[4582] in WWW Security List Archive
RE: MS-IIS/IE Alternative to Basic Auth?
daemon@ATHENA.MIT.EDU (Lester Waters)
Tue Feb 25 11:45:08 1997
From: Lester Waters <lesterw@microsoft.com>
To: "'www-security@ns2.rutgers.edu'" <www-security@ns2.rutgers.edu>
Date: Mon, 24 Feb 1997 12:07:08 -0800
Errors-To: owner-www-security@ns2.rutgers.edu
Not true. The first recognized authentication method is chsen by the
browser. If authentication fails, the browser will keep retrying until
the user hits cancel or if (with NTLM) the current login credentials
fail.
> -----Original Message-----
> From: Someone [SMTP:somewhere.com!someone@telecnnct.com]
> Sent: Monday, February 24, 1997 7:44 AM
> To: David W. Morris
> Cc: www-security@ns2.rutgers.edu
> Subject: Re: MS-IIS/IE Alternative to Basic Auth?
>
> David W. Morris wrote:
> >
> > I just fininshed a two day seminar relating to IIS in which a
> generally
> > knowledgable instructor asserted that IIS 3.0 on NT 4.0 would first
> > attempt to authenticate a user via Win/NT Challenge/Response
> > authentication and only if that was rejected, use Basic
> Authentication.
> >
> > 1) Can anyone confirm this and if so identify some documentation on
> the
> > scope of applicability ... that is, in what situations will this
> > apply?
> >
> > 2) Assuming confirmed, is there more documentation on the precise
> > protocols such that servers other than MS IIS might use the same
> > approach?
> >
> > Thanks,
> >
> > Dave Morris
>
> I'd be interested in knowing why this appears to be limited to NT.
>
