Last post Aug 18, 2011 08:26 AM by gww
Oct 29, 2003 09:49 AM|ds1bearcat|LINK
Oct 29, 2003 04:34 PM|dunnry|LINK
Oct 30, 2003 04:48 PM|ds1bearcat|LINK
Oct 31, 2003 10:38 AM|dunnry|LINK
Aug 16, 2011 11:43 PM|zanigh|LINK
Hi Dunny, hope you can still get this message well. Anyway, I have a similar issue here. We have an IIS website with Windows Authentication and with Anonymous Login disabled. Then we have a monitoring software which is like a service and it is trying to ping the website to monitor the web availability. The service itself is logged on through an account which is an authorized user of the website; however, the monitoring process that this service created does not seem to be able to pass the Windows authentication because it is basically trying to pass in strings/codes/GET queries, and causing the response code to be 401. If we enable anonymous login, it will work fine and the response code will be 200. However, best practice is that we should NOT enable anonymous login.
So is there a way I can work around this to allow the service to authenticate itself to the website?
Aug 18, 2011 08:26 AM|gww|LINK
Just to be certain I understand, what you are saying is that there is no way possible to use querystring parameters to log in to the domain? So, in the following example: Page 1 (forms authentication) --- Page 2 (windows authentication). If we have them log in to Page 1, there is no means for us to pass in their login information to Page 2. Is this correct? Thanks!
With Windows Authentication there is no need to pass any credentials since it will pull the token from the client machine and authorize the person logged on to access the site (depending on any custom security settings you have). A user on your network accessing a site on your network set up with Windows Authentication should see a seamless login.
If you use forms authentication on the first page and the user provides their network user name and password you could pass that information in a query string if you wanted to and then use impersonation on the second page. But that information would need to be a user with an account in Active Directory. I can see only doing this if you want other people to log into the site on a computer they did not log into or if this 3rd party site is off your network. And if this 3rd party site is off your network you wouldn't want people storing their network user name and password on there anyway. And passing login information through a query string has security issues.
Best bet if the 3rd party site is off your network is to look up some sort of single sign-on solution.
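Added example, not part of the thread: one concrete reason query-string logins are a problem is that IIS writes the query string to its W3C request log, so the credentials end up on disk. The sketch below audits such a log for credential-like parameter names; the sample log lines, the parameter-name list and the function name are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Parameter names treated as credential-bearing (an assumption; tune per application).
SENSITIVE = re.compile(r"^(pass(word|wd)?|pwd|user(name)?|login|token)$", re.I)

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2011-08-18 08:26:01 GET /page2.aspx user=CONTOSO%5Cjdoe&password=Example123 - 10.0.0.5 200
2011-08-18 08:26:07 GET /page2.aspx id=42 CONTOSO\\jdoe 10.0.0.5 200
2011-08-18 08:27:30 GET /health.aspx - - 10.0.0.9 401
"""

def find_credential_queries(log_text):
    """Return one finding per request whose query string has credential-like parameters."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names apply to the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        query = row.get("cs-uri-query", "-")
        if query == "-":  # IIS logs "-" for an empty field
            continue
        hits = sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                       if SENSITIVE.match(k)})
        if hits:
            findings.append({
                "when": f'{row.get("date")} {row.get("time")}',
                "client": row.get("c-ip"),
                "path": row.get("cs-uri-stem"),
                "params": hits,  # names only; values are never copied out
            })
    return findings

if __name__ == "__main__":
    for finding in find_credential_queries(SAMPLE_LOG):
        print(finding)
```
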