Jump to content

Recommended Posts

Guest ThatsIT.net.au
Posted

I am currently setting up a intranet that will not be available from outside

the network, also a extranet that will be available from outside the

network.

The extranet has basic authentication and SSL. it passes though a ISA 2000

firewall and for various reasons we need to use basic authentication, but as

it is over SSL it is encrypted so it does not matter that basic uses clear

text.

Certain pages that need to be accessed from outside I will put on the

extranet but I don't want to have to recreate these pages on the intranet

also so internal users will access these pages from the extranet.

All seems fine but one point. when internal users access the extranet they

are prompted to log in, even though their browsers are set to log in

automatically with current username and password. this is annoying to say

the least.

Is there any solution?

Is this normal for basic over SSL to prompt even when set to auto login in

IE?

any suggestions

Guest jwgoerlich@gmail.com
Posted

Re: Auto log in with basic authentication

 

There is no workaround. The automatic login option in IE works with

integrated authentication only. This is because basic authentication

exposes the password (at both the network and application layers).

Prompting the user is meant as an additional security precaution to

address this exposure.

 

Can you enable both integrated and basic authentication on this

intranet site?

 

Regards,

 

J Wolfgang Goerlich

 

On Jul 27, 11:07 am, "ThatsIT.net.au" <me@thatsit> wrote:

> I am currently setting up a intranet that will not be available from outside

> the network, also a extranet that will be available from outside the

> network.

> The extranet has basic authentication and SSL. it passes though a ISA 2000

> firewall and for various reasons we need to use basic authentication, but as

> it is over SSL it is encrypted so it does not matter that basic uses clear

> text.

> Certain pages that need to be accessed from outside I will put on the

> extranet but I don't want to have to recreate these pages on the intranet

> also so internal users will access these pages from the extranet.

> All seems fine but one point. when internal users access the extranet they

> are prompted to log in, even though their browsers are set to log in

> automatically with current username and password. this is annoying to say

> the least.

> Is there any solution?

> Is this normal for basic over SSL to prompt even when set to auto login in

> IE?

> any suggestions

Guest Scott McDaniel
Posted

Re: Auto log in with basic authentication

 

On Fri, 27 Jul 2007 23:07:58 +0800, "ThatsIT.net.au" <me@thatsit> wrote:

 

In addition to microsoft.public.inetserver.iis.security and microsoft.public.security, you've posted this message to the

"microsoft.public.access" newsgroup, which is devoted to security matters involving Microsoft Access, the database

product.The name of this group is somewhat misleading, however this group has nothing to do with the other two (which

are, apparently, relevant to your issue).

 

>I am currently setting up a intranet that will not be available from outside

>the network, also a extranet that will be available from outside the

>network.

>The extranet has basic authentication and SSL. it passes though a ISA 2000

>firewall and for various reasons we need to use basic authentication, but as

>it is over SSL it is encrypted so it does not matter that basic uses clear

>text.

>Certain pages that need to be accessed from outside I will put on the

>extranet but I don't want to have to recreate these pages on the intranet

>also so internal users will access these pages from the extranet.

>All seems fine but one point. when internal users access the extranet they

>are prompted to log in, even though their browsers are set to log in

>automatically with current username and password. this is annoying to say

>the least.

>Is there any solution?

>Is this normal for basic over SSL to prompt even when set to auto login in

>IE?

>any suggestions

>

 

Scott McDaniel

scott@takemeout_infotrakker.com

http://www.infotrakker.com

Guest ThatsIT.net.au
Posted

Re: Auto log in with basic authentication

 

 

"Scott McDaniel" <scott@NoSpam_Infotrakker.com> wrote in message

news:ol6ka3li7vdcua9qrn56n6ttoef7kkghhi@4ax.com...

> On Fri, 27 Jul 2007 23:07:58 +0800, "ThatsIT.net.au" <me@thatsit> wrote:

>

> In addition to microsoft.public.inetserver.iis.security and

> microsoft.public.security, you've posted this message to the

> "microsoft.public.access" newsgroup, which is devoted to security matters

> involving Microsoft Access, the database

> product.The name of this group is somewhat misleading, however this group

> has nothing to do with the other two (which

> are, apparently, relevant to your issue).

>

 

 

Sorry

 

>

>>I am currently setting up a intranet that will not be available from

>>outside

>>the network, also a extranet that will be available from outside the

>>network.

>>The extranet has basic authentication and SSL. it passes though a ISA 2000

>>firewall and for various reasons we need to use basic authentication, but

>>as

>>it is over SSL it is encrypted so it does not matter that basic uses clear

>>text.

>>Certain pages that need to be accessed from outside I will put on the

>>extranet but I don't want to have to recreate these pages on the intranet

>>also so internal users will access these pages from the extranet.

>>All seems fine but one point. when internal users access the extranet they

>>are prompted to log in, even though their browsers are set to log in

>>automatically with current username and password. this is annoying to say

>>the least.

>>Is there any solution?

>>Is this normal for basic over SSL to prompt even when set to auto login in

>>IE?

>>any suggestions

>>

>

> Scott McDaniel

> scott@takemeout_infotrakker.com

> http://www.infotrakker.com

Guest ThatsIT.net.au
Posted

Re: Auto log in with basic authentication

 

 

<jwgoerlich@gmail.com> wrote in message

news:1185550174.050237.219340@d30g2000prg.googlegroups.com...

> There is no workaround. The automatic login option in IE works with

> integrated authentication only. This is because basic authentication

> exposes the password (at both the network and application layers).

> Prompting the user is meant as an additional security precaution to

> address this exposure.

>

> Can you enable both integrated and basic authentication on this

> intranet site?

>

 

 

I think i did try that combination before, i will try again,

 

sorry just tried it seems to be working.

 

> Regards,

>

> J Wolfgang Goerlich

>

> On Jul 27, 11:07 am, "ThatsIT.net.au" <me@thatsit> wrote:

>> I am currently setting up a intranet that will not be available from

>> outside

>> the network, also a extranet that will be available from outside the

>> network.

>> The extranet has basic authentication and SSL. it passes though a ISA

>> 2000

>> firewall and for various reasons we need to use basic authentication, but

>> as

>> it is over SSL it is encrypted so it does not matter that basic uses

>> clear

>> text.

>> Certain pages that need to be accessed from outside I will put on the

>> extranet but I don't want to have to recreate these pages on the intranet

>> also so internal users will access these pages from the extranet.

>> All seems fine but one point. when internal users access the extranet

>> they

>> are prompted to log in, even though their browsers are set to log in

>> automatically with current username and password. this is annoying to say

>> the least.

>> Is there any solution?

>> Is this normal for basic over SSL to prompt even when set to auto login

>> in

>> IE?

>> any suggestions

>

>

Guest ThatsIT.net.au
Posted

Re: Auto log in with basic authentication

 

Actually I think I spoke too soon.

 

we have some laptops that need to connect though PC mobile phone cards. for

some reason I'm not sure they do not seem to want to connect to the web site

with intergraded security, I think this is what happened last time I choose

this configuration. I don't have one with me at the moment I would have to

wait till Monday to find out for sure.

 

This brings up another question. why wont the laptop's authenticate with

windows authentication when connecting with pc mobile phone cards?

 

"ThatsIT.net.au" <me@thatsit> wrote in message

news:OCj%23v$M0HHA.4184@TK2MSFTNGP06.phx.gbl...

>

> <jwgoerlich@gmail.com> wrote in message

> news:1185550174.050237.219340@d30g2000prg.googlegroups.com...

>> There is no workaround. The automatic login option in IE works with

>> integrated authentication only. This is because basic authentication

>> exposes the password (at both the network and application layers).

>> Prompting the user is meant as an additional security precaution to

>> address this exposure.

>>

>> Can you enable both integrated and basic authentication on this

>> intranet site?

>>

>

>

> I think i did try that combination before, i will try again,

>

> sorry just tried it seems to be working.

>

>

>> Regards,

>>

>> J Wolfgang Goerlich

>>

>> On Jul 27, 11:07 am, "ThatsIT.net.au" <me@thatsit> wrote:

>>> I am currently setting up a intranet that will not be available from

>>> outside

>>> the network, also a extranet that will be available from outside the

>>> network.

>>> The extranet has basic authentication and SSL. it passes though a ISA

>>> 2000

>>> firewall and for various reasons we need to use basic authentication,

>>> but as

>>> it is over SSL it is encrypted so it does not matter that basic uses

>>> clear

>>> text.

>>> Certain pages that need to be accessed from outside I will put on the

>>> extranet but I don't want to have to recreate these pages on the

>>> intranet

>>> also so internal users will access these pages from the extranet.

>>> All seems fine but one point. when internal users access the extranet

>>> they

>>> are prompted to log in, even though their browsers are set to log in

>>> automatically with current username and password. this is annoying to

>>> say

>>> the least.

>>> Is there any solution?

>>> Is this normal for basic over SSL to prompt even when set to auto login

>>> in

>>> IE?

>>> any suggestions

>>

>>

>

>

Guest Roger Abell [MVP]
Posted

Re: Auto log in with basic authentication

 

Remember that use of integrate authentication behind the scenes is

not just a matter of whether the website is configured to negotiate

its use. The browsing client (i.e. IE) must also be configured to

allow its use (in the Internet Options on the Advanced tab) and the

site must be recognized as one with which it will attempt is use

(usually that mean recognizing the site as being in the intranet

zone).

 

Roger

 

 

"ThatsIT.net.au" <me@thatsit> wrote in message

news:ehQotZN0HHA.1188@TK2MSFTNGP04.phx.gbl...

> Actually I think I spoke too soon.

>

> we have some laptops that need to connect though PC mobile phone cards.

> for some reason I'm not sure they do not seem to want to connect to the

> web site with intergraded security, I think this is what happened last

> time I choose this configuration. I don't have one with me at the moment I

> would have to wait till Monday to find out for sure.

>

> This brings up another question. why wont the laptop's authenticate with

> windows authentication when connecting with pc mobile phone cards?

>

> "ThatsIT.net.au" <me@thatsit> wrote in message

> news:OCj%23v$M0HHA.4184@TK2MSFTNGP06.phx.gbl...

>>

>> <jwgoerlich@gmail.com> wrote in message

>> news:1185550174.050237.219340@d30g2000prg.googlegroups.com...

>>> There is no workaround. The automatic login option in IE works with

>>> integrated authentication only. This is because basic authentication

>>> exposes the password (at both the network and application layers).

>>> Prompting the user is meant as an additional security precaution to

>>> address this exposure.

>>>

>>> Can you enable both integrated and basic authentication on this

>>> intranet site?

>>>

>>

>>

>> I think i did try that combination before, i will try again,

>>

>> sorry just tried it seems to be working.

>>

>>

>>> Regards,

>>>

>>> J Wolfgang Goerlich

>>>

>>> On Jul 27, 11:07 am, "ThatsIT.net.au" <me@thatsit> wrote:

>>>> I am currently setting up a intranet that will not be available from

>>>> outside

>>>> the network, also a extranet that will be available from outside the

>>>> network.

>>>> The extranet has basic authentication and SSL. it passes though a ISA

>>>> 2000

>>>> firewall and for various reasons we need to use basic authentication,

>>>> but as

>>>> it is over SSL it is encrypted so it does not matter that basic uses

>>>> clear

>>>> text.

>>>> Certain pages that need to be accessed from outside I will put on the

>>>> extranet but I don't want to have to recreate these pages on the

>>>> intranet

>>>> also so internal users will access these pages from the extranet.

>>>> All seems fine but one point. when internal users access the extranet

>>>> they

>>>> are prompted to log in, even though their browsers are set to log in

>>>> automatically with current username and password. this is annoying to

>>>> say

>>>> the least.

>>>> Is there any solution?

>>>> Is this normal for basic over SSL to prompt even when set to auto login

>>>> in

>>>> IE?

>>>> any suggestions

>>>

>>>

>>

>>

>

>

Guest ThatsIT.net.au
Posted

Re: Auto log in with basic authentication

 

I will check this out on Monday.

 

But I can authenticate using LAN cable, but not though card.

 

ill get back to you on Monday if you are still around

 

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

news:ecbQq5N0HHA.4652@TK2MSFTNGP05.phx.gbl...

> Remember that use of integrate authentication behind the scenes is

> not just a matter of whether the website is configured to negotiate

> its use. The browsing client (i.e. IE) must also be configured to

> allow its use (in the Internet Options on the Advanced tab) and the

> site must be recognized as one with which it will attempt is use

> (usually that mean recognizing the site as being in the intranet

> zone).

>

> Roger

>

>

> "ThatsIT.net.au" <me@thatsit> wrote in message

> news:ehQotZN0HHA.1188@TK2MSFTNGP04.phx.gbl...

>> Actually I think I spoke too soon.

>>

>> we have some laptops that need to connect though PC mobile phone cards.

>> for some reason I'm not sure they do not seem to want to connect to the

>> web site with intergraded security, I think this is what happened last

>> time I choose this configuration. I don't have one with me at the moment

>> I would have to wait till Monday to find out for sure.

>>

>> This brings up another question. why wont the laptop's authenticate with

>> windows authentication when connecting with pc mobile phone cards?

>>

>> "ThatsIT.net.au" <me@thatsit> wrote in message

>> news:OCj%23v$M0HHA.4184@TK2MSFTNGP06.phx.gbl...

>>>

>>> <jwgoerlich@gmail.com> wrote in message

>>> news:1185550174.050237.219340@d30g2000prg.googlegroups.com...

>>>> There is no workaround. The automatic login option in IE works with

>>>> integrated authentication only. This is because basic authentication

>>>> exposes the password (at both the network and application layers).

>>>> Prompting the user is meant as an additional security precaution to

>>>> address this exposure.

>>>>

>>>> Can you enable both integrated and basic authentication on this

>>>> intranet site?

>>>>

>>>

>>>

>>> I think i did try that combination before, i will try again,

>>>

>>> sorry just tried it seems to be working.

>>>

>>>

>>>> Regards,

>>>>

>>>> J Wolfgang Goerlich

>>>>

>>>> On Jul 27, 11:07 am, "ThatsIT.net.au" <me@thatsit> wrote:

>>>>> I am currently setting up a intranet that will not be available from

>>>>> outside

>>>>> the network, also a extranet that will be available from outside the

>>>>> network.

>>>>> The extranet has basic authentication and SSL. it passes though a ISA

>>>>> 2000

>>>>> firewall and for various reasons we need to use basic authentication,

>>>>> but as

>>>>> it is over SSL it is encrypted so it does not matter that basic uses

>>>>> clear

>>>>> text.

>>>>> Certain pages that need to be accessed from outside I will put on the

>>>>> extranet but I don't want to have to recreate these pages on the

>>>>> intranet

>>>>> also so internal users will access these pages from the extranet.

>>>>> All seems fine but one point. when internal users access the extranet

>>>>> they

>>>>> are prompted to log in, even though their browsers are set to log in

>>>>> automatically with current username and password. this is annoying to

>>>>> say

>>>>> the least.

>>>>> Is there any solution?

>>>>> Is this normal for basic over SSL to prompt even when set to auto

>>>>> login in

>>>>> IE?

>>>>> any suggestions

>>>>

>>>>

>>>

>>>

>>

>>

>

>

Guest Roger Abell [MVP]
Posted

Re: Auto log in with basic authentication

 

 

"ThatsIT.net.au" <me@thatsit> wrote in message

news:uPeUx1O0HHA.600@TK2MSFTNGP05.phx.gbl...

>I will check this out on Monday.

>

> But I can authenticate using LAN cable, but not though card.

>

 

I missed that piece of info.

So much fir cliebt settings.

You are likely dealing with ports disallowed via

the wireless access points' routing then.

> ill get back to you on Monday if you are still around

>

> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

> news:ecbQq5N0HHA.4652@TK2MSFTNGP05.phx.gbl...

>> Remember that use of integrate authentication behind the scenes is

>> not just a matter of whether the website is configured to negotiate

>> its use. The browsing client (i.e. IE) must also be configured to

>> allow its use (in the Internet Options on the Advanced tab) and the

>> site must be recognized as one with which it will attempt is use

>> (usually that mean recognizing the site as being in the intranet

>> zone).

>>

>> Roger

>>

>>

>> "ThatsIT.net.au" <me@thatsit> wrote in message

>> news:ehQotZN0HHA.1188@TK2MSFTNGP04.phx.gbl...

>>> Actually I think I spoke too soon.

>>>

>>> we have some laptops that need to connect though PC mobile phone cards.

>>> for some reason I'm not sure they do not seem to want to connect to the

>>> web site with intergraded security, I think this is what happened last

>>> time I choose this configuration. I don't have one with me at the moment

>>> I would have to wait till Monday to find out for sure.

>>>

>>> This brings up another question. why wont the laptop's authenticate with

>>> windows authentication when connecting with pc mobile phone cards?

>>>

>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>> news:OCj%23v$M0HHA.4184@TK2MSFTNGP06.phx.gbl...

>>>>

>>>> <jwgoerlich@gmail.com> wrote in message

>>>> news:1185550174.050237.219340@d30g2000prg.googlegroups.com...

>>>>> There is no workaround. The automatic login option in IE works with

>>>>> integrated authentication only. This is because basic authentication

>>>>> exposes the password (at both the network and application layers).

>>>>> Prompting the user is meant as an additional security precaution to

>>>>> address this exposure.

>>>>>

>>>>> Can you enable both integrated and basic authentication on this

>>>>> intranet site?

>>>>>

>>>>

>>>>

>>>> I think i did try that combination before, i will try again,

>>>>

>>>> sorry just tried it seems to be working.

>>>>

>>>>

>>>>> Regards,

>>>>>

>>>>> J Wolfgang Goerlich

>>>>>

>>>>> On Jul 27, 11:07 am, "ThatsIT.net.au" <me@thatsit> wrote:

>>>>>> I am currently setting up a intranet that will not be available from

>>>>>> outside

>>>>>> the network, also a extranet that will be available from outside the

>>>>>> network.

>>>>>> The extranet has basic authentication and SSL. it passes though a ISA

>>>>>> 2000

>>>>>> firewall and for various reasons we need to use basic authentication,

>>>>>> but as

>>>>>> it is over SSL it is encrypted so it does not matter that basic uses

>>>>>> clear

>>>>>> text.

>>>>>> Certain pages that need to be accessed from outside I will put on the

>>>>>> extranet but I don't want to have to recreate these pages on the

>>>>>> intranet

>>>>>> also so internal users will access these pages from the extranet.

>>>>>> All seems fine but one point. when internal users access the extranet

>>>>>> they

>>>>>> are prompted to log in, even though their browsers are set to log in

>>>>>> automatically with current username and password. this is annoying to

>>>>>> say

>>>>>> the least.

>>>>>> Is there any solution?

>>>>>> Is this normal for basic over SSL to prompt even when set to auto

>>>>>> login in

>>>>>> IE?

>>>>>> any suggestions

>>>>>

>>>>>

>>>>

>>>>

>>>

>>>

>>

>>

>

>

Guest ThatsIT.net.au
Posted

Re: Auto log in with basic authentication

 

 

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

news:eAdB9DU0HHA.6072@TK2MSFTNGP03.phx.gbl...

>

> "ThatsIT.net.au" <me@thatsit> wrote in message

> news:uPeUx1O0HHA.600@TK2MSFTNGP05.phx.gbl...

>>I will check this out on Monday.

>>

>> But I can authenticate using LAN cable, but not though card.

>>

>

> I missed that piece of info.

> So much fir cliebt settings.

> You are likely dealing with ports disallowed via

> the wireless access points' routing then.

 

Its not your normal wireless, its a mobile phone card for a laptop. You

connect though a mobile phone tower

http://www.cnet.com.au/wireless/accessories/0,239028911,339272208,00.htm?feed=rss

 

but your point probably still applies.

 

 

 

>

>> ill get back to you on Monday if you are still around

>>

>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>> news:ecbQq5N0HHA.4652@TK2MSFTNGP05.phx.gbl...

>>> Remember that use of integrate authentication behind the scenes is

>>> not just a matter of whether the website is configured to negotiate

>>> its use. The browsing client (i.e. IE) must also be configured to

>>> allow its use (in the Internet Options on the Advanced tab) and the

>>> site must be recognized as one with which it will attempt is use

>>> (usually that mean recognizing the site as being in the intranet

>>> zone).

>>>

>>> Roger

>>>

>>>

>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>> news:ehQotZN0HHA.1188@TK2MSFTNGP04.phx.gbl...

>>>> Actually I think I spoke too soon.

>>>>

>>>> we have some laptops that need to connect though PC mobile phone cards.

>>>> for some reason I'm not sure they do not seem to want to connect to the

>>>> web site with intergraded security, I think this is what happened last

>>>> time I choose this configuration. I don't have one with me at the

>>>> moment I would have to wait till Monday to find out for sure.

>>>>

>>>> This brings up another question. why wont the laptop's authenticate

>>>> with windows authentication when connecting with pc mobile phone cards?

>>>>

>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>> news:OCj%23v$M0HHA.4184@TK2MSFTNGP06.phx.gbl...

>>>>>

>>>>> <jwgoerlich@gmail.com> wrote in message

>>>>> news:1185550174.050237.219340@d30g2000prg.googlegroups.com...

>>>>>> There is no workaround. The automatic login option in IE works with

>>>>>> integrated authentication only. This is because basic authentication

>>>>>> exposes the password (at both the network and application layers).

>>>>>> Prompting the user is meant as an additional security precaution to

>>>>>> address this exposure.

>>>>>>

>>>>>> Can you enable both integrated and basic authentication on this

>>>>>> intranet site?

>>>>>>

>>>>>

>>>>>

>>>>> I think i did try that combination before, i will try again,

>>>>>

>>>>> sorry just tried it seems to be working.

>>>>>

>>>>>

>>>>>> Regards,

>>>>>>

>>>>>> J Wolfgang Goerlich

>>>>>>

>>>>>> On Jul 27, 11:07 am, "ThatsIT.net.au" <me@thatsit> wrote:

>>>>>>> I am currently setting up a intranet that will not be available from

>>>>>>> outside

>>>>>>> the network, also a extranet that will be available from outside the

>>>>>>> network.

>>>>>>> The extranet has basic authentication and SSL. it passes though a

>>>>>>> ISA 2000

>>>>>>> firewall and for various reasons we need to use basic

>>>>>>> authentication, but as

>>>>>>> it is over SSL it is encrypted so it does not matter that basic uses

>>>>>>> clear

>>>>>>> text.

>>>>>>> Certain pages that need to be accessed from outside I will put on

>>>>>>> the

>>>>>>> extranet but I don't want to have to recreate these pages on the

>>>>>>> intranet

>>>>>>> also so internal users will access these pages from the extranet.

>>>>>>> All seems fine but one point. when internal users access the

>>>>>>> extranet they

>>>>>>> are prompted to log in, even though their browsers are set to log in

>>>>>>> automatically with current username and password. this is annoying

>>>>>>> to say

>>>>>>> the least.

>>>>>>> Is there any solution?

>>>>>>> Is this normal for basic over SSL to prompt even when set to auto

>>>>>>> login in

>>>>>>> IE?

>>>>>>> any suggestions

>>>>>>

>>>>>>

>>>>>

>>>>>

>>>>

>>>>

>>>

>>>

>>

>>

>

>

Guest Ken Schaefer
Posted

Re: Auto log in with basic authentication

 

IN order of transparent auto-login to work with IE, all the following

conditions must be satisfied. It's not just a matter of configuring

something on the server:

http://support.microsoft.com/?id=258063

 

Cheers

Ken

 

"ThatsIT.net.au" <me@thatsit> wrote in message

news:OZ0DRdU0HHA.1164@TK2MSFTNGP02.phx.gbl...

>

> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

> news:eAdB9DU0HHA.6072@TK2MSFTNGP03.phx.gbl...

>>

>> "ThatsIT.net.au" <me@thatsit> wrote in message

>> news:uPeUx1O0HHA.600@TK2MSFTNGP05.phx.gbl...

>>>I will check this out on Monday.

>>>

>>> But I can authenticate using LAN cable, but not though card.

>>>

>>

>> I missed that piece of info.

>> So much fir cliebt settings.

>> You are likely dealing with ports disallowed via

>> the wireless access points' routing then.

>

> Its not your normal wireless, its a mobile phone card for a laptop. You

> connect though a mobile phone tower

> http://www.cnet.com.au/wireless/accessories/0,239028911,339272208,00.htm?feed=rss

>

> but your point probably still applies.

>

>

>

>

>>

>>> ill get back to you on Monday if you are still around

>>>

>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>> news:ecbQq5N0HHA.4652@TK2MSFTNGP05.phx.gbl...

>>>> Remember that use of integrate authentication behind the scenes is

>>>> not just a matter of whether the website is configured to negotiate

>>>> its use. The browsing client (i.e. IE) must also be configured to

>>>> allow its use (in the Internet Options on the Advanced tab) and the

>>>> site must be recognized as one with which it will attempt is use

>>>> (usually that mean recognizing the site as being in the intranet

>>>> zone).

>>>>

>>>> Roger

>>>>

>>>>

>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>> news:ehQotZN0HHA.1188@TK2MSFTNGP04.phx.gbl...

>>>>> Actually I think I spoke too soon.

>>>>>

>>>>> we have some laptops that need to connect though PC mobile phone

>>>>> cards. for some reason I'm not sure they do not seem to want to

>>>>> connect to the web site with intergraded security, I think this is

>>>>> what happened last time I choose this configuration. I don't have one

>>>>> with me at the moment I would have to wait till Monday to find out for

>>>>> sure.

>>>>>

>>>>> This brings up another question. why wont the laptop's authenticate

>>>>> with windows authentication when connecting with pc mobile phone

>>>>> cards?

>>>>>

>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>> news:OCj%23v$M0HHA.4184@TK2MSFTNGP06.phx.gbl...

>>>>>>

>>>>>> <jwgoerlich@gmail.com> wrote in message

>>>>>> news:1185550174.050237.219340@d30g2000prg.googlegroups.com...

>>>>>>> There is no workaround. The automatic login option in IE works with

>>>>>>> integrated authentication only. This is because basic authentication

>>>>>>> exposes the password (at both the network and application layers).

>>>>>>> Prompting the user is meant as an additional security precaution to

>>>>>>> address this exposure.

>>>>>>>

>>>>>>> Can you enable both integrated and basic authentication on this

>>>>>>> intranet site?

>>>>>>>

>>>>>>

>>>>>>

>>>>>> I think i did try that combination before, i will try again,

>>>>>>

>>>>>> sorry just tried it seems to be working.

>>>>>>

>>>>>>

>>>>>>> Regards,

>>>>>>>

>>>>>>> J Wolfgang Goerlich

>>>>>>>

>>>>>>> On Jul 27, 11:07 am, "ThatsIT.net.au" <me@thatsit> wrote:

>>>>>>>> I am currently setting up a intranet that will not be available

>>>>>>>> from outside

>>>>>>>> the network, also a extranet that will be available from outside

>>>>>>>> the

>>>>>>>> network.

>>>>>>>> The extranet has basic authentication and SSL. it passes though a

>>>>>>>> ISA 2000

>>>>>>>> firewall and for various reasons we need to use basic

>>>>>>>> authentication, but as

>>>>>>>> it is over SSL it is encrypted so it does not matter that basic

>>>>>>>> uses clear

>>>>>>>> text.

>>>>>>>> Certain pages that need to be accessed from outside I will put on

>>>>>>>> the

>>>>>>>> extranet but I don't want to have to recreate these pages on the

>>>>>>>> intranet

>>>>>>>> also so internal users will access these pages from the extranet.

>>>>>>>> All seems fine but one point. when internal users access the

>>>>>>>> extranet they

>>>>>>>> are prompted to log in, even though their browsers are set to log

>>>>>>>> in

>>>>>>>> automatically with current username and password. this is annoying

>>>>>>>> to say

>>>>>>>> the least.

>>>>>>>> Is there any solution?

>>>>>>>> Is this normal for basic over SSL to prompt even when set to auto

>>>>>>>> login in

>>>>>>>> IE?

>>>>>>>> any suggestions

>>>>>>>

>>>>>>>

>>>>>>

>>>>>>

>>>>>

>>>>>

>>>>

>>>>

>>>

>>>

>>

>>

>

>

Guest Roger Abell [MVP]
Posted

Re: Auto log in with basic authentication

 

Nice KB Ken, which I had overlooked previously. Thanks.

 

Given poster can access as expected with direct wire, and

that issue is when using public provider, it sounds to me that

it is not a configuration issue on poster's part, client or server,

but with port protocols supported over that air-linked network.

 

Roger

 

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

news:eNodDnY0HHA.1100@TK2MSFTNGP06.phx.gbl...

> IN order of transparent auto-login to work with IE, all the following

> conditions must be satisfied. It's not just a matter of configuring

> something on the server:

> http://support.microsoft.com/?id=258063

>

> Cheers

> Ken

>

> "ThatsIT.net.au" <me@thatsit> wrote in message

> news:OZ0DRdU0HHA.1164@TK2MSFTNGP02.phx.gbl...

>>

>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>> news:eAdB9DU0HHA.6072@TK2MSFTNGP03.phx.gbl...

>>>

>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>> news:uPeUx1O0HHA.600@TK2MSFTNGP05.phx.gbl...

>>>>I will check this out on Monday.

>>>>

>>>> But I can authenticate using LAN cable, but not though card.

>>>>

>>>

>>> I missed that piece of info.

>>> So much fir cliebt settings.

>>> You are likely dealing with ports disallowed via

>>> the wireless access points' routing then.

>>

>> Its not your normal wireless, its a mobile phone card for a laptop. You

>> connect though a mobile phone tower

>> http://www.cnet.com.au/wireless/accessories/0,239028911,339272208,00.htm?feed=rss

>>

>> but your point probably still applies.

>>

>>

>>

>>

>>>

>>>> ill get back to you on Monday if you are still around

>>>>

>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>> news:ecbQq5N0HHA.4652@TK2MSFTNGP05.phx.gbl...

>>>>> Remember that use of integrate authentication behind the scenes is

>>>>> not just a matter of whether the website is configured to negotiate

>>>>> its use. The browsing client (i.e. IE) must also be configured to

>>>>> allow its use (in the Internet Options on the Advanced tab) and the

>>>>> site must be recognized as one with which it will attempt is use

>>>>> (usually that mean recognizing the site as being in the intranet

>>>>> zone).

>>>>>

>>>>> Roger

>>>>>

>>>>>

>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>> news:ehQotZN0HHA.1188@TK2MSFTNGP04.phx.gbl...

>>>>>> Actually I think I spoke too soon.

>>>>>>

>>>>>> we have some laptops that need to connect though PC mobile phone

>>>>>> cards. for some reason I'm not sure they do not seem to want to

>>>>>> connect to the web site with intergraded security, I think this is

>>>>>> what happened last time I choose this configuration. I don't have one

>>>>>> with me at the moment I would have to wait till Monday to find out

>>>>>> for sure.

>>>>>>

>>>>>> This brings up another question. why wont the laptop's authenticate

>>>>>> with windows authentication when connecting with pc mobile phone

>>>>>> cards?

>>>>>>

>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>> news:OCj%23v$M0HHA.4184@TK2MSFTNGP06.phx.gbl...

>>>>>>>

>>>>>>> <jwgoerlich@gmail.com> wrote in message

>>>>>>> news:1185550174.050237.219340@d30g2000prg.googlegroups.com...

>>>>>>>> There is no workaround. The automatic login option in IE works with

>>>>>>>> integrated authentication only. This is because basic

>>>>>>>> authentication

>>>>>>>> exposes the password (at both the network and application layers).

>>>>>>>> Prompting the user is meant as an additional security precaution to

>>>>>>>> address this exposure.

>>>>>>>>

>>>>>>>> Can you enable both integrated and basic authentication on this

>>>>>>>> intranet site?

>>>>>>>>

>>>>>>>

>>>>>>>

>>>>>>> I think i did try that combination before, i will try again,

>>>>>>>

>>>>>>> sorry just tried it seems to be working.

>>>>>>>

>>>>>>>

>>>>>>>> Regards,

>>>>>>>>

>>>>>>>> J Wolfgang Goerlich

>>>>>>>>

>>>>>>>> On Jul 27, 11:07 am, "ThatsIT.net.au" <me@thatsit> wrote:

>>>>>>>>> I am currently setting up a intranet that will not be available

>>>>>>>>> from outside

>>>>>>>>> the network, also a extranet that will be available from outside

>>>>>>>>> the

>>>>>>>>> network.

>>>>>>>>> The extranet has basic authentication and SSL. it passes though a

>>>>>>>>> ISA 2000

>>>>>>>>> firewall and for various reasons we need to use basic

>>>>>>>>> authentication, but as

>>>>>>>>> it is over SSL it is encrypted so it does not matter that basic

>>>>>>>>> uses clear

>>>>>>>>> text.

>>>>>>>>> Certain pages that need to be accessed from outside I will put on

>>>>>>>>> the

>>>>>>>>> extranet but I don't want to have to recreate these pages on the

>>>>>>>>> intranet

>>>>>>>>> also so internal users will access these pages from the extranet.

>>>>>>>>> All seems fine but one point. when internal users access the

>>>>>>>>> extranet they

>>>>>>>>> are prompted to log in, even though their browsers are set to log

>>>>>>>>> in

>>>>>>>>> automatically with current username and password. this is annoying

>>>>>>>>> to say

>>>>>>>>> the least.

>>>>>>>>> Is there any solution?

>>>>>>>>> Is this normal for basic over SSL to prompt even when set to auto

>>>>>>>>> login in

>>>>>>>>> IE?

>>>>>>>>> any suggestions

>>>>>>>>

>>>>>>>>

>>>>>>>

>>>>>>>

>>>>>>

>>>>>>

>>>>>

>>>>>

>>>>

>>>>

>>>

>>>

>>

>>

>

Guest ThatsIT.net.au
Posted

Re: Auto log in with basic authentication

 

Thanks for that, much clearer now

 

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

news:eNodDnY0HHA.1100@TK2MSFTNGP06.phx.gbl...

> IN order of transparent auto-login to work with IE, all the following

> conditions must be satisfied. It's not just a matter of configuring

> something on the server:

> http://support.microsoft.com/?id=258063

>

> Cheers

> Ken

>

> "ThatsIT.net.au" <me@thatsit> wrote in message

> news:OZ0DRdU0HHA.1164@TK2MSFTNGP02.phx.gbl...

>>

>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>> news:eAdB9DU0HHA.6072@TK2MSFTNGP03.phx.gbl...

>>>

>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>> news:uPeUx1O0HHA.600@TK2MSFTNGP05.phx.gbl...

>>>>I will check this out on Monday.

>>>>

>>>> But I can authenticate using LAN cable, but not though card.

>>>>

>>>

>>> I missed that piece of info.

>>> So much fir cliebt settings.

>>> You are likely dealing with ports disallowed via

>>> the wireless access points' routing then.

>>

>> Its not your normal wireless, its a mobile phone card for a laptop. You

>> connect though a mobile phone tower

>> http://www.cnet.com.au/wireless/accessories/0,239028911,339272208,00.htm?feed=rss

>>

>> but your point probably still applies.

>>

>>

>>

>>

>>>

>>>> ill get back to you on Monday if you are still around

>>>>

>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>> news:ecbQq5N0HHA.4652@TK2MSFTNGP05.phx.gbl...

>>>>> Remember that use of integrate authentication behind the scenes is

>>>>> not just a matter of whether the website is configured to negotiate

>>>>> its use. The browsing client (i.e. IE) must also be configured to

>>>>> allow its use (in the Internet Options on the Advanced tab) and the

>>>>> site must be recognized as one with which it will attempt is use

>>>>> (usually that mean recognizing the site as being in the intranet

>>>>> zone).

>>>>>

>>>>> Roger

>>>>>

>>>>>

>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>> news:ehQotZN0HHA.1188@TK2MSFTNGP04.phx.gbl...

>>>>>> Actually I think I spoke too soon.

>>>>>>

>>>>>> we have some laptops that need to connect though PC mobile phone

>>>>>> cards. for some reason I'm not sure they do not seem to want to

>>>>>> connect to the web site with intergraded security, I think this is

>>>>>> what happened last time I choose this configuration. I don't have one

>>>>>> with me at the moment I would have to wait till Monday to find out

>>>>>> for sure.

>>>>>>

>>>>>> This brings up another question. why wont the laptop's authenticate

>>>>>> with windows authentication when connecting with pc mobile phone

>>>>>> cards?

>>>>>>

>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>> news:OCj%23v$M0HHA.4184@TK2MSFTNGP06.phx.gbl...

>>>>>>>

>>>>>>> <jwgoerlich@gmail.com> wrote in message

>>>>>>> news:1185550174.050237.219340@d30g2000prg.googlegroups.com...

>>>>>>>> There is no workaround. The automatic login option in IE works with

>>>>>>>> integrated authentication only. This is because basic

>>>>>>>> authentication

>>>>>>>> exposes the password (at both the network and application layers).

>>>>>>>> Prompting the user is meant as an additional security precaution to

>>>>>>>> address this exposure.

>>>>>>>>

>>>>>>>> Can you enable both integrated and basic authentication on this

>>>>>>>> intranet site?

>>>>>>>>

>>>>>>>

>>>>>>>

>>>>>>> I think i did try that combination before, i will try again,

>>>>>>>

>>>>>>> sorry just tried it seems to be working.

>>>>>>>

>>>>>>>

>>>>>>>> Regards,

>>>>>>>>

>>>>>>>> J Wolfgang Goerlich

>>>>>>>>

>>>>>>>> On Jul 27, 11:07 am, "ThatsIT.net.au" <me@thatsit> wrote:

>>>>>>>>> I am currently setting up a intranet that will not be available

>>>>>>>>> from outside

>>>>>>>>> the network, also a extranet that will be available from outside

>>>>>>>>> the

>>>>>>>>> network.

>>>>>>>>> The extranet has basic authentication and SSL. it passes though a

>>>>>>>>> ISA 2000

>>>>>>>>> firewall and for various reasons we need to use basic

>>>>>>>>> authentication, but as

>>>>>>>>> it is over SSL it is encrypted so it does not matter that basic

>>>>>>>>> uses clear

>>>>>>>>> text.

>>>>>>>>> Certain pages that need to be accessed from outside I will put on

>>>>>>>>> the

>>>>>>>>> extranet but I don't want to have to recreate these pages on the

>>>>>>>>> intranet

>>>>>>>>> also so internal users will access these pages from the extranet.

>>>>>>>>> All seems fine but one point. when internal users access the

>>>>>>>>> extranet they

>>>>>>>>> are prompted to log in, even though their browsers are set to log

>>>>>>>>> in

>>>>>>>>> automatically with current username and password. this is annoying

>>>>>>>>> to say

>>>>>>>>> the least.

>>>>>>>>> Is there any solution?

>>>>>>>>> Is this normal for basic over SSL to prompt even when set to auto

>>>>>>>>> login in

>>>>>>>>> IE?

>>>>>>>>> any suggestions

>>>>>>>>

>>>>>>>>

>>>>>>>

>>>>>>>

>>>>>>

>>>>>>

>>>>>

>>>>>

>>>>

>>>>

>>>

>>>

>>

>>

>

Guest Ken Schaefer
Posted

Re: Auto log in with basic authentication

 

Well, it may be that the server is being accessed as http://servername

internally, and http://servername.domain.com externally (or something like

that), or perhaps it matter of how OP has configured ISA Server.

 

I don't really know about the port issue - unless we're using Kerberos

authentication (and ISA Server would have to be explicity configured for

Kerberos IIRC) then the only port used is 80 (or 443 as OP has SSL enabled).

 

Cheers

Ken

 

 

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

news:O%23Cz%23Wh0HHA.484@TK2MSFTNGP06.phx.gbl...

> Nice KB Ken, which I had overlooked previously. Thanks.

>

> Given poster can access as expected with direct wire, and

> that issue is when using public provider, it sounds to me that

> it is not a configuration issue on poster's part, client or server,

> but with port protocols supported over that air-linked network.

>

> Roger

>

> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

> news:eNodDnY0HHA.1100@TK2MSFTNGP06.phx.gbl...

>> IN order of transparent auto-login to work with IE, all the following

>> conditions must be satisfied. It's not just a matter of configuring

>> something on the server:

>> http://support.microsoft.com/?id=258063

>>

>> Cheers

>> Ken

>>

>> "ThatsIT.net.au" <me@thatsit> wrote in message

>> news:OZ0DRdU0HHA.1164@TK2MSFTNGP02.phx.gbl...

>>>

>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>> news:eAdB9DU0HHA.6072@TK2MSFTNGP03.phx.gbl...

>>>>

>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>> news:uPeUx1O0HHA.600@TK2MSFTNGP05.phx.gbl...

>>>>>I will check this out on Monday.

>>>>>

>>>>> But I can authenticate using LAN cable, but not though card.

>>>>>

>>>>

>>>> I missed that piece of info.

>>>> So much fir cliebt settings.

>>>> You are likely dealing with ports disallowed via

>>>> the wireless access points' routing then.

>>>

>>> Its not your normal wireless, its a mobile phone card for a laptop. You

>>> connect though a mobile phone tower

>>> http://www.cnet.com.au/wireless/accessories/0,239028911,339272208,00.htm?feed=rss

>>>

>>> but your point probably still applies.

>>>

>>>

>>>

>>>

>>>>

>>>>> ill get back to you on Monday if you are still around

>>>>>

>>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>>> news:ecbQq5N0HHA.4652@TK2MSFTNGP05.phx.gbl...

>>>>>> Remember that use of integrate authentication behind the scenes is

>>>>>> not just a matter of whether the website is configured to negotiate

>>>>>> its use. The browsing client (i.e. IE) must also be configured to

>>>>>> allow its use (in the Internet Options on the Advanced tab) and the

>>>>>> site must be recognized as one with which it will attempt is use

>>>>>> (usually that mean recognizing the site as being in the intranet

>>>>>> zone).

>>>>>>

>>>>>> Roger

>>>>>>

>>>>>>

>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>> news:ehQotZN0HHA.1188@TK2MSFTNGP04.phx.gbl...

>>>>>>> Actually I think I spoke too soon.

>>>>>>>

>>>>>>> we have some laptops that need to connect though PC mobile phone

>>>>>>> cards. for some reason I'm not sure they do not seem to want to

>>>>>>> connect to the web site with intergraded security, I think this is

>>>>>>> what happened last time I choose this configuration. I don't have

>>>>>>> one with me at the moment I would have to wait till Monday to find

>>>>>>> out for sure.

>>>>>>>

>>>>>>> This brings up another question. why wont the laptop's authenticate

>>>>>>> with windows authentication when connecting with pc mobile phone

>>>>>>> cards?

>>>>>>>

>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>> news:OCj%23v$M0HHA.4184@TK2MSFTNGP06.phx.gbl...

>>>>>>>>

>>>>>>>> <jwgoerlich@gmail.com> wrote in message

>>>>>>>> news:1185550174.050237.219340@d30g2000prg.googlegroups.com...

>>>>>>>>> There is no workaround. The automatic login option in IE works

>>>>>>>>> with

>>>>>>>>> integrated authentication only. This is because basic

>>>>>>>>> authentication

>>>>>>>>> exposes the password (at both the network and application layers).

>>>>>>>>> Prompting the user is meant as an additional security precaution

>>>>>>>>> to

>>>>>>>>> address this exposure.

>>>>>>>>>

>>>>>>>>> Can you enable both integrated and basic authentication on this

>>>>>>>>> intranet site?

>>>>>>>>>

>>>>>>>>

>>>>>>>>

>>>>>>>> I think i did try that combination before, i will try again,

>>>>>>>>

>>>>>>>> sorry just tried it seems to be working.

>>>>>>>>

>>>>>>>>

>>>>>>>>> Regards,

>>>>>>>>>

>>>>>>>>> J Wolfgang Goerlich

>>>>>>>>>

>>>>>>>>> On Jul 27, 11:07 am, "ThatsIT.net.au" <me@thatsit> wrote:

>>>>>>>>>> I am currently setting up a intranet that will not be available

>>>>>>>>>> from outside

>>>>>>>>>> the network, also a extranet that will be available from outside

>>>>>>>>>> the

>>>>>>>>>> network.

>>>>>>>>>> The extranet has basic authentication and SSL. it passes though a

>>>>>>>>>> ISA 2000

>>>>>>>>>> firewall and for various reasons we need to use basic

>>>>>>>>>> authentication, but as

>>>>>>>>>> it is over SSL it is encrypted so it does not matter that basic

>>>>>>>>>> uses clear

>>>>>>>>>> text.

>>>>>>>>>> Certain pages that need to be accessed from outside I will put on

>>>>>>>>>> the

>>>>>>>>>> extranet but I don't want to have to recreate these pages on the

>>>>>>>>>> intranet

>>>>>>>>>> also so internal users will access these pages from the extranet.

>>>>>>>>>> All seems fine but one point. when internal users access the

>>>>>>>>>> extranet they

>>>>>>>>>> are prompted to log in, even though their browsers are set to log

>>>>>>>>>> in

>>>>>>>>>> automatically with current username and password. this is

>>>>>>>>>> annoying to say

>>>>>>>>>> the least.

>>>>>>>>>> Is there any solution?

>>>>>>>>>> Is this normal for basic over SSL to prompt even when set to auto

>>>>>>>>>> login in

>>>>>>>>>> IE?

>>>>>>>>>> any suggestions

>>>>>>>>>

>>>>>>>>>

>>>>>>>>

>>>>>>>>

>>>>>>>

>>>>>>>

>>>>>>

>>>>>>

>>>>>

>>>>>

>>>>

>>>>

>>>

>>>

>>

>

>

Guest Roger Abell [MVP]
Posted

Re: Auto log in with basic authentication

 

Yes, some unknowns here. I was thinking OS would not try to

use Kerberos due to external name not matchine DNS domain

of AD, so trying NTLM; and also assuming a public provider of

this air-link filtering out NetBt based ports - resulting in authN

falling back to basic.

 

Roger

 

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

news:%23k88fgk0HHA.3400@TK2MSFTNGP03.phx.gbl...

> Well, it may be that the server is being accessed as http://servername

> internally, and http://servername.domain.com externally (or something like

> that), or perhaps it matter of how OP has configured ISA Server.

>

> I don't really know about the port issue - unless we're using Kerberos

> authentication (and ISA Server would have to be explicity configured for

> Kerberos IIRC) then the only port used is 80 (or 443 as OP has SSL

> enabled).

>

> Cheers

> Ken

>

>

> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

> news:O%23Cz%23Wh0HHA.484@TK2MSFTNGP06.phx.gbl...

>> Nice KB Ken, which I had overlooked previously. Thanks.

>>

>> Given poster can access as expected with direct wire, and

>> that issue is when using public provider, it sounds to me that

>> it is not a configuration issue on poster's part, client or server,

>> but with port protocols supported over that air-linked network.

>>

>> Roger

>>

>> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

>> news:eNodDnY0HHA.1100@TK2MSFTNGP06.phx.gbl...

>>> IN order of transparent auto-login to work with IE, all the following

>>> conditions must be satisfied. It's not just a matter of configuring

>>> something on the server:

>>> http://support.microsoft.com/?id=258063

>>>

>>> Cheers

>>> Ken

>>>

>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>> news:OZ0DRdU0HHA.1164@TK2MSFTNGP02.phx.gbl...

>>>>

>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>> news:eAdB9DU0HHA.6072@TK2MSFTNGP03.phx.gbl...

>>>>>

>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>> news:uPeUx1O0HHA.600@TK2MSFTNGP05.phx.gbl...

>>>>>>I will check this out on Monday.

>>>>>>

>>>>>> But I can authenticate using LAN cable, but not though card.

>>>>>>

>>>>>

>>>>> I missed that piece of info.

>>>>> So much fir cliebt settings.

>>>>> You are likely dealing with ports disallowed via

>>>>> the wireless access points' routing then.

>>>>

>>>> Its not your normal wireless, its a mobile phone card for a laptop. You

>>>> connect though a mobile phone tower

>>>> http://www.cnet.com.au/wireless/accessories/0,239028911,339272208,00.htm?feed=rss

>>>>

>>>> but your point probably still applies.

>>>>

>>>>

>>>>

>>>>

>>>>>

>>>>>> ill get back to you on Monday if you are still around

>>>>>>

>>>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>>>> news:ecbQq5N0HHA.4652@TK2MSFTNGP05.phx.gbl...

>>>>>>> Remember that use of integrate authentication behind the scenes is

>>>>>>> not just a matter of whether the website is configured to negotiate

>>>>>>> its use. The browsing client (i.e. IE) must also be configured to

>>>>>>> allow its use (in the Internet Options on the Advanced tab) and the

>>>>>>> site must be recognized as one with which it will attempt is use

>>>>>>> (usually that mean recognizing the site as being in the intranet

>>>>>>> zone).

>>>>>>>

>>>>>>> Roger

>>>>>>>

>>>>>>>

>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>> news:ehQotZN0HHA.1188@TK2MSFTNGP04.phx.gbl...

>>>>>>>> Actually I think I spoke too soon.

>>>>>>>>

>>>>>>>> we have some laptops that need to connect though PC mobile phone

>>>>>>>> cards. for some reason I'm not sure they do not seem to want to

>>>>>>>> connect to the web site with intergraded security, I think this is

>>>>>>>> what happened last time I choose this configuration. I don't have

>>>>>>>> one with me at the moment I would have to wait till Monday to find

>>>>>>>> out for sure.

>>>>>>>>

>>>>>>>> This brings up another question. why wont the laptop's authenticate

>>>>>>>> with windows authentication when connecting with pc mobile phone

>>>>>>>> cards?

>>>>>>>>

>>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>>> news:OCj%23v$M0HHA.4184@TK2MSFTNGP06.phx.gbl...

>>>>>>>>>

>>>>>>>>> <jwgoerlich@gmail.com> wrote in message

>>>>>>>>> news:1185550174.050237.219340@d30g2000prg.googlegroups.com...

>>>>>>>>>> There is no workaround. The automatic login option in IE works

>>>>>>>>>> with

>>>>>>>>>> integrated authentication only. This is because basic

>>>>>>>>>> authentication

>>>>>>>>>> exposes the password (at both the network and application

>>>>>>>>>> layers).

>>>>>>>>>> Prompting the user is meant as an additional security precaution

>>>>>>>>>> to

>>>>>>>>>> address this exposure.

>>>>>>>>>>

>>>>>>>>>> Can you enable both integrated and basic authentication on this

>>>>>>>>>> intranet site?

>>>>>>>>>>

>>>>>>>>>

>>>>>>>>>

>>>>>>>>> I think i did try that combination before, i will try again,

>>>>>>>>>

>>>>>>>>> sorry just tried it seems to be working.

>>>>>>>>>

>>>>>>>>>

>>>>>>>>>> Regards,

>>>>>>>>>>

>>>>>>>>>> J Wolfgang Goerlich

>>>>>>>>>>

>>>>>>>>>> On Jul 27, 11:07 am, "ThatsIT.net.au" <me@thatsit> wrote:

>>>>>>>>>>> I am currently setting up a intranet that will not be available

>>>>>>>>>>> from outside

>>>>>>>>>>> the network, also a extranet that will be available from outside

>>>>>>>>>>> the

>>>>>>>>>>> network.

>>>>>>>>>>> The extranet has basic authentication and SSL. it passes though

>>>>>>>>>>> a ISA 2000

>>>>>>>>>>> firewall and for various reasons we need to use basic

>>>>>>>>>>> authentication, but as

>>>>>>>>>>> it is over SSL it is encrypted so it does not matter that basic

>>>>>>>>>>> uses clear

>>>>>>>>>>> text.

>>>>>>>>>>> Certain pages that need to be accessed from outside I will put

>>>>>>>>>>> on the

>>>>>>>>>>> extranet but I don't want to have to recreate these pages on the

>>>>>>>>>>> intranet

>>>>>>>>>>> also so internal users will access these pages from the

>>>>>>>>>>> extranet.

>>>>>>>>>>> All seems fine but one point. when internal users access the

>>>>>>>>>>> extranet they

>>>>>>>>>>> are prompted to log in, even though their browsers are set to

>>>>>>>>>>> log in

>>>>>>>>>>> automatically with current username and password. this is

>>>>>>>>>>> annoying to say

>>>>>>>>>>> the least.

>>>>>>>>>>> Is there any solution?

>>>>>>>>>>> Is this normal for basic over SSL to prompt even when set to

>>>>>>>>>>> auto login in

>>>>>>>>>>> IE?

>>>>>>>>>>> any suggestions

>>>>>>>>>>

>>>>>>>>>>

>>>>>>>>>

>>>>>>>>>

>>>>>>>>

>>>>>>>>

>>>>>>>

>>>>>>>

>>>>>>

>>>>>>

>>>>>

>>>>>

>>>>

>>>>

>>>

>>

>>

>

Guest Ken Schaefer
Posted

Re: Auto log in with basic authentication

 

IE does not "fall back" to some other type of authentication.

 

It tries a sinlge type, and if it doesn't work, then authentication fails.

 

NTLM auth from browser to IIS does not rely on NetBT ports - it all works

over port 80 (or 443)

 

Cheers

Ken

 

 

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

news:OcdPi3q0HHA.5380@TK2MSFTNGP04.phx.gbl...

> Yes, some unknowns here. I was thinking OS would not try to

> use Kerberos due to external name not matchine DNS domain

> of AD, so trying NTLM; and also assuming a public provider of

> this air-link filtering out NetBt based ports - resulting in authN

> falling back to basic.

>

> Roger

>

> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

> news:%23k88fgk0HHA.3400@TK2MSFTNGP03.phx.gbl...

>> Well, it may be that the server is being accessed as http://servername

>> internally, and http://servername.domain.com externally (or something

>> like that), or perhaps it matter of how OP has configured ISA Server.

>>

>> I don't really know about the port issue - unless we're using Kerberos

>> authentication (and ISA Server would have to be explicity configured for

>> Kerberos IIRC) then the only port used is 80 (or 443 as OP has SSL

>> enabled).

>>

>> Cheers

>> Ken

>>

>>

>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>> news:O%23Cz%23Wh0HHA.484@TK2MSFTNGP06.phx.gbl...

>>> Nice KB Ken, which I had overlooked previously. Thanks.

>>>

>>> Given poster can access as expected with direct wire, and

>>> that issue is when using public provider, it sounds to me that

>>> it is not a configuration issue on poster's part, client or server,

>>> but with port protocols supported over that air-linked network.

>>>

>>> Roger

>>>

>>> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

>>> news:eNodDnY0HHA.1100@TK2MSFTNGP06.phx.gbl...

>>>> IN order of transparent auto-login to work with IE, all the following

>>>> conditions must be satisfied. It's not just a matter of configuring

>>>> something on the server:

>>>> http://support.microsoft.com/?id=258063

>>>>

>>>> Cheers

>>>> Ken

>>>>

>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>> news:OZ0DRdU0HHA.1164@TK2MSFTNGP02.phx.gbl...

>>>>>

>>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>>> news:eAdB9DU0HHA.6072@TK2MSFTNGP03.phx.gbl...

>>>>>>

>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>> news:uPeUx1O0HHA.600@TK2MSFTNGP05.phx.gbl...

>>>>>>>I will check this out on Monday.

>>>>>>>

>>>>>>> But I can authenticate using LAN cable, but not though card.

>>>>>>>

>>>>>>

>>>>>> I missed that piece of info.

>>>>>> So much fir cliebt settings.

>>>>>> You are likely dealing with ports disallowed via

>>>>>> the wireless access points' routing then.

>>>>>

>>>>> Its not your normal wireless, its a mobile phone card for a laptop.

>>>>> You connect though a mobile phone tower

>>>>> http://www.cnet.com.au/wireless/accessories/0,239028911,339272208,00.htm?feed=rss

>>>>>

>>>>> but your point probably still applies.

>>>>>

>>>>>

>>>>>

>>>>>

>>>>>>

>>>>>>> ill get back to you on Monday if you are still around

>>>>>>>

>>>>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>>>>> news:ecbQq5N0HHA.4652@TK2MSFTNGP05.phx.gbl...

>>>>>>>> Remember that use of integrate authentication behind the scenes is

>>>>>>>> not just a matter of whether the website is configured to negotiate

>>>>>>>> its use. The browsing client (i.e. IE) must also be configured to

>>>>>>>> allow its use (in the Internet Options on the Advanced tab) and the

>>>>>>>> site must be recognized as one with which it will attempt is use

>>>>>>>> (usually that mean recognizing the site as being in the intranet

>>>>>>>> zone).

>>>>>>>>

>>>>>>>> Roger

>>>>>>>>

>>>>>>>>

>>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>>> news:ehQotZN0HHA.1188@TK2MSFTNGP04.phx.gbl...

>>>>>>>>> Actually I think I spoke too soon.

>>>>>>>>>

>>>>>>>>> we have some laptops that need to connect though PC mobile phone

>>>>>>>>> cards. for some reason I'm not sure they do not seem to want to

>>>>>>>>> connect to the web site with intergraded security, I think this is

>>>>>>>>> what happened last time I choose this configuration. I don't have

>>>>>>>>> one with me at the moment I would have to wait till Monday to find

>>>>>>>>> out for sure.

>>>>>>>>>

>>>>>>>>> This brings up another question. why wont the laptop's

>>>>>>>>> authenticate with windows authentication when connecting with pc

>>>>>>>>> mobile phone cards?

>>>>>>>>>

>>>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>>>> news:OCj%23v$M0HHA.4184@TK2MSFTNGP06.phx.gbl...

>>>>>>>>>>

>>>>>>>>>> <jwgoerlich@gmail.com> wrote in message

>>>>>>>>>> news:1185550174.050237.219340@d30g2000prg.googlegroups.com...

>>>>>>>>>>> There is no workaround. The automatic login option in IE works

>>>>>>>>>>> with

>>>>>>>>>>> integrated authentication only. This is because basic

>>>>>>>>>>> authentication

>>>>>>>>>>> exposes the password (at both the network and application

>>>>>>>>>>> layers).

>>>>>>>>>>> Prompting the user is meant as an additional security precaution

>>>>>>>>>>> to

>>>>>>>>>>> address this exposure.

>>>>>>>>>>>

>>>>>>>>>>> Can you enable both integrated and basic authentication on this

>>>>>>>>>>> intranet site?

>>>>>>>>>>>

>>>>>>>>>>

>>>>>>>>>>

>>>>>>>>>> I think i did try that combination before, i will try again,

>>>>>>>>>>

>>>>>>>>>> sorry just tried it seems to be working.

>>>>>>>>>>

>>>>>>>>>>

>>>>>>>>>>> Regards,

>>>>>>>>>>>

>>>>>>>>>>> J Wolfgang Goerlich

>>>>>>>>>>>

>>>>>>>>>>> On Jul 27, 11:07 am, "ThatsIT.net.au" <me@thatsit> wrote:

>>>>>>>>>>>> I am currently setting up a intranet that will not be available

>>>>>>>>>>>> from outside

>>>>>>>>>>>> the network, also a extranet that will be available from

>>>>>>>>>>>> outside the

>>>>>>>>>>>> network.

>>>>>>>>>>>> The extranet has basic authentication and SSL. it passes though

>>>>>>>>>>>> a ISA 2000

>>>>>>>>>>>> firewall and for various reasons we need to use basic

>>>>>>>>>>>> authentication, but as

>>>>>>>>>>>> it is over SSL it is encrypted so it does not matter that basic

>>>>>>>>>>>> uses clear

>>>>>>>>>>>> text.

>>>>>>>>>>>> Certain pages that need to be accessed from outside I will put

>>>>>>>>>>>> on the

>>>>>>>>>>>> extranet but I don't want to have to recreate these pages on

>>>>>>>>>>>> the intranet

>>>>>>>>>>>> also so internal users will access these pages from the

>>>>>>>>>>>> extranet.

>>>>>>>>>>>> All seems fine but one point. when internal users access the

>>>>>>>>>>>> extranet they

>>>>>>>>>>>> are prompted to log in, even though their browsers are set to

>>>>>>>>>>>> log in

>>>>>>>>>>>> automatically with current username and password. this is

>>>>>>>>>>>> annoying to say

>>>>>>>>>>>> the least.

>>>>>>>>>>>> Is there any solution?

>>>>>>>>>>>> Is this normal for basic over SSL to prompt even when set to

>>>>>>>>>>>> auto login in

>>>>>>>>>>>> IE?

>>>>>>>>>>>> any suggestions

>>>>>>>>>>>

>>>>>>>>>>>

>>>>>>>>>>

>>>>>>>>>>

>>>>>>>>>

>>>>>>>>>

>>>>>>>>

>>>>>>>>

>>>>>>>

>>>>>>>

>>>>>>

>>>>>>

>>>>>

>>>>>

>>>>

>>>

>>>

>>

>

>

Guest Roger Abell [MVP]
Posted

Re: Auto log in with basic authentication

 

Then I am totally in the dark as to what is happening for this poster.

 

Roger

 

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

news:e2yQ92x0HHA.5644@TK2MSFTNGP05.phx.gbl...

> IE does not "fall back" to some other type of authentication.

>

> It tries a sinlge type, and if it doesn't work, then authentication fails.

>

> NTLM auth from browser to IIS does not rely on NetBT ports - it all works

> over port 80 (or 443)

>

> Cheers

> Ken

>

>

> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

> news:OcdPi3q0HHA.5380@TK2MSFTNGP04.phx.gbl...

>> Yes, some unknowns here. I was thinking OS would not try to

>> use Kerberos due to external name not matchine DNS domain

>> of AD, so trying NTLM; and also assuming a public provider of

>> this air-link filtering out NetBt based ports - resulting in authN

>> falling back to basic.

>>

>> Roger

>>

>> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

>> news:%23k88fgk0HHA.3400@TK2MSFTNGP03.phx.gbl...

>>> Well, it may be that the server is being accessed as http://servername

>>> internally, and http://servername.domain.com externally (or something

>>> like that), or perhaps it matter of how OP has configured ISA Server.

>>>

>>> I don't really know about the port issue - unless we're using Kerberos

>>> authentication (and ISA Server would have to be explicity configured for

>>> Kerberos IIRC) then the only port used is 80 (or 443 as OP has SSL

>>> enabled).

>>>

>>> Cheers

>>> Ken

>>>

>>>

>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>> news:O%23Cz%23Wh0HHA.484@TK2MSFTNGP06.phx.gbl...

>>>> Nice KB Ken, which I had overlooked previously. Thanks.

>>>>

>>>> Given poster can access as expected with direct wire, and

>>>> that issue is when using public provider, it sounds to me that

>>>> it is not a configuration issue on poster's part, client or server,

>>>> but with port protocols supported over that air-linked network.

>>>>

>>>> Roger

>>>>

>>>> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

>>>> news:eNodDnY0HHA.1100@TK2MSFTNGP06.phx.gbl...

>>>>> IN order of transparent auto-login to work with IE, all the following

>>>>> conditions must be satisfied. It's not just a matter of configuring

>>>>> something on the server:

>>>>> http://support.microsoft.com/?id=258063

>>>>>

>>>>> Cheers

>>>>> Ken

>>>>>

>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>> news:OZ0DRdU0HHA.1164@TK2MSFTNGP02.phx.gbl...

>>>>>>

>>>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>>>> news:eAdB9DU0HHA.6072@TK2MSFTNGP03.phx.gbl...

>>>>>>>

>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>> news:uPeUx1O0HHA.600@TK2MSFTNGP05.phx.gbl...

>>>>>>>>I will check this out on Monday.

>>>>>>>>

>>>>>>>> But I can authenticate using LAN cable, but not though card.

>>>>>>>>

>>>>>>>

>>>>>>> I missed that piece of info.

>>>>>>> So much fir cliebt settings.

>>>>>>> You are likely dealing with ports disallowed via

>>>>>>> the wireless access points' routing then.

>>>>>>

>>>>>> Its not your normal wireless, its a mobile phone card for a laptop.

>>>>>> You connect though a mobile phone tower

>>>>>> http://www.cnet.com.au/wireless/accessories/0,239028911,339272208,00.htm?feed=rss

>>>>>>

>>>>>> but your point probably still applies.

>>>>>>

>>>>>>

>>>>>>

>>>>>>

>>>>>>>

>>>>>>>> ill get back to you on Monday if you are still around

>>>>>>>>

>>>>>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>>>>>> news:ecbQq5N0HHA.4652@TK2MSFTNGP05.phx.gbl...

>>>>>>>>> Remember that use of integrate authentication behind the scenes is

>>>>>>>>> not just a matter of whether the website is configured to

>>>>>>>>> negotiate

>>>>>>>>> its use. The browsing client (i.e. IE) must also be configured to

>>>>>>>>> allow its use (in the Internet Options on the Advanced tab) and

>>>>>>>>> the

>>>>>>>>> site must be recognized as one with which it will attempt is use

>>>>>>>>> (usually that mean recognizing the site as being in the intranet

>>>>>>>>> zone).

>>>>>>>>>

>>>>>>>>> Roger

>>>>>>>>>

>>>>>>>>>

>>>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>>>> news:ehQotZN0HHA.1188@TK2MSFTNGP04.phx.gbl...

>>>>>>>>>> Actually I think I spoke too soon.

>>>>>>>>>>

>>>>>>>>>> we have some laptops that need to connect though PC mobile phone

>>>>>>>>>> cards. for some reason I'm not sure they do not seem to want to

>>>>>>>>>> connect to the web site with intergraded security, I think this

>>>>>>>>>> is what happened last time I choose this configuration. I don't

>>>>>>>>>> have one with me at the moment I would have to wait till Monday

>>>>>>>>>> to find out for sure.

>>>>>>>>>>

>>>>>>>>>> This brings up another question. why wont the laptop's

>>>>>>>>>> authenticate with windows authentication when connecting with pc

>>>>>>>>>> mobile phone cards?

>>>>>>>>>>

>>>>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>>>>> news:OCj%23v$M0HHA.4184@TK2MSFTNGP06.phx.gbl...

>>>>>>>>>>>

>>>>>>>>>>> <jwgoerlich@gmail.com> wrote in message

>>>>>>>>>>> news:1185550174.050237.219340@d30g2000prg.googlegroups.com...

>>>>>>>>>>>> There is no workaround. The automatic login option in IE works

>>>>>>>>>>>> with

>>>>>>>>>>>> integrated authentication only. This is because basic

>>>>>>>>>>>> authentication

>>>>>>>>>>>> exposes the password (at both the network and application

>>>>>>>>>>>> layers).

>>>>>>>>>>>> Prompting the user is meant as an additional security

>>>>>>>>>>>> precaution to

>>>>>>>>>>>> address this exposure.

>>>>>>>>>>>>

>>>>>>>>>>>> Can you enable both integrated and basic authentication on this

>>>>>>>>>>>> intranet site?

>>>>>>>>>>>>

>>>>>>>>>>>

>>>>>>>>>>>

>>>>>>>>>>> I think i did try that combination before, i will try again,

>>>>>>>>>>>

>>>>>>>>>>> sorry just tried it seems to be working.

>>>>>>>>>>>

>>>>>>>>>>>

>>>>>>>>>>>> Regards,

>>>>>>>>>>>>

>>>>>>>>>>>> J Wolfgang Goerlich

>>>>>>>>>>>>

>>>>>>>>>>>> On Jul 27, 11:07 am, "ThatsIT.net.au" <me@thatsit> wrote:

>>>>>>>>>>>>> I am currently setting up a intranet that will not be

>>>>>>>>>>>>> available from outside

>>>>>>>>>>>>> the network, also a extranet that will be available from

>>>>>>>>>>>>> outside the

>>>>>>>>>>>>> network.

>>>>>>>>>>>>> The extranet has basic authentication and SSL. it passes

>>>>>>>>>>>>> though a ISA 2000

>>>>>>>>>>>>> firewall and for various reasons we need to use basic

>>>>>>>>>>>>> authentication, but as

>>>>>>>>>>>>> it is over SSL it is encrypted so it does not matter that

>>>>>>>>>>>>> basic uses clear

>>>>>>>>>>>>> text.

>>>>>>>>>>>>> Certain pages that need to be accessed from outside I will put

>>>>>>>>>>>>> on the

>>>>>>>>>>>>> extranet but I don't want to have to recreate these pages on

>>>>>>>>>>>>> the intranet

>>>>>>>>>>>>> also so internal users will access these pages from the

>>>>>>>>>>>>> extranet.

>>>>>>>>>>>>> All seems fine but one point. when internal users access the

>>>>>>>>>>>>> extranet they

>>>>>>>>>>>>> are prompted to log in, even though their browsers are set to

>>>>>>>>>>>>> log in

>>>>>>>>>>>>> automatically with current username and password. this is

>>>>>>>>>>>>> annoying to say

>>>>>>>>>>>>> the least.

>>>>>>>>>>>>> Is there any solution?

>>>>>>>>>>>>> Is this normal for basic over SSL to prompt even when set to

>>>>>>>>>>>>> auto login in

>>>>>>>>>>>>> IE?

>>>>>>>>>>>>> any suggestions

>>>>>>>>>>>>

>>>>>>>>>>>>

>>>>>>>>>>>

>>>>>>>>>>>

>>>>>>>>>>

>>>>>>>>>>

>>>>>>>>>

>>>>>>>>>

>>>>>>>>

>>>>>>>>

>>>>>>>

>>>>>>>

>>>>>>

>>>>>>

>>>>>

>>>>

>>>>

>>>

>>

>>

>

Guest ThatsIT.net.au
Posted

Re: Auto log in with basic authentication

 

 

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

news:%23WDrHI00HHA.4824@TK2MSFTNGP02.phx.gbl...

> Then I am totally in the dark as to what is happening for this poster.

>

> Roger

 

what I did was enabled both integrated and basic authentication, but this

did not work as it seems that the laptops were trying to use integrated and

failing, I assumed that they would fail and then try basic, but this did not

seem to happen. So I disabled integrated authentication from the IE advanced

options and it all seems to work. I did a bit of reading into the mobile PC

cards we are using on the laptops and they have some sort of compression

software to save on downloads I assume that this is making integrated

authentication fail. I am trying to get them to disable it(as I read you can

have done) but they haven't called me back yet.

 

So the scenario I have now is both Integrated Authentication and Basic

authentication. The clients on the network login automatically with

integrated and the mobile OC card laptops have integrated disabled and use

basic over ssl. Seems to be working well.

 

 

>

> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

> news:e2yQ92x0HHA.5644@TK2MSFTNGP05.phx.gbl...

>> IE does not "fall back" to some other type of authentication.

>>

>> It tries a sinlge type, and if it doesn't work, then authentication

>> fails.

>>

>> NTLM auth from browser to IIS does not rely on NetBT ports - it all works

>> over port 80 (or 443)

>>

>> Cheers

>> Ken

>>

>>

>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>> news:OcdPi3q0HHA.5380@TK2MSFTNGP04.phx.gbl...

>>> Yes, some unknowns here. I was thinking OS would not try to

>>> use Kerberos due to external name not matchine DNS domain

>>> of AD, so trying NTLM; and also assuming a public provider of

>>> this air-link filtering out NetBt based ports - resulting in authN

>>> falling back to basic.

>>>

>>> Roger

>>>

>>> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

>>> news:%23k88fgk0HHA.3400@TK2MSFTNGP03.phx.gbl...

>>>> Well, it may be that the server is being accessed as http://servername

>>>> internally, and http://servername.domain.com externally (or something

>>>> like that), or perhaps it matter of how OP has configured ISA Server.

>>>>

>>>> I don't really know about the port issue - unless we're using Kerberos

>>>> authentication (and ISA Server would have to be explicity configured

>>>> for Kerberos IIRC) then the only port used is 80 (or 443 as OP has SSL

>>>> enabled).

>>>>

>>>> Cheers

>>>> Ken

>>>>

>>>>

>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>> news:O%23Cz%23Wh0HHA.484@TK2MSFTNGP06.phx.gbl...

>>>>> Nice KB Ken, which I had overlooked previously. Thanks.

>>>>>

>>>>> Given poster can access as expected with direct wire, and

>>>>> that issue is when using public provider, it sounds to me that

>>>>> it is not a configuration issue on poster's part, client or server,

>>>>> but with port protocols supported over that air-linked network.

>>>>>

>>>>> Roger

>>>>>

>>>>> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

>>>>> news:eNodDnY0HHA.1100@TK2MSFTNGP06.phx.gbl...

>>>>>> IN order of transparent auto-login to work with IE, all the following

>>>>>> conditions must be satisfied. It's not just a matter of configuring

>>>>>> something on the server:

>>>>>> http://support.microsoft.com/?id=258063

>>>>>>

>>>>>> Cheers

>>>>>> Ken

>>>>>>

>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>> news:OZ0DRdU0HHA.1164@TK2MSFTNGP02.phx.gbl...

>>>>>>>

>>>>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>>>>> news:eAdB9DU0HHA.6072@TK2MSFTNGP03.phx.gbl...

>>>>>>>>

>>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>>> news:uPeUx1O0HHA.600@TK2MSFTNGP05.phx.gbl...

>>>>>>>>>I will check this out on Monday.

>>>>>>>>>

>>>>>>>>> But I can authenticate using LAN cable, but not though card.

>>>>>>>>>

>>>>>>>>

>>>>>>>> I missed that piece of info.

>>>>>>>> So much fir cliebt settings.

>>>>>>>> You are likely dealing with ports disallowed via

>>>>>>>> the wireless access points' routing then.

>>>>>>>

>>>>>>> Its not your normal wireless, its a mobile phone card for a laptop.

>>>>>>> You connect though a mobile phone tower

>>>>>>> http://www.cnet.com.au/wireless/accessories/0,239028911,339272208,00.htm?feed=rss

>>>>>>>

>>>>>>> but your point probably still applies.

>>>>>>>

>>>>>>>

>>>>>>>

>>>>>>>

>>>>>>>>

>>>>>>>>> ill get back to you on Monday if you are still around

>>>>>>>>>

>>>>>>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>>>>>>> news:ecbQq5N0HHA.4652@TK2MSFTNGP05.phx.gbl...

>>>>>>>>>> Remember that use of integrate authentication behind the scenes

>>>>>>>>>> is

>>>>>>>>>> not just a matter of whether the website is configured to

>>>>>>>>>> negotiate

>>>>>>>>>> its use. The browsing client (i.e. IE) must also be configured

>>>>>>>>>> to

>>>>>>>>>> allow its use (in the Internet Options on the Advanced tab) and

>>>>>>>>>> the

>>>>>>>>>> site must be recognized as one with which it will attempt is use

>>>>>>>>>> (usually that mean recognizing the site as being in the intranet

>>>>>>>>>> zone).

>>>>>>>>>>

>>>>>>>>>> Roger

>>>>>>>>>>

>>>>>>>>>>

>>>>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>>>>> news:ehQotZN0HHA.1188@TK2MSFTNGP04.phx.gbl...

>>>>>>>>>>> Actually I think I spoke too soon.

>>>>>>>>>>>

>>>>>>>>>>> we have some laptops that need to connect though PC mobile phone

>>>>>>>>>>> cards. for some reason I'm not sure they do not seem to want to

>>>>>>>>>>> connect to the web site with intergraded security, I think this

>>>>>>>>>>> is what happened last time I choose this configuration. I don't

>>>>>>>>>>> have one with me at the moment I would have to wait till Monday

>>>>>>>>>>> to find out for sure.

>>>>>>>>>>>

>>>>>>>>>>> This brings up another question. why wont the laptop's

>>>>>>>>>>> authenticate with windows authentication when connecting with pc

>>>>>>>>>>> mobile phone cards?

>>>>>>>>>>>

>>>>>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>>>>>> news:OCj%23v$M0HHA.4184@TK2MSFTNGP06.phx.gbl...

>>>>>>>>>>>>

>>>>>>>>>>>> <jwgoerlich@gmail.com> wrote in message

>>>>>>>>>>>> news:1185550174.050237.219340@d30g2000prg.googlegroups.com...

>>>>>>>>>>>>> There is no workaround. The automatic login option in IE works

>>>>>>>>>>>>> with

>>>>>>>>>>>>> integrated authentication only. This is because basic

>>>>>>>>>>>>> authentication

>>>>>>>>>>>>> exposes the password (at both the network and application

>>>>>>>>>>>>> layers).

>>>>>>>>>>>>> Prompting the user is meant as an additional security

>>>>>>>>>>>>> precaution to

>>>>>>>>>>>>> address this exposure.

>>>>>>>>>>>>>

>>>>>>>>>>>>> Can you enable both integrated and basic authentication on

>>>>>>>>>>>>> this

>>>>>>>>>>>>> intranet site?

>>>>>>>>>>>>>

>>>>>>>>>>>>

>>>>>>>>>>>>

>>>>>>>>>>>> I think i did try that combination before, i will try again,

>>>>>>>>>>>>

>>>>>>>>>>>> sorry just tried it seems to be working.

>>>>>>>>>>>>

>>>>>>>>>>>>

>>>>>>>>>>>>> Regards,

>>>>>>>>>>>>>

>>>>>>>>>>>>> J Wolfgang Goerlich

>>>>>>>>>>>>>

>>>>>>>>>>>>> On Jul 27, 11:07 am, "ThatsIT.net.au" <me@thatsit> wrote:

>>>>>>>>>>>>>> I am currently setting up a intranet that will not be

>>>>>>>>>>>>>> available from outside

>>>>>>>>>>>>>> the network, also a extranet that will be available from

>>>>>>>>>>>>>> outside the

>>>>>>>>>>>>>> network.

>>>>>>>>>>>>>> The extranet has basic authentication and SSL. it passes

>>>>>>>>>>>>>> though a ISA 2000

>>>>>>>>>>>>>> firewall and for various reasons we need to use basic

>>>>>>>>>>>>>> authentication, but as

>>>>>>>>>>>>>> it is over SSL it is encrypted so it does not matter that

>>>>>>>>>>>>>> basic uses clear

>>>>>>>>>>>>>> text.

>>>>>>>>>>>>>> Certain pages that need to be accessed from outside I will

>>>>>>>>>>>>>> put on the

>>>>>>>>>>>>>> extranet but I don't want to have to recreate these pages on

>>>>>>>>>>>>>> the intranet

>>>>>>>>>>>>>> also so internal users will access these pages from the

>>>>>>>>>>>>>> extranet.

>>>>>>>>>>>>>> All seems fine but one point. when internal users access the

>>>>>>>>>>>>>> extranet they

>>>>>>>>>>>>>> are prompted to log in, even though their browsers are set to

>>>>>>>>>>>>>> log in

>>>>>>>>>>>>>> automatically with current username and password. this is

>>>>>>>>>>>>>> annoying to say

>>>>>>>>>>>>>> the least.

>>>>>>>>>>>>>> Is there any solution?

>>>>>>>>>>>>>> Is this normal for basic over SSL to prompt even when set to

>>>>>>>>>>>>>> auto login in

>>>>>>>>>>>>>> IE?

>>>>>>>>>>>>>> any suggestions

>>>>>>>>>>>>>

>>>>>>>>>>>>>

>>>>>>>>>>>>

>>>>>>>>>>>>

>>>>>>>>>>>

>>>>>>>>>>>

>>>>>>>>>>

>>>>>>>>>>

>>>>>>>>>

>>>>>>>>>

>>>>>>>>

>>>>>>>>

>>>>>>>

>>>>>>>

>>>>>>

>>>>>

>>>>>

>>>>

>>>

>>>

>>

>

>

Guest Ken Schaefer
Posted

Re: Auto log in with basic authentication

 

Integrated Windows Authentication (IWA) is actually two possible authN

mechanisms: NTLM and Kerberos.

 

NTLM doesn't work through most forward proxies, which may be why your AuthN

is failing (the service's compression proxy that you are using). Or, if the

client thinks the site is in the Intranet security zone, it may attempt

Kerberos AuthN, but Kerberos AuthN requires access to a KDC (i.e. one of

your internal domain controllers), which is probably also not going to work.

 

Cheers

Ken

 

"ThatsIT.net.au" <me@thatsit> wrote in message

news:%23lD1cN40HHA.5380@TK2MSFTNGP04.phx.gbl...

>

> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

> news:%23WDrHI00HHA.4824@TK2MSFTNGP02.phx.gbl...

>> Then I am totally in the dark as to what is happening for this poster.

>>

>> Roger

>

> what I did was enabled both integrated and basic authentication, but this

> did not work as it seems that the laptops were trying to use integrated

> and failing, I assumed that they would fail and then try basic, but this

> did not seem to happen. So I disabled integrated authentication from the

> IE advanced options and it all seems to work. I did a bit of reading into

> the mobile PC cards we are using on the laptops and they have some sort of

> compression software to save on downloads I assume that this is making

> integrated authentication fail. I am trying to get them to disable it(as I

> read you can have done) but they haven't called me back yet.

>

> So the scenario I have now is both Integrated Authentication and Basic

> authentication. The clients on the network login automatically with

> integrated and the mobile OC card laptops have integrated disabled and use

> basic over ssl. Seems to be working well.

>

>

>

>>

>> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

>> news:e2yQ92x0HHA.5644@TK2MSFTNGP05.phx.gbl...

>>> IE does not "fall back" to some other type of authentication.

>>>

>>> It tries a sinlge type, and if it doesn't work, then authentication

>>> fails.

>>>

>>> NTLM auth from browser to IIS does not rely on NetBT ports - it all

>>> works over port 80 (or 443)

>>>

>>> Cheers

>>> Ken

>>>

>>>

>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>> news:OcdPi3q0HHA.5380@TK2MSFTNGP04.phx.gbl...

>>>> Yes, some unknowns here. I was thinking OS would not try to

>>>> use Kerberos due to external name not matchine DNS domain

>>>> of AD, so trying NTLM; and also assuming a public provider of

>>>> this air-link filtering out NetBt based ports - resulting in authN

>>>> falling back to basic.

>>>>

>>>> Roger

>>>>

>>>> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

>>>> news:%23k88fgk0HHA.3400@TK2MSFTNGP03.phx.gbl...

>>>>> Well, it may be that the server is being accessed as http://servername

>>>>> internally, and http://servername.domain.com externally (or something

>>>>> like that), or perhaps it matter of how OP has configured ISA Server.

>>>>>

>>>>> I don't really know about the port issue - unless we're using Kerberos

>>>>> authentication (and ISA Server would have to be explicity configured

>>>>> for Kerberos IIRC) then the only port used is 80 (or 443 as OP has SSL

>>>>> enabled).

>>>>>

>>>>> Cheers

>>>>> Ken

>>>>>

>>>>>

>>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>>> news:O%23Cz%23Wh0HHA.484@TK2MSFTNGP06.phx.gbl...

>>>>>> Nice KB Ken, which I had overlooked previously. Thanks.

>>>>>>

>>>>>> Given poster can access as expected with direct wire, and

>>>>>> that issue is when using public provider, it sounds to me that

>>>>>> it is not a configuration issue on poster's part, client or server,

>>>>>> but with port protocols supported over that air-linked network.

>>>>>>

>>>>>> Roger

>>>>>>

>>>>>> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

>>>>>> news:eNodDnY0HHA.1100@TK2MSFTNGP06.phx.gbl...

>>>>>>> IN order of transparent auto-login to work with IE, all the

>>>>>>> following conditions must be satisfied. It's not just a matter of

>>>>>>> configuring something on the server:

>>>>>>> http://support.microsoft.com/?id=258063

>>>>>>>

>>>>>>> Cheers

>>>>>>> Ken

>>>>>>>

>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>> news:OZ0DRdU0HHA.1164@TK2MSFTNGP02.phx.gbl...

>>>>>>>>

>>>>>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>>>>>> news:eAdB9DU0HHA.6072@TK2MSFTNGP03.phx.gbl...

>>>>>>>>>

>>>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>>>> news:uPeUx1O0HHA.600@TK2MSFTNGP05.phx.gbl...

>>>>>>>>>>I will check this out on Monday.

>>>>>>>>>>

>>>>>>>>>> But I can authenticate using LAN cable, but not though card.

>>>>>>>>>>

>>>>>>>>>

>>>>>>>>> I missed that piece of info.

>>>>>>>>> So much fir cliebt settings.

>>>>>>>>> You are likely dealing with ports disallowed via

>>>>>>>>> the wireless access points' routing then.

>>>>>>>>

>>>>>>>> Its not your normal wireless, its a mobile phone card for a laptop.

>>>>>>>> You connect though a mobile phone tower

>>>>>>>> http://www.cnet.com.au/wireless/accessories/0,239028911,339272208,00.htm?feed=rss

>>>>>>>>

>>>>>>>> but your point probably still applies.

>>>>>>>>

>>>>>>>>

>>>>>>>>

>>>>>>>>

>>>>>>>>>

>>>>>>>>>> ill get back to you on Monday if you are still around

>>>>>>>>>>

>>>>>>>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>>>>>>>> news:ecbQq5N0HHA.4652@TK2MSFTNGP05.phx.gbl...

>>>>>>>>>>> Remember that use of integrate authentication behind the scenes

>>>>>>>>>>> is

>>>>>>>>>>> not just a matter of whether the website is configured to

>>>>>>>>>>> negotiate

>>>>>>>>>>> its use. The browsing client (i.e. IE) must also be configured

>>>>>>>>>>> to

>>>>>>>>>>> allow its use (in the Internet Options on the Advanced tab) and

>>>>>>>>>>> the

>>>>>>>>>>> site must be recognized as one with which it will attempt is use

>>>>>>>>>>> (usually that mean recognizing the site as being in the intranet

>>>>>>>>>>> zone).

>>>>>>>>>>>

>>>>>>>>>>> Roger

>>>>>>>>>>>

>>>>>>>>>>>

>>>>>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>>>>>> news:ehQotZN0HHA.1188@TK2MSFTNGP04.phx.gbl...

>>>>>>>>>>>> Actually I think I spoke too soon.

>>>>>>>>>>>>

>>>>>>>>>>>> we have some laptops that need to connect though PC mobile

>>>>>>>>>>>> phone cards. for some reason I'm not sure they do not seem to

>>>>>>>>>>>> want to connect to the web site with intergraded security, I

>>>>>>>>>>>> think this is what happened last time I choose this

>>>>>>>>>>>> configuration. I don't have one with me at the moment I would

>>>>>>>>>>>> have to wait till Monday to find out for sure.

>>>>>>>>>>>>

>>>>>>>>>>>> This brings up another question. why wont the laptop's

>>>>>>>>>>>> authenticate with windows authentication when connecting with

>>>>>>>>>>>> pc mobile phone cards?

>>>>>>>>>>>>

>>>>>>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>>>>>>> news:OCj%23v$M0HHA.4184@TK2MSFTNGP06.phx.gbl...

>>>>>>>>>>>>>

>>>>>>>>>>>>> <jwgoerlich@gmail.com> wrote in message

>>>>>>>>>>>>> news:1185550174.050237.219340@d30g2000prg.googlegroups.com...

>>>>>>>>>>>>>> There is no workaround. The automatic login option in IE

>>>>>>>>>>>>>> works with

>>>>>>>>>>>>>> integrated authentication only. This is because basic

>>>>>>>>>>>>>> authentication

>>>>>>>>>>>>>> exposes the password (at both the network and application

>>>>>>>>>>>>>> layers).

>>>>>>>>>>>>>> Prompting the user is meant as an additional security

>>>>>>>>>>>>>> precaution to

>>>>>>>>>>>>>> address this exposure.

>>>>>>>>>>>>>>

>>>>>>>>>>>>>> Can you enable both integrated and basic authentication on

>>>>>>>>>>>>>> this

>>>>>>>>>>>>>> intranet site?

>>>>>>>>>>>>>>

>>>>>>>>>>>>>

>>>>>>>>>>>>>

>>>>>>>>>>>>> I think i did try that combination before, i will try again,

>>>>>>>>>>>>>

>>>>>>>>>>>>> sorry just tried it seems to be working.

>>>>>>>>>>>>>

>>>>>>>>>>>>>

>>>>>>>>>>>>>> Regards,

>>>>>>>>>>>>>>

>>>>>>>>>>>>>> J Wolfgang Goerlich

>>>>>>>>>>>>>>

>>>>>>>>>>>>>> On Jul 27, 11:07 am, "ThatsIT.net.au" <me@thatsit> wrote:

>>>>>>>>>>>>>>> I am currently setting up a intranet that will not be

>>>>>>>>>>>>>>> available from outside

>>>>>>>>>>>>>>> the network, also a extranet that will be available from

>>>>>>>>>>>>>>> outside the

>>>>>>>>>>>>>>> network.

>>>>>>>>>>>>>>> The extranet has basic authentication and SSL. it passes

>>>>>>>>>>>>>>> though a ISA 2000

>>>>>>>>>>>>>>> firewall and for various reasons we need to use basic

>>>>>>>>>>>>>>> authentication, but as

>>>>>>>>>>>>>>> it is over SSL it is encrypted so it does not matter that

>>>>>>>>>>>>>>> basic uses clear

>>>>>>>>>>>>>>> text.

>>>>>>>>>>>>>>> Certain pages that need to be accessed from outside I will

>>>>>>>>>>>>>>> put on the

>>>>>>>>>>>>>>> extranet but I don't want to have to recreate these pages on

>>>>>>>>>>>>>>> the intranet

>>>>>>>>>>>>>>> also so internal users will access these pages from the

>>>>>>>>>>>>>>> extranet.

>>>>>>>>>>>>>>> All seems fine but one point. when internal users access the

>>>>>>>>>>>>>>> extranet they

>>>>>>>>>>>>>>> are prompted to log in, even though their browsers are set

>>>>>>>>>>>>>>> to log in

>>>>>>>>>>>>>>> automatically with current username and password. this is

>>>>>>>>>>>>>>> annoying to say

>>>>>>>>>>>>>>> the least.

>>>>>>>>>>>>>>> Is there any solution?

>>>>>>>>>>>>>>> Is this normal for basic over SSL to prompt even when set to

>>>>>>>>>>>>>>> auto login in

>>>>>>>>>>>>>>> IE?

>>>>>>>>>>>>>>> any suggestions

>>>>>>>>>>>>>>

>>>>>>>>>>>>>>

>>>>>>>>>>>>>

>>>>>>>>>>>>>

>>>>>>>>>>>>

>>>>>>>>>>>>

>>>>>>>>>>>

>>>>>>>>>>>

>>>>>>>>>>

>>>>>>>>>>

>>>>>>>>>

>>>>>>>>>

>>>>>>>>

>>>>>>>>

>>>>>>>

>>>>>>

>>>>>>

>>>>>

>>>>

>>>>

>>>

>>

>>

>

>

Guest Roger Abell [MVP]
Posted

Re: Auto log in with basic authentication

 

My understanding is that there is an initial negotiation, so to speak,

step, in that the client/server says what authN methods it can use

and the strongest method gets selected. Once selected, it must work

or fail (i.e. it is not renegotiated), and trying all over again would

result in the same deterministic result. This is what in initial replies

I meant to indicate as fall-back to NTLM, i.e. stepping back to weaker

selection. I still think that your air-net provider is not supporting the

use of NTLM through its network, and that your mobile clients are

likely not even attempting Kerberos.

 

Roger

 

"ThatsIT.net.au" <me@thatsit> wrote in message

news:%23lD1cN40HHA.5380@TK2MSFTNGP04.phx.gbl...

>

> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

> news:%23WDrHI00HHA.4824@TK2MSFTNGP02.phx.gbl...

>> Then I am totally in the dark as to what is happening for this poster.

>>

>> Roger

>

> what I did was enabled both integrated and basic authentication, but this

> did not work as it seems that the laptops were trying to use integrated

> and failing, I assumed that they would fail and then try basic, but this

> did not seem to happen. So I disabled integrated authentication from the

> IE advanced options and it all seems to work. I did a bit of reading into

> the mobile PC cards we are using on the laptops and they have some sort of

> compression software to save on downloads I assume that this is making

> integrated authentication fail. I am trying to get them to disable it(as I

> read you can have done) but they haven't called me back yet.

>

> So the scenario I have now is both Integrated Authentication and Basic

> authentication. The clients on the network login automatically with

> integrated and the mobile OC card laptops have integrated disabled and use

> basic over ssl. Seems to be working well.

>

>

>

>>

>> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

>> news:e2yQ92x0HHA.5644@TK2MSFTNGP05.phx.gbl...

>>> IE does not "fall back" to some other type of authentication.

>>>

>>> It tries a sinlge type, and if it doesn't work, then authentication

>>> fails.

>>>

>>> NTLM auth from browser to IIS does not rely on NetBT ports - it all

>>> works over port 80 (or 443)

>>>

>>> Cheers

>>> Ken

>>>

>>>

>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>> news:OcdPi3q0HHA.5380@TK2MSFTNGP04.phx.gbl...

>>>> Yes, some unknowns here. I was thinking OS would not try to

>>>> use Kerberos due to external name not matchine DNS domain

>>>> of AD, so trying NTLM; and also assuming a public provider of

>>>> this air-link filtering out NetBt based ports - resulting in authN

>>>> falling back to basic.

>>>>

>>>> Roger

>>>>

>>>> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

>>>> news:%23k88fgk0HHA.3400@TK2MSFTNGP03.phx.gbl...

>>>>> Well, it may be that the server is being accessed as http://servername

>>>>> internally, and http://servername.domain.com externally (or something

>>>>> like that), or perhaps it matter of how OP has configured ISA Server.

>>>>>

>>>>> I don't really know about the port issue - unless we're using Kerberos

>>>>> authentication (and ISA Server would have to be explicity configured

>>>>> for Kerberos IIRC) then the only port used is 80 (or 443 as OP has SSL

>>>>> enabled).

>>>>>

>>>>> Cheers

>>>>> Ken

>>>>>

>>>>>

>>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>>> news:O%23Cz%23Wh0HHA.484@TK2MSFTNGP06.phx.gbl...

>>>>>> Nice KB Ken, which I had overlooked previously. Thanks.

>>>>>>

>>>>>> Given poster can access as expected with direct wire, and

>>>>>> that issue is when using public provider, it sounds to me that

>>>>>> it is not a configuration issue on poster's part, client or server,

>>>>>> but with port protocols supported over that air-linked network.

>>>>>>

>>>>>> Roger

>>>>>>

>>>>>> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

>>>>>> news:eNodDnY0HHA.1100@TK2MSFTNGP06.phx.gbl...

>>>>>>> IN order of transparent auto-login to work with IE, all the

>>>>>>> following conditions must be satisfied. It's not just a matter of

>>>>>>> configuring something on the server:

>>>>>>> http://support.microsoft.com/?id=258063

>>>>>>>

>>>>>>> Cheers

>>>>>>> Ken

>>>>>>>

>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>> news:OZ0DRdU0HHA.1164@TK2MSFTNGP02.phx.gbl...

>>>>>>>>

>>>>>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>>>>>> news:eAdB9DU0HHA.6072@TK2MSFTNGP03.phx.gbl...

>>>>>>>>>

>>>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>>>> news:uPeUx1O0HHA.600@TK2MSFTNGP05.phx.gbl...

>>>>>>>>>>I will check this out on Monday.

>>>>>>>>>>

>>>>>>>>>> But I can authenticate using LAN cable, but not though card.

>>>>>>>>>>

>>>>>>>>>

>>>>>>>>> I missed that piece of info.

>>>>>>>>> So much fir cliebt settings.

>>>>>>>>> You are likely dealing with ports disallowed via

>>>>>>>>> the wireless access points' routing then.

>>>>>>>>

>>>>>>>> Its not your normal wireless, its a mobile phone card for a laptop.

>>>>>>>> You connect though a mobile phone tower

>>>>>>>> http://www.cnet.com.au/wireless/accessories/0,239028911,339272208,00.htm?feed=rss

>>>>>>>>

>>>>>>>> but your point probably still applies.

>>>>>>>>

>>>>>>>>

>>>>>>>>

>>>>>>>>

>>>>>>>>>

>>>>>>>>>> ill get back to you on Monday if you are still around

>>>>>>>>>>

>>>>>>>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>>>>>>>> news:ecbQq5N0HHA.4652@TK2MSFTNGP05.phx.gbl...

>>>>>>>>>>> Remember that use of integrate authentication behind the scenes

>>>>>>>>>>> is

>>>>>>>>>>> not just a matter of whether the website is configured to

>>>>>>>>>>> negotiate

>>>>>>>>>>> its use. The browsing client (i.e. IE) must also be configured

>>>>>>>>>>> to

>>>>>>>>>>> allow its use (in the Internet Options on the Advanced tab) and

>>>>>>>>>>> the

>>>>>>>>>>> site must be recognized as one with which it will attempt is use

>>>>>>>>>>> (usually that mean recognizing the site as being in the intranet

>>>>>>>>>>> zone).

>>>>>>>>>>>

>>>>>>>>>>> Roger

>>>>>>>>>>>

>>>>>>>>>>>

>>>>>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>>>>>> news:ehQotZN0HHA.1188@TK2MSFTNGP04.phx.gbl...

>>>>>>>>>>>> Actually I think I spoke too soon.

>>>>>>>>>>>>

>>>>>>>>>>>> we have some laptops that need to connect though PC mobile

>>>>>>>>>>>> phone cards. for some reason I'm not sure they do not seem to

>>>>>>>>>>>> want to connect to the web site with intergraded security, I

>>>>>>>>>>>> think this is what happened last time I choose this

>>>>>>>>>>>> configuration. I don't have one with me at the moment I would

>>>>>>>>>>>> have to wait till Monday to find out for sure.

>>>>>>>>>>>>

>>>>>>>>>>>> This brings up another question. why wont the laptop's

>>>>>>>>>>>> authenticate with windows authentication when connecting with

>>>>>>>>>>>> pc mobile phone cards?

>>>>>>>>>>>>

>>>>>>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>>>>>>> news:OCj%23v$M0HHA.4184@TK2MSFTNGP06.phx.gbl...

>>>>>>>>>>>>>

>>>>>>>>>>>>> <jwgoerlich@gmail.com> wrote in message

>>>>>>>>>>>>> news:1185550174.050237.219340@d30g2000prg.googlegroups.com...

>>>>>>>>>>>>>> There is no workaround. The automatic login option in IE

>>>>>>>>>>>>>> works with

>>>>>>>>>>>>>> integrated authentication only. This is because basic

>>>>>>>>>>>>>> authentication

>>>>>>>>>>>>>> exposes the password (at both the network and application

>>>>>>>>>>>>>> layers).

>>>>>>>>>>>>>> Prompting the user is meant as an additional security

>>>>>>>>>>>>>> precaution to

>>>>>>>>>>>>>> address this exposure.

>>>>>>>>>>>>>>

>>>>>>>>>>>>>> Can you enable both integrated and basic authentication on

>>>>>>>>>>>>>> this

>>>>>>>>>>>>>> intranet site?

>>>>>>>>>>>>>>

>>>>>>>>>>>>>

>>>>>>>>>>>>>

>>>>>>>>>>>>> I think i did try that combination before, i will try again,

>>>>>>>>>>>>>

>>>>>>>>>>>>> sorry just tried it seems to be working.

>>>>>>>>>>>>>

>>>>>>>>>>>>>

>>>>>>>>>>>>>> Regards,

>>>>>>>>>>>>>>

>>>>>>>>>>>>>> J Wolfgang Goerlich

>>>>>>>>>>>>>>

>>>>>>>>>>>>>> On Jul 27, 11:07 am, "ThatsIT.net.au" <me@thatsit> wrote:

>>>>>>>>>>>>>>> I am currently setting up a intranet that will not be

>>>>>>>>>>>>>>> available from outside

>>>>>>>>>>>>>>> the network, also a extranet that will be available from

>>>>>>>>>>>>>>> outside the

>>>>>>>>>>>>>>> network.

>>>>>>>>>>>>>>> The extranet has basic authentication and SSL. it passes

>>>>>>>>>>>>>>> though a ISA 2000

>>>>>>>>>>>>>>> firewall and for various reasons we need to use basic

>>>>>>>>>>>>>>> authentication, but as

>>>>>>>>>>>>>>> it is over SSL it is encrypted so it does not matter that

>>>>>>>>>>>>>>> basic uses clear

>>>>>>>>>>>>>>> text.

>>>>>>>>>>>>>>> Certain pages that need to be accessed from outside I will

>>>>>>>>>>>>>>> put on the

>>>>>>>>>>>>>>> extranet but I don't want to have to recreate these pages on

>>>>>>>>>>>>>>> the intranet

>>>>>>>>>>>>>>> also so internal users will access these pages from the

>>>>>>>>>>>>>>> extranet.

>>>>>>>>>>>>>>> All seems fine but one point. when internal users access the

>>>>>>>>>>>>>>> extranet they

>>>>>>>>>>>>>>> are prompted to log in, even though their browsers are set

>>>>>>>>>>>>>>> to log in

>>>>>>>>>>>>>>> automatically with current username and password. this is

>>>>>>>>>>>>>>> annoying to say

>>>>>>>>>>>>>>> the least.

>>>>>>>>>>>>>>> Is there any solution?

>>>>>>>>>>>>>>> Is this normal for basic over SSL to prompt even when set to

>>>>>>>>>>>>>>> auto login in

>>>>>>>>>>>>>>> IE?

>>>>>>>>>>>>>>> any suggestions

>>>>>>>>>>>>>>

>>>>>>>>>>>>>>

>>>>>>>>>>>>>

>>>>>>>>>>>>>

>>>>>>>>>>>>

>>>>>>>>>>>>

>>>>>>>>>>>

>>>>>>>>>>>

>>>>>>>>>>

>>>>>>>>>>

>>>>>>>>>

>>>>>>>>>

>>>>>>>>

>>>>>>>>

>>>>>>>

>>>>>>

>>>>>>

>>>>>

>>>>

>>>>

>>>

>>

>>

>

>

Guest harrykrishna.nospam@online.ie
Posted

Re: Auto log in with basic authentication

 

We've recently noticed issues with credentials via AirCards where

we've not has a problem before, so I'm wondering if some patch on the

clients or some update on the VPN servers caused the change in the

past month or so.

 

In any event, try this for the offending AirCard connection:

 

Locate your Phone Book (Usually in the %SystemDrive%\Documents and

Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk

folder). - This is a hidden folder so you might have to set your

explorer settings to show hidden files.

 

Open the rasphone.pbk or whatever it is named by right-clicking on it

and opening it with Notepad. (Don't check the option to always open

with notepad).

 

Hunt for the phone book header that represents your problem AirCard

connection. Each new Phonebook entry is enclosed within brackets

"[ ]"

 

Change the line UseRasCredentials=1 to UseRasCredentials=0

 

It worked for us, and the challenge box no longer pops up with the

passed through credentials of the AirCard.

 

HTH

 

Harry

 

 

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote:

>My understanding is that there is an initial negotiation, so to speak,

>step, in that the client/server says what authN methods it can use

>and the strongest method gets selected. Once selected, it must work

>or fail (i.e. it is not renegotiated), and trying all over again would

>result in the same deterministic result. This is what in initial replies

>I meant to indicate as fall-back to NTLM, i.e. stepping back to weaker

>selection. I still think that your air-net provider is not supporting the

>use of NTLM through its network, and that your mobile clients are

>likely not even attempting Kerberos.

>

>Roger

>

>"ThatsIT.net.au" <me@thatsit> wrote in message

>news:%23lD1cN40HHA.5380@TK2MSFTNGP04.phx.gbl...

>>

>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>> news:%23WDrHI00HHA.4824@TK2MSFTNGP02.phx.gbl...

>>> Then I am totally in the dark as to what is happening for this poster.

>>>

>>> Roger

>>

>> what I did was enabled both integrated and basic authentication, but this

>> did not work as it seems that the laptops were trying to use integrated

>> and failing, I assumed that they would fail and then try basic, but this

>> did not seem to happen. So I disabled integrated authentication from the

>> IE advanced options and it all seems to work. I did a bit of reading into

>> the mobile PC cards we are using on the laptops and they have some sort of

>> compression software to save on downloads I assume that this is making

>> integrated authentication fail. I am trying to get them to disable it(as I

>> read you can have done) but they haven't called me back yet.

>>

>> So the scenario I have now is both Integrated Authentication and Basic

>> authentication. The clients on the network login automatically with

>> integrated and the mobile OC card laptops have integrated disabled and use

>> basic over ssl. Seems to be working well.

>>

>>

>>

>>>

>>> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

>>> news:e2yQ92x0HHA.5644@TK2MSFTNGP05.phx.gbl...

>>>> IE does not "fall back" to some other type of authentication.

>>>>

>>>> It tries a sinlge type, and if it doesn't work, then authentication

>>>> fails.

>>>>

>>>> NTLM auth from browser to IIS does not rely on NetBT ports - it all

>>>> works over port 80 (or 443)

>>>>

>>>> Cheers

>>>> Ken

>>>>

>>>>

>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>> news:OcdPi3q0HHA.5380@TK2MSFTNGP04.phx.gbl...

>>>>> Yes, some unknowns here. I was thinking OS would not try to

>>>>> use Kerberos due to external name not matchine DNS domain

>>>>> of AD, so trying NTLM; and also assuming a public provider of

>>>>> this air-link filtering out NetBt based ports - resulting in authN

>>>>> falling back to basic.

>>>>>

>>>>> Roger

>>>>>

>>>>> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

>>>>> news:%23k88fgk0HHA.3400@TK2MSFTNGP03.phx.gbl...

>>>>>> Well, it may be that the server is being accessed as http://servername

>>>>>> internally, and http://servername.domain.com externally (or something

>>>>>> like that), or perhaps it matter of how OP has configured ISA Server.

>>>>>>

>>>>>> I don't really know about the port issue - unless we're using Kerberos

>>>>>> authentication (and ISA Server would have to be explicity configured

>>>>>> for Kerberos IIRC) then the only port used is 80 (or 443 as OP has SSL

>>>>>> enabled).

>>>>>>

>>>>>> Cheers

>>>>>> Ken

>>>>>>

>>>>>>

>>>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>>>> news:O%23Cz%23Wh0HHA.484@TK2MSFTNGP06.phx.gbl...

>>>>>>> Nice KB Ken, which I had overlooked previously. Thanks.

>>>>>>>

>>>>>>> Given poster can access as expected with direct wire, and

>>>>>>> that issue is when using public provider, it sounds to me that

>>>>>>> it is not a configuration issue on poster's part, client or server,

>>>>>>> but with port protocols supported over that air-linked network.

>>>>>>>

>>>>>>> Roger

>>>>>>>

>>>>>>> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message

>>>>>>> news:eNodDnY0HHA.1100@TK2MSFTNGP06.phx.gbl...

>>>>>>>> IN order of transparent auto-login to work with IE, all the

>>>>>>>> following conditions must be satisfied. It's not just a matter of

>>>>>>>> configuring something on the server:

>>>>>>>> http://support.microsoft.com/?id=258063

>>>>>>>>

>>>>>>>> Cheers

>>>>>>>> Ken

>>>>>>>>

>>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>>> news:OZ0DRdU0HHA.1164@TK2MSFTNGP02.phx.gbl...

>>>>>>>>>

>>>>>>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>>>>>>> news:eAdB9DU0HHA.6072@TK2MSFTNGP03.phx.gbl...

>>>>>>>>>>

>>>>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>>>>> news:uPeUx1O0HHA.600@TK2MSFTNGP05.phx.gbl...

>>>>>>>>>>>I will check this out on Monday.

>>>>>>>>>>>

>>>>>>>>>>> But I can authenticate using LAN cable, but not though card.

>>>>>>>>>>>

>>>>>>>>>>

>>>>>>>>>> I missed that piece of info.

>>>>>>>>>> So much fir cliebt settings.

>>>>>>>>>> You are likely dealing with ports disallowed via

>>>>>>>>>> the wireless access points' routing then.

>>>>>>>>>

>>>>>>>>> Its not your normal wireless, its a mobile phone card for a laptop.

>>>>>>>>> You connect though a mobile phone tower

>>>>>>>>> http://www.cnet.com.au/wireless/accessories/0,239028911,339272208,00.htm?feed=rss

>>>>>>>>>

>>>>>>>>> but your point probably still applies.

>>>>>>>>>

>>>>>>>>>

>>>>>>>>>

>>>>>>>>>

>>>>>>>>>>

>>>>>>>>>>> ill get back to you on Monday if you are still around

>>>>>>>>>>>

>>>>>>>>>>> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

>>>>>>>>>>> news:ecbQq5N0HHA.4652@TK2MSFTNGP05.phx.gbl...

>>>>>>>>>>>> Remember that use of integrate authentication behind the scenes

>>>>>>>>>>>> is

>>>>>>>>>>>> not just a matter of whether the website is configured to

>>>>>>>>>>>> negotiate

>>>>>>>>>>>> its use. The browsing client (i.e. IE) must also be configured

>>>>>>>>>>>> to

>>>>>>>>>>>> allow its use (in the Internet Options on the Advanced tab) and

>>>>>>>>>>>> the

>>>>>>>>>>>> site must be recognized as one with which it will attempt is use

>>>>>>>>>>>> (usually that mean recognizing the site as being in the intranet

>>>>>>>>>>>> zone).

>>>>>>>>>>>>

>>>>>>>>>>>> Roger

>>>>>>>>>>>>

>>>>>>>>>>>>

>>>>>>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>>>>>>> news:ehQotZN0HHA.1188@TK2MSFTNGP04.phx.gbl...

>>>>>>>>>>>>> Actually I think I spoke too soon.

>>>>>>>>>>>>>

>>>>>>>>>>>>> we have some laptops that need to connect though PC mobile

>>>>>>>>>>>>> phone cards. for some reason I'm not sure they do not seem to

>>>>>>>>>>>>> want to connect to the web site with intergraded security, I

>>>>>>>>>>>>> think this is what happened last time I choose this

>>>>>>>>>>>>> configuration. I don't have one with me at the moment I would

>>>>>>>>>>>>> have to wait till Monday to find out for sure.

>>>>>>>>>>>>>

>>>>>>>>>>>>> This brings up another question. why wont the laptop's

>>>>>>>>>>>>> authenticate with windows authentication when connecting with

>>>>>>>>>>>>> pc mobile phone cards?

>>>>>>>>>>>>>

>>>>>>>>>>>>> "ThatsIT.net.au" <me@thatsit> wrote in message

>>>>>>>>>>>>> news:OCj%23v$M0HHA.4184@TK2MSFTNGP06.phx.gbl...

>>>>>>>>>>>>>>

>>>>>>>>>>>>>> <jwgoerlich@gmail.com> wrote in message

>>>>>>>>>>>>>> news:1185550174.050237.219340@d30g2000prg.googlegroups.com...

>>>>>>>>>>>>>>> There is no workaround. The automatic login option in IE

>>>>>>>>>>>>>>> works with

>>>>>>>>>>>>>>> integrated authentication only. This is because basic

>>>>>>>>>>>>>>> authentication

>>>>>>>>>>>>>>> exposes the password (at both the network and application

>>>>>>>>>>>>>>> layers).

>>>>>>>>>>>>>>> Prompting the user is meant as an additional security

>>>>>>>>>>>>>>> precaution to

>>>>>>>>>>>>>>> address this exposure.

>>>>>>>>>>>>>>>

>>>>>>>>>>>>>>> Can you enable both integrated and basic authentication on

>>>>>>>>>>>>>>> this

>>>>>>>>>>>>>>> intranet site?

>>>>>>>>>>>>>>>

>>>>>>>>>>>>>>

>>>>>>>>>>>>>>

>>>>>>>>>>>>>> I think i did try that combination before, i will try again,

>>>>>>>>>>>>>>

>>>>>>>>>>>>>> sorry just tried it seems to be working.

>>>>>>>>>>>>>>

>>>>>>>>>>>>>>

>>>>>>>>>>>>>>> Regards,

>>>>>>>>>>>>>>>

>>>>>>>>>>>>>>> J Wolfgang Goerlich

>>>>>>>>>>>>>>>

>>>>>>>>>>>>>>> On Jul 27, 11:07 am, "ThatsIT.net.au" <me@thatsit> wrote:

>>>>>>>>>>>>>>>> I am currently setting up a intranet that will not be

>>>>>>>>>>>>>>>> available from outside

>>>>>>>>>>>>>>>> the network, also a extranet that will be available from

>>>>>>>>>>>>>>>> outside the

>>>>>>>>>>>>>>>> network.

>>>>>>>>>>>>>>>> The extranet has basic authentication and SSL. it passes

>>>>>>>>>>>>>>>> though a ISA 2000

>>>>>>>>>>>>>>>> firewall and for various reasons we need to use basic

>>>>>>>>>>>>>>>> authentication, but as

>>>>>>>>>>>>>>>> it is over SSL it is encrypted so it does not matter that

>>>>>>>>>>>>>>>> basic uses clear

>>>>>>>>>>>>>>>> text.

>>>>>>>>>>>>>>>> Certain pages that need to be accessed from outside I will

>>>>>>>>>>>>>>>> put on the

>>>>>>>>>>>>>>>> extranet but I don't want to have to recreate these pages on

>>>>>>>>>>>>>>>> the intranet

>>>>>>>>>>>>>>>> also so internal users will access these pages from the

>>>>>>>>>>>>>>>> extranet.

>>>>>>>>>>>>>>>> All seems fine but one point. when internal users access the

>>>>>>>>>>>>>>>> extranet they

>>>>>>>>>>>>>>>> are prompted to log in, even though their browsers are set

>>>>>>>>>>>>>>>> to log in

>>>>>>>>>>>>>>>> automatically with current username and password. this is

>>>>>>>>>>>>>>>> annoying to say

>>>>>>>>>>>>>>>> the least.

>>>>>>>>>>>>>>>> Is there any solution?

>>>>>>>>>>>>>>>> Is this normal for basic over SSL to prompt even when set to

>>>>>>>>>>>>>>>> auto login in

>>>>>>>>>>>>>>>> IE?

>>>>>>>>>>>>>>>> any suggestions

>>>>>>>>>>>>>>>

>>>>>>>>>>>>>>>

>>>>>>>>>>>>>>

>>>>>>>>>>>>>>

>>>>>>>>>>>>>

>>>>>>>>>>>>>

>>>>>>>>>>>>

>>>>>>>>>>>>

>>>>>>>>>>>

>>>>>>>>>>>

>>>>>>>>>>

>>>>>>>>>>

>>>>>>>>>

>>>>>>>>>

>>>>>>>>

>>>>>>>

>>>>>>>

>>>>>>

>>>>>

>>>>>

>>>>

>>>

>>>

>>

>>

>

 

 

Ha®®y

 

HarryKrishna.nospam@online.ie

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...