
With the Windows Security authentication mechanism active, there are cases where the user-login popup comes up. Are this username and password sent encrypted, or are they sent as plain text, as the Basic auth protocol does?

I wrote a more detailed question here:

http://forums.iis.net/t/1226390.aspx?Security+behind+Windows+Security+Integration

because this site was not working before.

If I understood the following answer correctly:

How secure is Integrated Windows Authentication for IIS SMTP?

It depends on the protocol that makes the request, but I doubt whether the protocol set in the address bar (http | https) is taken into account when the header ("WWW-Authentication") is requested. Since that answer was for SMTP, I still have the doubt for HTTP.

Could anybody confirm how secure it is, please? Thanks in advance for your time.

manou

1 Answer

If you have Windows Authentication on IIS you are effectively allowing the following protocols:

  • NTLM
  • Kerberos
  • Negotiate - which automatically chooses one of the above to use.

If it is your internet users that are getting the prompt, it is most likely that they will not authenticate with Kerberos unless you have internet-facing authentication and ticket-granting servers. Therefore the response derived from the NTLM hash will be sent over the wire as cleartext. This does not expose the password itself, though, but the challenge/response can be sniffed. It would also be possible to intercept and/or modify the session whilst in transit.

To secure this you should implement SSL/TLS so that your server encrypts the connection - it will have an HTTPS URL. This will prevent any eavesdroppers or Man-In-The-Middle intercepts of the connection and authentication data.

SilverlightFox