Windows credentials being cached by user

  • Question

  • User190400790 posted

    Hi there,

    I'm hosting a form on IIS that requires Windows authentication to log in. This works completely fine; however, when the user logs in for the first time, their device caches their credentials so that when they next load the page they're taken straight to the form and they do not have to log in again. Since my form gives the user access to certain confidential data, I want to make sure the user has to log in on every page load.

    The only way currently I've been able to make the form request credentials again is by clearing the cache manually on the device itself.

    Is there any way to prevent credential caching or making the user log in every time via IIS?

    Headers like cache-control do nothing because these are loaded after the user logs in and credentials are cached. (identity impersonate is already set to false)

    Thanks, Alex.

    Friday, September 11, 2020 2:00 PM

All replies

  • User-848649084 posted

    Hi,

    Windows by default is set up to use automatic logins. All the Chromium-based browsers use this setting to automatically try to authenticate the current Windows user when an NTLM or Negotiate 401 request is received, logging you in with your current Windows or AD account.

    You can change this behavior and explicitly force Windows to always authenticate instead by using the Internet Settings from the taskbar, then digging into the Local Intranet → Custom Level. At the bottom of the list you'll find an option to specify how Windows logins are handled:

    Monday, September 14, 2020 5:45 AM
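
The Local Intranet → Custom Level logon option described in the reply above is stored per user in the registry as URL action `1A00` under each security zone. The PowerShell below is an added example, not code from the thread: it reports the logon mode for every zone and can switch the Local intranet zone to always prompt. The function names are hypothetical, and it applies only to Windows clients whose browsers honour Internet Options.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Per-user zone settings; zone 1 is "Local intranet".
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

$zoneNames = @{
    0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
    3 = 'Internet';    4 = 'Restricted sites'
}

# Meaning of the 1A00 ("Logon") DWORD value.
$logonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

function Get-ZoneLogonPolicy {
    foreach ($zone in 0..4) {
        $value = (Get-ItemProperty -Path "$zonesKey\$zone" -Name '1A00' `
                    -ErrorAction SilentlyContinue).'1A00'
        [pscustomobject]@{
            Zone  = $zone
            Name  = $zoneNames[$zone]
            Logon = if ($null -eq $value) {
                        'Not set for this user (default applies)'
                    } elseif ($logonModes.ContainsKey([int]$value)) {
                        $logonModes[[int]$value]
                    } else {
                        'Unknown (0x{0:X})' -f $value
                    }
        }
    }
}

function Set-IntranetLogonPrompt {
    # Equivalent to choosing "Prompt for user name and password" in
    # Local Intranet > Custom Level. Settings pushed by Group Policy
    # take precedence over this per-user value.
    Set-ItemProperty -Path "$zonesKey\1" -Name '1A00' -Value 0x10000 -Type DWord
}

Get-ZoneLogonPolicy | Format-Table -AutoSize
```
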
  • User190400790 posted

    Hi Jalpa,

    Thanks for the reply. It was my mistake for not pointing out what device this application will be used on. It will be mostly used on mobile devices (with the majority being iPhones). Is there any way to do this for Safari / not using local intranet? The form will be accessible from outside our local network.

    Monday, September 14, 2020 8:35 AM
  • User-848649084 posted

    Hi,

    First, check whether Windows authentication is working on iOS or not. You could use the IIS HTTP response header to clear the client cache.

    https://docs.microsoft.com/en-us/iis/configuration/system.webserver/staticcontent/clientcache

    Wednesday, September 16, 2020 9:06 AM
  • User190400790 posted

    Hi Jalpa,

    Yep, Windows authentication is working fine on iOS. There is a prompt for username and password, which then takes the user to the site when a correct domain login is entered.

    Unfortunately setting "Expire Web content" causes an infinite load loop to occur on the form.

    Also trying to set clientCache in web.config just produces a 500 error.

    Wednesday, September 16, 2020 8:25 PM