November 17th, 2010, 06:49 AM
Integrated Windows Security bypassed by simply adding domain to IE 8 Local Intranet ?
I have a .NET 2.0 IIS 6 solution at home I thought was secure. Anonymous is off and integrated is on on the web site. The web config has this:
<system.web>
  <authentication mode="Windows"></authentication>
  <authorization>
    <allow users="MYHOMWEBSERVER\MYUSER"/>
    <deny users="*"/>
  </authorization>
</system.web>
My IE 8 client at work is logged into another domain, the user name is the same, but the password is different.
If I add the domain url of my solution to local intranet sites in IE 8 on my client, IE now just lets me right into the site with no challenge/response authentication, even after clearing cache with passwords and rebooting the client ????
I have not tested when authenticated in as another user on my work domain. But how is this possible?
Either IE is trusting same users across domains, or Windows is storing authentication in a way that even clearing cache or rebooting.
If I turn off the local trust entry or attempt to access the site from a non-IE client, challenge response happens and there is no way into the site without authentication into MYHOMWEBSERVER\MYUSER. Also, if I browse the site via IIS console on the server, a challenge is presented.
Very confused and concerned that this is a Microsoft IE feature.
Thanks in advance.
Update: I just changed the user name in the web.config and now it prompts me. I now suspect that entry is trusting any domain with that user name. Why is that? My web server is not under Active Directory and is a VM joined into a workgroup all my home stations are joined into. Might I be trusting my work domain somewhere on the server? Does the workgroup play any role in the web.config?
Update2: A display of my Windows identity says MYSERVER\MYUSERNAME, implying that somehow my client has this authentication stored somewhere? How do I clear that? I tried clearing cache and rebooting. In another test, I created an identical user/pw on another VM on the same workgroup and after adding the local intranet entry in IE it also lets me right in. I change the pw and now I'm prompted, so pw seems to matter, but this does not explain why work can go right in since domain and pw are different, unless authentication memory is stored somewhere that rebooting and clearing cache does not reset.
November 17th, 2010, 02:21 PM
I don't have an answer, sorry. It sounds to me like you're dealing with some IE issue rather than IIS, but that's just a guess. I haven't done much with IIS and intranet-type sites.
The man who doesn't read good books has no advantage over the man who can't read them.