Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: RE: Browser login with Windows domain login

RE: Browser login with Windows domain login

From: Scovetta, Michael V <Michael.Scovetta_at_ca.com>
Date: Thu, 8 Apr 2004 11:16:12 -0400

Steven,
   This depends greatly on your application:
ASP on Windows Server:
   built in, just enable "Windows Integrated Authentication" in IIS
Tomcat/JBoss/etc on Windows Server:
   use JK or JK2 (ISAPI filter for IIS that passes authentication through)
Tomcat/JBoss/etc on non-Windows Server:
   take a look at jCIFS (jcifs.samba.org) -or-
   use JK or JK2 on a Windows server that will pass the request to the non-Windows server
Crazy setup (Perl/CGI/Ruby/whatever)
   use a Windows server to authenticate, then homebrew a **secure** method of transferring
    the username to your web application (back-end channel with request token? encrypted
    token? something like that)

Unfortunately, only IE supports this "silent" authentication. It'll actually use either NLTM or Kerberos, depending on the version of IE, the version of Windows it's running on, and the settings on the IIS server. Mozilla/Fire[bird|fox] support it too, but they'll always
pop up a prompt for it. (that would be a nice plugin for Moz, to do it silently, wink wink nudge nudge).

That's my brain-dump on this. Hope it helps.

Michael Scovetta

-----Original Message-----
From: stevenr_at_mastek.com [mailto:stevenr_at_mastek.com]
Sent: Thursday, April 08, 2004 9:22 AM
To: webappsec_at_securityfocus.com
Subject: Browser login with Windows domain login

Hi

I needed some pointers/links/tips from you folks on a problem.

I have a web-based application. Is it possible to sign in a user into
the browser based application transparently based on the windows NT
domain login. By this I mean that when the user opens the browser and
types in the URL, the client machine should automatically send the user
credentials to the application. FYI, the windows domain login is
authenticated against Microsoft Active Directory.

If this is possible, can anyone point me to some sites/tutorials? I have
googled but have not come up with anything useful, hence this mail.

Are there any known vulnerabilites with this kind of approach for web
based logins?

Any help would be appreciated.

Thanks
Steve

MASTEK
"Making a valuable difference"
Mastek in NASSCOM's 'India Top 20' Software Service Exporters List.
In the US, we're called MAJESCO

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Opinions expressed in this e-mail are those of the individual and not that of Mastek Limited, unless specifically indicated to that effect. Mastek Limited does not accept any responsibility or liability for it. This e-mail and attachments (if any) transmitted with it are confidential and/or privileged and solely for the use of the intended person or entity to which it is addressed. Any review, re-transmission, dissemination or other use of or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. This e-mail and its attachments have been scanned for the presence of computer viruses. It is the responsibility of the recipient to run the virus check on e-mails and attachments before opening them. If you have received this e-mail in error, kindly delete this e-mail from all computers.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Received on Apr 08 2004

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]