Internet user being prompted for authentication

A few days back I got an interesting case. The customer had a site (https://www.site1.com) deployed in the DOMAIN1 domain with both Integrated and Basic authentication enabled in IIS. When a user browses the site from the Internet and doesn't prefix the username with DOMAIN1, the user isn't authenticated and the login prompt pops up again, this time with site1.com prefixed to the username. The customer wanted DOMAIN1 to be supplied automatically in such cases, so that authentication succeeds even if the user types only his/her username in the login prompt.


This is an application used by employees from both the Internet and the intranet. The customer didn't want to uncheck Integrated authentication, since he didn't want intranet users to have to log in to the application; however, he wanted Internet users to be prompted for their username and password. I felt that the customer's requirement was very legitimate.


However, when both Integrated and Basic authentication are enabled on the application, the browser determines which method is used. This is by design, as described in the following KB article:

https://support.microsoft.com/?id=264921

Excerpts from the section – “Orders of precedence”

If both Basic and Windows Integrated are supported, the browser determines which method is used. If the browser supports Kerberos or Windows NT Challenge/Response, it uses this method. It does not fall back to Basic. If Windows NT Challenge/Response and Kerberos are not supported, the browser uses Basic, Digest, or Fortezza if it supports these. The order of precedence here is Basic, Digest, and then Fortezza.

Hence the authentication never falls back to Basic: the browser supports Integrated authentication, Kerberos typically fails for an Internet client that cannot reach a domain controller to obtain a ticket, and the prompt we are seeing is therefore the NTLM prompt. The DEFAULT DOMAIN and REALM properties apply only to Basic authentication, so they have no effect in this scenario, since the authentication never falls back to Basic.

https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/f85f0f16-4fea-4852-980c-4982d53c9948.mspx?mfr=true

Possible workarounds:

==================

1. We might have two websites referring to the same content (one used by Internet users with only Basic authentication enabled, the other by internal/intranet users with Integrated authentication enabled).

2. We can redirect the user to a custom page whenever there is an authentication failure and provide the instructions to the users to use the username as domain\user.

3. We could also have a home page before the login page that can use anonymous auth and displays instructions to use username as domain\user. However I am a little skeptical about this solution!

4. We can write a custom ISAPI filter that handles the SF_NOTIFY_PREPROC_HEADERS notification and rewrites the request headers before IIS authenticates the request; on IIS 7 a native or managed HTTP module can do the same.
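The order of precedence quoted above and workaround 1, as an added example that is not part of the original post: a small Python model that parses the WWW-Authenticate challenges in a 401 response and applies the KB's rule to show which scheme a browser picks, and whether a bare username gets the Basic DEFAULT DOMAIN. The two 401 responses are constructed (capture real ones with a network trace or a proxy such as Fiddler); the DOMAIN1 default domain, the user name alice and all function names are assumptions of mine.

```python
"""Browser-side scheme selection per KB 264921 (added example, not the post's code)."""
import re

# Precedence from the KB excerpt: if the browser supports Integrated
# (Negotiate/NTLM) it uses it and never falls back to Basic; otherwise
# Basic, then Digest, then Fortezza.
INTEGRATED = ("negotiate", "ntlm")
FALLBACK_ORDER = ("basic", "digest", "fortezza")

# Constructed 401 from the customer's site: Integrated and Basic both enabled.
BOTH_ENABLED = """HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="www.site1.com"
Content-Length: 0
"""

# Constructed 401 from a second site for Internet users (workaround 1):
# Integrated unchecked, Basic only.
BASIC_ONLY = """HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="www.site1.com"
Content-Length: 0
"""


def _params(text):
    """Parse key="value" parameters such as realm="www.site1.com"."""
    return dict(re.findall(r'(\w+)="([^"]*)"', text))


def challenges(raw_response):
    """Return [(scheme, params)] for every WWW-Authenticate header offered."""
    offered = []
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            scheme, _, params = value.strip().partition(" ")
            offered.append((scheme.lower(), _params(params)))
    return offered


def pick_scheme(offered, browser_supports_integrated=True):
    """Scheme the browser chooses, following the KB's order of precedence."""
    schemes = [scheme for scheme, _ in offered]
    if browser_supports_integrated:
        for scheme in INTEGRATED:
            if scheme in schemes:
                return scheme  # chosen outright; no fall-back to Basic
    for scheme in FALLBACK_ORDER:
        if scheme in schemes:
            return scheme
    return None


def effective_logon_name(username, scheme, default_domain=None):
    """Name IIS authenticates: DEFAULT DOMAIN is prepended to a bare
    username only when the scheme actually used is Basic."""
    if "\\" in username or "@" in username:
        return username  # already qualified by the user
    if scheme == "basic" and default_domain:
        return f"{default_domain}\\{username}"
    return username  # Integrated: the Basic default domain never applies


def diagnose(raw_response, username, default_domain="DOMAIN1"):
    """Which scheme a browser with Integrated support ends up on, and the
    logon name that results for the given (possibly bare) username."""
    scheme = pick_scheme(challenges(raw_response))
    return scheme, effective_logon_name(username, scheme, default_domain)


if __name__ == "__main__":
    # Customer's site: Integrated wins, bare username stays bare.
    print(diagnose(BOTH_ENABLED, "alice"))   # ('negotiate', 'alice')
    # Internet-only site from workaround 1: Basic, default domain applied.
    print(diagnose(BASIC_ONLY, "alice"))     # ('basic', 'DOMAIN1\\alice')
```

To check a real deployment, capture the server's 401 response and feed its text to diagnose(); if Negotiate or NTLM appears among the challenges, no Basic-only setting on the server will change what an Integrated-capable browser does.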


If I have missed something, please leave me a comment.