Posted on March 6, 2011, 1:36 pm
This is not a FBA (forms based authentication) setup where a web page
asks the user to login. The root directory and some others are
configured for anonymous login. Some directories are secured in that
they are configured for non-anonymous login.
Right now I'm using "Basic authentication" mode because it is quick.
I'm also forcing HTTPS on those pages to protect the login credentials
(Basic sends in clear text so SSL is needed to encrypt the
authentication). I was using "Integrated Windows authentication" but
periodically there would be a 15-second delay after entering the login
credentials before the next page would start to load. Apparently the
"Negotiate;NTLM" mode for Integrated authentication is spending way too
much time trying to determine if Kerberos could be used (which it can't
since this web server is not in a domain). Maybe it's after the default
20 minute session timeout but I haven't bothered to measure just when
the lag reappears. Once the lag occurs, subsequent logins are very
quick. I don't want users to sporadically have to wait around 15
seconds wondering why the web browser seems unresponsive and sitting
there with a spinning indicator.
Basic auth is okay since SSL is also used for the connection. I haven't
bothered trying to enable both Basic and Integrated authentication on
the secured directories as it just seems to be contradictory or
superfluous. If both are enabled, are they applied in basic +
(negotiate;NTLM) order? If so, seems it would always be Basic auth
mode. If they were applied in reverse order, I'd suspect to get nailed
again with the 15-second delay after entering the login credentials
before the next page got loaded okay.
What I notice is the login prompt that appears when the user is
requested to enter their login credentials when they navigate to one of
the secured directories in the web server.
For Internet Explorer 7:
Connect to <mydomain>
The server <mydomain> requires a username and password.
Remember my password
For Firefox 3.6:
A username and password are being requested by https://<mydomain>. The
I'm wondering if there is any means of customizing these messages. Most
of it is okay except I'd like to add a comment as to which project
site/directory that is requesting the login credentials. The page where
they see the prompt is a selector page and hasn't yet unloaded by the
time it does via window.location.replace() to load the secured page.
The login appears simply because the secured page got accessed (as it is
configured by IIS5 to require non-anonymous login) and nothing on that
page has yet even loaded. It's the web server issuing the prompt before
allowing access to anything under the non-anonymous directory.
The "The site says: <something>" seems like a good place to add a
comment to the user telling them which project site they need to
enter their login credentials for. Right now it just mentions the web site
which they already know (although this does provide some assurance that
they are still going there to do the login). I'd just like to add some
more info. For IE7, it doesn't even have the "The site says:" string
and I don't know if anything of its login prompt is customizable.
The selector page from where they start already tells them where they
are going depending on what they select. I'd just like the popup login
prompt for the Basic (or Integrated) Windows authentication to add a
reminder of what they just selected (without having yet another alert()
popup they have to close before getting the login prompt).
I've been digging around the IIS management applet
(%systemroot%\system32\inetsrv\iis.msc) but haven't found anything that
looks like a string that I can modify in this Windows login prompt
popup. It's not like a server-side include is going to modify the
contents of this popup, either.
I suppose I could expend the time to write more code to do the
equivalent of the Windows login prompt but it seems a waste of time to
duplicate what's already available simply by configuring a directory to
be non-anonymous (i.e., requires either Basic or Integrated Windows
authentication). Since it's already available, no one was really
interested in coding up an FBA scheme.
I've done the Googling already but it seems most folks asking about this
popup seem to think it's malware or spyware trying to connect somewhere;
however, they do mention different phrases for the "The site says:"
value which made me think that I could specify what to put there.

Re: How to customize Windows login prompt from web browser for non-anonymous connect?

Argh! About 6 more Google hits later I came across something that led
me to the answer (not directly but made me curious).
- Open the IIS management applet (iis.msc).
- Drill down the tree to select the secured folder (requires login):
- Right-click on directory node and select Properties.
- Under the Directory Security tab:
  * Configured as secured directory:
    o "Anonymous login" = disabled.
    o "Basic authentication" = enabled.
  * Under "Basic authentication":
    o Domain: (leave blank - use domain of host)
    o Realm: (THIS IS WHERE YOU CUSTOMIZE THE PROMPT)
Right there in front of my face when I was looking at the authentication
configuration of the directory. Just didn't know what the Domain and
Realm were for. Help was of no help.
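
Added example, not part of the original posts: the Realm setting reaches the browser as the `realm` parameter of the `WWW-Authenticate: Basic` header on the server's 401 response, so a configuration can be checked from those headers alone. The sketch below parses them (assuming one challenge per header line) and flags Basic offered without HTTPS or a realm that only repeats the host name; the function names, host names and realm text are made up for illustration.

```python
import re
from urllib.parse import urlsplit

# name=value pairs inside a challenge; the value is a quoted-string or a bare token
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')

def parse_challenge(header_value):
    """Split one WWW-Authenticate header value into (scheme, params)."""
    scheme, _, rest = header_value.strip().partition(" ")
    params = {}
    if scheme.lower() in ("negotiate", "ntlm"):
        return scheme, params          # these carry an opaque token, not name=value pairs
    for name, quoted, bare in _PARAM.findall(rest):
        params[name.lower()] = bare if bare else re.sub(r"\\(.)", r"\1", quoted)
    return scheme, params

def audit_401(url, www_authenticate_headers):
    """Summarize the challenges of a 401 response and flag weak Basic setups."""
    schemes, realm, findings = [], None, []
    for value in www_authenticate_headers:
        scheme, params = parse_challenge(value)
        schemes.append(scheme)
        if scheme.lower() == "basic":
            realm = params.get("realm", "")
    if realm is not None:              # Basic is on offer
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            findings.append("Basic offered without HTTPS: password is only base64-encoded")
        if realm.strip().lower() in ("", (parts.hostname or "").lower()):
            findings.append("realm is empty or just the host name: prompt adds no context")
    return {"schemes": schemes, "realm": realm, "findings": findings}

# Constructed sample responses (host names and realm text are made up).
SAMPLE_HTTPS = ("https://projects.example.test/alpha/",
                ['Basic realm="Project Alpha document library"'])
SAMPLE_HTTP = ("http://projects.example.test/beta/",
               ["Negotiate", "NTLM", 'Basic realm="projects.example.test"'])

if __name__ == "__main__":
    for url, headers in (SAMPLE_HTTPS, SAMPLE_HTTP):
        print(url, audit_401(url, headers))
```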