ken (Posts: 58) - 09/24/2008 2:28 PM

Hi,
Actually, with NTLM you don't provide your credentials with each request. (Basic and Digest you do). When using NTLM, the server "authenticates" the underlying HTTP connection, and no further credentials need to be sent.
You will go through the NTLM handshake process again when you make an HTTP POST (assuming you are using IE), but that's a browser initiated thing, not something that is controlled by IE.
In response to the OP: one of the benefits of FBA is the ability to "time out" an inactive session (the cookie expires). You can't do that with HTTP based authentication, because typically the browser resends the credentials with the next request. IE v6 SP1 and newer do now expose a function that can be invoked via JavaScript to clear the browser's in-memory credential cache and effectively time out a session. Other browsers don't offer this functionality AFAIK.
Cheers Ken
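An added example (my code, not anything from the thread, from Exchange/OWA or from HttpClient) contrasting the two models Ken describes: with Basic the credential rides in every request and the server has nothing to expire, while with form-based auth the server holds a session table keyed by the cookie and can enforce an idle timeout itself. The header format is RFC 2617 Basic; the timeout value and the session store are constructed for illustration.

```python
# Added example (not from the thread): the two models Ken contrasts above.
# HTTP-layer auth (Basic): the browser resends Authorization on every request,
# so the server has nothing to expire and the password is in every header.
# Form-based auth: the server issues a session token in a cookie and enforces
# an idle timeout itself, whatever the client keeps resending.
import base64
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dropped (constructed value)


def credentials_from_basic(header: str) -> tuple:
    """A Basic header is base64, not encryption: the password comes straight back."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


class SessionStore:
    """Server-side session table with a sliding idle timeout (the FBA model)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so the timeout can be tested
        self._sessions = {}          # token -> (user, last_seen)

    def login(self, user: str) -> str:
        """Called once after the form POST succeeds; returns the cookie value."""
        token = secrets.token_urlsafe(32)   # unguessable: the cookie is now the credential
        self._sessions[token] = (user, self._clock())
        return token

    def user_for(self, token: str):
        """Resolve a presented cookie; None means the client must log in again."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        if self._clock() - last_seen > IDLE_TIMEOUT:
            del self._sessions[token]       # idle too long: forced re-authentication
            return None
        self._sessions[token] = (user, self._clock())  # sliding window on activity
        return user

    def logout(self, token: str) -> None:
        """Explicit logout is possible here; with Basic/NTLM the browser keeps the creds."""
        self._sessions.pop(token, None)
```

The session cookie replaces the password as the bearer credential, which is why the login form and the whole session should stay on TLS.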
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Roelf Zomerman
Sent: Wednesday, 17 September 2008 11:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Form Based Authentication for MS Exchange 2003. Benefits
Yes it is I think .. and this is why (I think)
When you use NTLM, with every request you make to the webserver you provide your hash created from the NTLM challenge/response. When you use FBA, the server requests credentials only once for your session and you use a cookie for the session.
(based on: http://mail-archives.apache.org/mod_mbox/hc-dev/200612.mbox/%3C20061217101139.26132.1848@ajax.apache.org%3E)
+ === Form Based Authentication === + + The form based authentication technique operates on the application layer. + When using a browser, username and password have to be entered + in an HTML form. They will be sent to the server only once. + After successful authentication, the server remembers that this + client is authenticated and will not ask for the password again + during that session. Session tracking often requires a cookie. + [[BR]] + >From the HttpClient perspective, submitting a form for client + authentication is no different from submitting a form for a + search query or any other purpose. + Instructions on how to support session tracking and simulate + form submission are available in the + [wiki:Self:ForAbsoluteBeginners Client HTTP Programming Guide]. + + Form based authentication is more secure than basic authentication. + Although it also transmits the password in plain text, it does so + only once and not with every request. Still, when used over the + internet, from based authentication should use a secure TLS/SSL + connection at least for the login procedure. Afterwards, the session + can be continued over plain connections, as the password is not + sent again.
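Review bot: typo in the last paragraph of this section, "from based authentication should use a secure TLS/SSL connection" should read "form based authentication". The closing sentence ("the session can be continued over plain connections, as the password is not sent again") also understates the risk: the session-tracking cookie introduced earlier in the same section becomes the credential from the login onward and is then sent in clear on every request, where it can be captured and replayed. Suggest recommending TLS for the whole session, or at least stating that the cookie now needs the same protection as the password.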
=== Basic, Digest, NTLM Authentication ===
+
+ These authentication techniques operate on the HTTP layer and are
+ supported to some degree by HttpClient.
+ Basic and Digest authentication are specified in
+ [http://www.ietf.org/rfc/rfc2617.txt RFC 2617].
+ Both are fully supported by !HttpClient.
+ A browser will typically pop up an authentication dialog asking
+ for the password to a specific server. The password will be asked
+ only once for each session. If NTLM authentication is used and
+ the password is the same as the Windows password, there may be
+ no authentication dialog at all (single sign-on, SSO).
+
+ Basic authentication is considered insecure because it sends the
+ user password in plain text (unprotected) with each request.
+ That is only acceptable to some degree in intranets or when using
+ TLS/SSL secure connections (HTTPS). It is generally not acceptable
+ when using insecure connections over the internet.
+ [[BR]]
+ Digest authentication is more secure than basic authentication
+ because the password itself is not sent to the server. Instead,
+ a hash of the password is created and sent. Digest authentication
+ is rarely used, since in order to verify the hash, the server
+ needs to know the user password in plain text. User repositories
+ will typically not store passwords in plain text, but rather
+ hashes of the password. Therefore, digest authentication can
+ not be performed using such repositories. Storing passwords in
+ plain text on the server backend systems introduces a weak spot
+ into the server side architecture.
+ [[BR]]
+ NTLM authentication comes in several varieties, all of which are
+ proprietary authentication protocols by Microsoft. !HttpClient
+ partially supports NTLM authentication, as explained in the
+ [wiki:Self:FrequentlyAskedNTLMQuestions NTLM FAQ].
+ The older versions, or lower levels, of NTLM authentication suffer
+ from the same weakness as Basic authentication. The newer versions
+ rectify this, but the protocols are not publicly documented. + There are no open source implementations of the newer versions
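Review bot: the Digest paragraph is imprecise in two places. "A hash of the password is created and sent" should say that the client sends a hash over the password combined with the server's nonce and request data, since that nonce binding is what makes the scheme resist replay; and "the server needs to know the user password in plain text" should be qualified, because RFC 2617 (cited at the top of this section) allows the server to store the precomputed username:realm:password hash instead of the clear-text password. Suggest rewording so the stated reason for Digest being rarely used is that repositories must hold that Digest-specific hash rather than a clear-text password. In the NTLM paragraph, the last two sentences run together ("not publicly documented. + There are no open source implementations") and should be split onto separate lines.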
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ramon Linan
Sent: Wednesday, September 17, 2008 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Form Based Authentication for MS Exchange 2003. Benefits
I am confused, guys. Is OWA with FBA and SSL more secure than "the other" or not?
Ramon
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Wednesday, September 17, 2008 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Form Based Authentication for MS Exchange 2003. Benefits
When are you forced to send creds unencrypted when you don't use FBA? First time I've heard this one...
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Roelf Zomerman
Sent: Wednesday, September 17, 2008 8:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Form Based Authentication for MS Exchange 2003. Benefits
The point is that the FBA is already within an SSL connection.. so user/pass that is sent is already encrypted with the SSL certificate.. if you do not use FBA you give your username/password over an unencrypted connection before OWA starts the SSL session.. although if you do not use basic authentication, the encryption method for user/pass over the connection is pretty easy to hack.. basically.. FBA is safer because you encrypt ALL data sent over the line before a user has even authenticated..
Roelf
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ramon Linan
Sent: Wednesday, September 17, 2008 3:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Form Based Authentication for MS Exchange 2003. Benefits
I have always been using FBA with OWA for "security" reasons; I was always advised to do that by the Exchange gurus. Can someone be more specific about how FBA is more secure than the default authentication, other than not letting the user remember the password?
Or point me to a url with the info?
Thanks in advance.
Ramon