WebApp Sec: Re: get network user name

Re: get network user name

From: Josh <its.josh_at_verizon.net>
Date: Thu, 09 Mar 2006 22:36:00 -0500

Correct. I left out the detailed information as it may not be relevant
to the original poster's environment.
But to clear things up, yes, I did assume there would be authentication
via NTLM or some other method. As of IE 6, the default behavior is to
attempt to log in with the current user's credentials when challenged
(provided the client and server are in the same domain). The only other
browser I've tested was Firefox, which requires the user to manually log
in. IIS would have to be configured to not allow anonymous access and
use integrated Windows authentication (or digest, but I haven't tested
that). .NET then has methods for easily accessing the user name.

Adam Tuliper wrote:
> One thing to note is unless authentication is enabled on the webserver
> you won't get this information.
> I'm going on the assumption that Josh didn't make note that there would
> be authentication, sounded like it's already a trusted internal
> environment. If the server doesn't prompt the client for
> authentication, this information won't be sent in the request headers.
> I believe IE will first send the current logged on user name when
> prompted by the webserver (although I seem to recall this behavior was
> changed because of a MITM attack that you can do with the NTLM
> challenge/response but I could be wrong). If you aren't going to
> actually use the information for any actual authentication you would
> need to write an ISAPI filter (IIS assuming) etc. to prompt the
> client, and discard the result and then allow access.

Received on Mar 09 2006
