Windows authentication is not challenging browsers out of the domain

  • Question

  • User1174547675 posted

    I have a web application that allows anonymous access and Windows authentication.

    Basically, the app tries to auto-login users by Windows authentication if the Windows user is in a user list in the application; otherwise it shows the login screen. If no credential is provided, the app then shows a login screen where the user could log in using an application-internal user.

    As far as I know, Windows Authentication is a challenging protocol, so I have to return an Unauthorized in order to force the browser to send the credentials.

    It works great when the machines are inside my domain.

    Machine in my domain where the user is in the list:

    • browser issues request with no credentials.
    • web app custom authorize filter rejects the connection (challenge).
    • browser reissues the request with the Windows credentials.
    • web app authenticates that Windows user and allows it to get in.

    Machine in my domain where the user is not in the allowed list:

    • browser issues request with no credentials.
    • web app custom authorize filter rejects the connection (challenge).
    • browser reissues the request with the Windows credentials.
    • web app fails to authenticate the request and redirects to the login screen.

    Now comes the problem.

    Machine out of my domain where the user is not in the allowed list:

    • browser issues request with no credentials.
    • web app custom authorize filter rejects the connection (challenge).
    • browser shows a Windows login screen, and it doesn't reissue the request.

    Why is the request not reissued when the server is returning Unauthorized?

    If I close the auth dialog and refresh the browser, then the app redirects to the login page.

    Regards.

    Tuesday, September 6, 2011 6:19 AM

Answers

  • User1174547675 posted

    The browser only sends the credentials if the server is in the same domain.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, October 3, 2011 10:40 AM
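
The scenarios from the question, modelled as an added example (not the poster's code): a filter that challenges an anonymous request once and then falls back to the login screen. The user list, the cookie name and the `/login` path are assumptions, and the cookie is only one possible way to get the redirect-on-refresh behaviour the post describes.

```python
# Added illustration, not the poster's code. All names are hypothetical.
ALLOWED_USERS = {"CORP\\alice"}        # constructed application user list
MARKER = "winauth_tried"               # hypothetical cookie: challenge already sent
LOGIN = [("Location", "/login")]       # hypothetical login screen URL


def decide(windows_user, cookies):
    """Server side: return (status, headers) for one request.

    windows_user is the identity the web server established from the
    Negotiate/NTLM handshake, or None if the request carried no credentials.
    """
    if windows_user is not None:
        # Credentials arrived: auto-login only if the user is on the list.
        return (200, []) if windows_user in ALLOWED_USERS else (302, LOGIN)
    if MARKER in cookies:
        # Challenged before and still anonymous: stop challenging.
        return 302, LOGIN
    return 401, [("WWW-Authenticate", "Negotiate"),
                 ("WWW-Authenticate", "NTLM"),
                 ("Set-Cookie", MARKER + "=1; Path=/; HttpOnly")]


def simulate(auto_user, refresh=False):
    """Client side: replay the exchange and return the statuses seen.

    auto_user is the account the browser sends silently after a 401, or None
    when it shows a credential dialog instead (the dialog is cancelled here).
    refresh=True adds the manual reload after the cancelled dialog.
    """
    cookies, seen = set(), []
    status, headers = decide(None, cookies)          # first request, anonymous
    seen.append(status)
    if any(name == "Set-Cookie" for name, _ in headers):
        cookies.add(MARKER)
    if status == 401 and auto_user is not None:
        seen.append(decide(auto_user, cookies)[0])   # silent re-issue
    elif status == 401 and refresh:
        seen.append(decide(None, cookies)[0])        # user reloads the page
    return seen
```

`simulate(None)` stops at the single 401, which is the point where the browser in the third scenario shows its credential dialog instead of re-issuing the request.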