aaa / username), but I'm not sure how.

Another option is to use LDAP and some ASP scripts to authenticate the user. I already have this code, but I'm not sure about the implications of this. Basically, the page will be configured for anonymous authentication, and if the user is not logged into our network, they will be prompted for a username / password using standard text fields. It is then passed to an ASP script that performs an LDAP lookup against our Active Directory. Are there any security issues with this method?

Which method would you choose?

Thanks.

EDIT: I can't seem to authenticate to ActiveD via LDAP using the username / password command. So forget about this option.

Now my question is, how can I change the "default" domain used by IWA? Is it possible? By default, IE defaults to "www.xyz.com \ username" (my site), not "aaa \ username" (my domain name). Of course www.xyz.com \ username fails because this is not where our ActiveD is located ... Is this possible? I want to make it as easy as possible for our employees.

+2


3 answers


You cannot authenticate a user with a script that looks up the user in LDAP. You need to know that the user is who they claim to be, and the only way to do that is to let NTLM / Kerberos authenticate the user (i.e., establish proof that the user knows the secret stored in AD, the password).



0


The website URL for the site in question needs to be in the Local Intranet zone for IE browsers running on the intranet. By default, sites considered part of the Local Intranet zone are sent the current user's credentials when challenged with NTLM / Kerberos. Hence, your internal users shouldn't even see the network login.



0


I don't like to dig up an old thread, but the answers are a little misleading if I understand the question. Remus's answer refers to authentication via LDAP with a username only. As he points out, this is not possible. But it looks like Colin is asking about authenticating via LDAP with a username and password. This is a standard practice called binding.

0
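Added example, not code from the thread or any of its posters: the "username and password" LDAP check the last answer describes, done as a simple bind so that, as the first answer demands, the user proves knowledge of the AD password rather than merely existing in the directory. The domain `corp.example`, the host `dc1.corp.example`, the username pattern and the `ldap3` call are assumptions; the real bind is passed in as a function so the input checks can be exercised without a directory.

```python
"""Credential check against Active Directory via an LDAP simple bind (added example)."""
import re

DOMAIN = "corp.example"          # placeholder for the AD domain's UPN suffix
LDAP_HOST = "dc1.corp.example"   # placeholder domain controller (LDAPS, port 636)
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

# RFC 4515 escapes: form input must never reach a search filter unescaped,
# otherwise "*" or ")(" typed into the username field rewrites the query.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(sam_account_name: str) -> str:
    """Filter for looking up the account (e.g. group membership) after a successful bind."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(sam_account_name)}))"


def ldaps_bind(upn: str, password: str) -> bool:
    """Real simple bind over LDAPS using ldap3 (assumed installed); True on success.

    LDAPS matters: a simple bind sends the password in the clear otherwise.
    """
    from ldap3 import Connection, Server  # imported lazily so the checks below run without it
    conn = Connection(Server(LDAP_HOST, port=636, use_ssl=True), user=upn, password=password)
    ok = conn.bind()
    conn.unbind()
    return ok


def authenticate(username: str, password: str, bind=ldaps_bind) -> bool:
    """True only if the directory accepts the password for username@DOMAIN."""
    # Reject anything that is not a plain account name before it touches the directory.
    if not USERNAME_RE.fullmatch(username):
        return False
    # AD treats a bind with a name and an empty password as an unauthenticated bind and
    # reports success; a script that forgets this check lets anyone in with a blank password.
    if not password:
        return False
    return bind(f"{username}@{DOMAIN}", password)
```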
