I have an Intranet site hosted internally on my local LAN. I have translated a public IP to it via my PIX Firewall and opened ports 443 and 80 to that internal web server.
Currently, the site is set up something like this:
Windows 2003 Web Edition
IIS Settings
Website (Anonymous Access to root, including default.htm page, no SSL)
- Default.htm (redirects to the virtual directory below)
- Website Virtual Directory (SSL required, Basic Authentication required only, contains the website files)
So basically, everyone has access to the default.htm file which redirects to the SSL’ed and authentication secure sub virtual directory. The authentication being used is from our LDAP (AD Windows 2003).
I have a feeling that the password being used during authentication can be easily compromised since we are using basic authentication.
Question 1: is the authentication for the Virtual Directory being sent in clear text first, then redirecting to the SSL site, or is the authentication taking advantage of the SSL security?
I know what some of you might be thinking: Why don’t you beef up your authentication security method. Well I tried that.
I tried Integrated Windows Authentication, but I was not prompted for security credentials, and got a “Page could not be displayed” error.
I tried “Digest Authentication”, which prompted me for a username and password. I tried username and password only, username@domain.local and password, and domain\username but it would not take my credentials.
Basic authentication prompts me for credentials and works fine.
The machine I am authenticating from is a part of the domain. When trying to authenticate, I connect to a generic DSL line that is not connected to our domain.
Any thoughts on my problems?
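The following is an added example (not code from the original post) that works through the point behind Question 1. Basic authentication only base64-encodes the password, so the only protection it gets is the transport; whether that transport is SSL depends on which response the client receives at each step of the redirect-then-authenticate flow. The script classifies request/response pairs by whether a Basic challenge or a Basic credential crossed the wire over plain http, decodes a Basic header to show how little the encoding hides, and includes a probe() helper for fetching the first response of a URL without following redirects so the real server can be checked. The hostname intranet.example.com, the /secure/ path, the realm name, the user/password, and all sample exchanges are constructed for illustration; which of the two "direct http" cases a given IIS configuration actually produces is exactly what the probe is for, and the example does not assume an answer.

```python
"""Audit where HTTP Basic credentials travel in a redirect-then-authenticate setup.

Added example, not from the original post. Hostnames, paths, realm, credentials
and the sample exchanges below are constructed for illustration.
"""
import base64
import http.client
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Exchange:
    """One request/response pair as seen on the wire."""
    scheme: str                       # "http" or "https": the transport actually used
    path: str
    status: int
    request_headers: dict = field(default_factory=dict)
    response_headers: dict = field(default_factory=dict)


def decode_basic(authorization: str):
    """Return (user, password) from an 'Authorization: Basic <b64>' header.
    Base64 is an encoding, not encryption: whoever sees the header has the password."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


REDIRECTS = (301, 302, 303, 307, 308)


def audit(ex: Exchange) -> str:
    """Classify a single exchange by whether a Basic challenge or Basic
    credentials crossed the wire without TLS."""
    req = {k.lower(): v for k, v in ex.request_headers.items()}
    resp = {k.lower(): v for k, v in ex.response_headers.items()}
    auth = req.get("authorization", "")
    challenge = resp.get("www-authenticate", "")
    if ex.scheme == "http":
        if auth.lower().startswith("basic "):
            return "CLEARTEXT-CREDENTIALS"      # password readable by anyone on the path
        if ex.status == 401 and "basic" in challenge.lower():
            return "CLEARTEXT-CHALLENGE"        # a browser will answer this over plain http
        if ex.status in REDIRECTS and resp.get("location", "").lower().startswith("https://"):
            return "REDIRECT-TO-TLS"            # nothing sensitive yet; client moves to https
        return "NO-CREDENTIALS"
    if ex.status == 401 and "basic" in challenge.lower():
        return "TLS-CHALLENGE"
    if auth.lower().startswith("basic "):
        return "TLS-CREDENTIALS"
    return "NO-CREDENTIALS"


def flow_is_safe(exchanges) -> bool:
    """True only if no step exposes a challenge or credentials over plain http."""
    return not any(audit(e).startswith("CLEARTEXT") for e in exchanges)


def probe(url: str, timeout: float = 5.0) -> Exchange:
    """Fetch one URL with no credentials and without following redirects, so the
    server's first answer (redirect, SSL-required error or 401 challenge) can be
    audited. Uses the default TLS context; verify certificates for real use."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"Host": parts.netloc})
        r = conn.getresponse()
        return Exchange(parts.scheme, parts.path or "/", r.status, {}, dict(r.getheaders()))
    finally:
        conn.close()


# Constructed sample data for the hypothetical host intranet.example.com.
SAMPLE_AUTH = "Basic " + base64.b64encode(b"domain\\user:P@ssw0rd").decode("ascii")

INTENDED_FLOW = [
    # 1. anonymous hit on the root; default.htm redirects to the SSL directory
    Exchange("http", "/", 302, {}, {"Location": "https://intranet.example.com/secure/"}),
    # 2. first request to the SSL directory is challenged, over TLS
    Exchange("https", "/secure/", 401, {}, {"WWW-Authenticate": 'Basic realm="intranet"'}),
    # 3. browser resends with credentials, still over TLS
    Exchange("https", "/secure/", 200, {"Authorization": SAMPLE_AUTH}, {}),
]

# Two possible answers to a user typing the http:// URL of the directory directly.
DIRECT_HTTP_CHALLENGED = Exchange("http", "/secure/", 401, {}, {"WWW-Authenticate": 'Basic realm="intranet"'})
DIRECT_HTTP_REFUSED = Exchange("http", "/secure/", 403, {}, {})   # refused before any challenge


if __name__ == "__main__":
    for e in INTENDED_FLOW + [DIRECT_HTTP_CHALLENGED, DIRECT_HTTP_REFUSED]:
        print(f"{e.scheme}://intranet.example.com{e.path}  {e.status}  -> {audit(e)}")
    print("decoded header:", decode_basic(SAMPLE_AUTH))
```

Running the script on the constructed data shows the intended flow never sends a challenge or a credential outside TLS; the only exposure is the direct-http case, and only if the server challenges instead of refusing. To check a real server, call probe("http://your-host/your-virtual-directory/") and pass the result to audit(): CLEARTEXT-CHALLENGE means a user who bypasses the redirect will hand the password over in the clear, NO-CREDENTIALS with a 403 means the SSL requirement was enforced first.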