IIS security

rr236

IS-IT--Management
Oct 23, 2000
37
GB
I have a website that uses an ACL (access control list) to ensure only my group have access to the documents contained in the directory.

Obviously I don't want the user name and passwords to be sent in the clear across the internet, so I set up the authentication to be challenge response.

As expected, MS IE sends your username and password automatically if you are logged onto an NT network. However, if your username and password don't match what is expected, IIS doesn't challenge you, and therefore you don't get a chance to enter a username and password.
All you get is HTTP Error 401.
401.2 Unauthorized: Logon Failed due to server configuration

This error indicates that the credentials passed to the server do not match the credentials required to log on to the server. This is usually caused by not sending the proper header field.

Please contact the Web server's administrator to verify that you have permission to access to requested resource.

I came across the problem after trying to view the site from a colleague's desk.

Does anybody have any idea what server configuration is required to ensure that users at least get one attempt to enter a username and password? Everyone here is using IE5.0, and having just rolled that out there's zero chance of upgrading to 5.5 (assuming it's a bug in IE, which I doubt).

Thanking you in advance.
 
Just figured out what the problem is.

This type of security is not supported if the user is accessing your site via a proxy server, which basically means that you have to send your passwords in the clear (as just about everybody in a business environment is using a proxy server; by the way, this method of security doesn't work if you're using a firewall) unless you want to encrypt via a web server using SSL. The only problem with this is getting people to use https rather than http.

What a pain....
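The situation described in the thread can be checked from a captured 401 response. The following is an added example, not part of the original posts: it classifies a response by the authentication schemes it offers, flagging a challenge-response-only site reached through a proxy and Basic credentials offered without SSL. The finding names and sample responses are constructed, and it assumes the proxy announces itself with a `Via` header.

```python
# Added example: classify a captured HTTP 401 response by the authentication
# schemes it offers. Finding names and sample responses are constructed.

def parse_headers(raw):
    """Return (status_code, [(lowercased_name, value), ...]) from a response head."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def diagnose(raw, url_scheme):
    """Return a sorted list of finding codes for one response."""
    status, headers = parse_headers(raw)
    if status != 401:
        return []
    # The scheme is the first token of each WWW-Authenticate value.
    offered = {v.split()[0].lower() for n, v in headers
               if n == "www-authenticate" and v}
    # Assumption: a proxy on the path adds a Via header (not all do).
    via_proxy = any(n == "via" for n, _ in headers)
    findings = set()
    if offered and offered <= {"ntlm", "negotiate"}:
        findings.add("challenge-response-only")  # no scheme that prompts via proxy
        if via_proxy:
            findings.add("ntlm-through-proxy")   # the case reported in the thread
    if "basic" in offered and url_scheme != "https":
        findings.add("basic-over-cleartext")     # password readable on the wire
    return sorted(findings)

# Constructed sample: challenge-response-only site reached through a proxy.
NTLM_VIA_PROXY = """HTTP/1.1 401 Access Denied
WWW-Authenticate: NTLM
Via: 1.0 proxy.example.test
Content-Length: 0
"""

# Constructed sample: site offering Basic authentication.
BASIC = """HTTP/1.1 401 Access Denied
WWW-Authenticate: Basic realm="docs"
"""

if __name__ == "__main__":
    for raw, scheme in ((NTLM_VIA_PROXY, "http"), (BASIC, "http"), (BASIC, "https")):
        print(scheme, diagnose(raw, scheme))
```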
 