1

We have a few intranet applications currently using Integrated Windows Authentication in IIS 6.0 that we are considering making available externally (employees would be able to log in from home on the internet). Just to be clear, this means that in the Directory Security dialog, the Integrated Windows Authentication box is checked and all other checkboxes are unchecked.

We want to keep the Active Directory tie-in for username and password, so I've been doing some research about which direction to move. After reading quite a bit about Windows authentication, some things still aren't clear to me.

Here are the questions I have:

  1. If I move the existing application as-is to a public site, will the integrated authentication still work from home?

  2. If it does work, is the password still secure? I was thinking the answer is yes, but I don't know exactly how this would work if I used Firefox on my Mac at home to log in, etc. Would SSL be recommended?

  3. Even if it does work, should we really be using integrated authentication on a public site? I can make this happen but it's extra code and we would lose the automatic sign-in for employees using the site at work.

Shea Daniels

1 Answer

3
  1. No. If I understand you correctly, the computers at home are not logged in to the domain. So Integrated authentication won't work. I think that in this scenario IIS falls back to basic authentication.
  2. No. If IIS falls back to basic authentication then it's not secure. You have to use SSL to make it secure.
  3. You can use basic authentication on the internet with SSL. And still use integrated authentication on the LAN. You won't lose the automatic sign-in.
Igal Serban
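An added example, not part of the original question or answer: a small Python check that reads the `WWW-Authenticate` challenges from a site's 401 response, reports whether Basic and/or Integrated (Negotiate/NTLM) authentication is offered, and flags Basic offered without SSL, where the password is only base64-encoded. The host name, account and password are constructed sample values, and the function names are hypothetical.

```python
import base64

# Negotiate and NTLM are the challenges behind "Integrated Windows Authentication".
INTEGRATED = {"negotiate", "ntlm"}

# Constructed sample data (not from the page): 401 challenges and one Basic credential.
SAMPLE_CHALLENGES = ["Negotiate", "NTLM", 'Basic realm="intranet.example.com"']
SAMPLE_AUTHZ = "Basic " + base64.b64encode(b"CORP\\jdoe:Winter2009!").decode("ascii")


def offered_schemes(challenges):
    """Lowercase scheme names from WWW-Authenticate values (assumes one challenge per header)."""
    return [c.split(None, 1)[0].lower() for c in challenges if c.strip()]


def decode_basic(authorization_value):
    """Recover (user, password) from a Basic Authorization header.

    Basic is base64 of "user:password", an encoding and not encryption, so anyone
    who can read the request on a plain-HTTP connection can do exactly this.
    """
    scheme, _, token = authorization_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token.strip()).decode("utf-8")
    user, _, password = raw.partition(":")
    return user, password


def assess(url, challenges):
    """Classify how credentials would travel for this URL and set of challenges."""
    schemes = set(offered_schemes(challenges))
    over_tls = url.lower().startswith("https://")
    findings = []
    if "basic" in schemes:
        # Basic is only acceptable when the whole exchange is inside SSL/TLS.
        findings.append("basic-over-tls" if over_tls else "basic-cleartext")
    if schemes & INTEGRATED:
        findings.append("integrated-offered")
    if not schemes:
        findings.append("no-challenge")
    return findings


if __name__ == "__main__":
    for url in ("http://intranet.example.com/app", "https://intranet.example.com/app"):
        print(url, assess(url, SAMPLE_CHALLENGES))
    print("Recovered from Basic header:", decode_basic(SAMPLE_AUTHZ))
```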