DOCUMENT:Q281408  27-JAN-2002  [iis]
TITLE    :How to Implement a Single Logon Across Multiple Web Servers
PRODUCT  :Internet Information Server
PROD/VER::4.0,4.01,4.01 SP1,4.01 SP2,5,5.0,5.01,5.01 SP1,5.5,5.5 Service Pack 1
OPER/SYS:
KEYWORDS:

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Internet Information Services version 5.0
 - Microsoft Internet Information Server version 4.0
 - Microsoft Internet Explorer (Programming) versions 4.0, 4.01, 4.01 SP1,
   4.01 SP2, 5, 5.01, 5.01 SP1, 5.5, 5.5 Service Pack 1
-------------------------------------------------------------------------------

SYMPTOMS
========

When you use Basic authentication to password protect content that is running on multiple Web servers, users are forced to authenticate (enter credentials) when they establish a new connection to a Web server.

CAUSE
=====

The HTTP standard for Basic authentication (RFC 2617) specifies that credentials should not be forwarded outside the protection space of the authenticated site. Based on this specification, Internet Explorer does not automatically forward Basic credentials when users establish a connection to a new Web site.

WORKAROUND
==========

NOTE: Basic authentication transmits user credentials (user name and password) across the network in an unencrypted format. For this reason, Microsoft highly recommends that you only use Basic authentication in conjunction with some type of encryption, such as SSL.

Although RFC 2617 dictates that the Web browser should not automatically pass credentials outside the protection space of the authenticated site, it is possible to programmatically persist credentials by forcing the browser to send credentials to a new server.
Forwarding credentials outside the protection space of one authenticated site can be implemented with Microsoft Active Server Pages (ASP) and/or HTML redirects by inserting the credentials in the Request URI (after the protocol and before the host name) using the Common Internet Scheme Syntax of RFC 1738, for example:

   http://username:password@your.website.com

The following examples illustrate how to implement forwarded credentials. To test any of the samples, paste the sample code into a .asp or .htm file on the IIS server.

ASP redirect using the Response.Redirect method:

   <%
   Dim strNewSite, strBasicCreds

   strNewSite = "www.microsoft.com"

   ' AUTH_USER and AUTH_PASSWORD hold the Basic credentials the client
   ' presented for the current request; both are empty for anonymous requests.
   strBasicCreds = Request.ServerVariables("AUTH_USER") & ":" & _
                   Request.ServerVariables("AUTH_PASSWORD")

   If Len(strBasicCreds) = 1 Then   ' don't add credential delimiters
      strBasicCreds = ""            ' if credentials aren't passed
   Else
      strBasicCreds = strBasicCreds & "@"
   End If

   Response.Redirect "http://" & strBasicCreds & strNewSite
   Response.End
   %>

HTML redirect generated with ASP:

   <%
   Dim strNewSite, strBasicCreds

   strNewSite = "www.microsoft.com"

   strBasicCreds = Request.ServerVariables("AUTH_USER") & ":" & _
                   Request.ServerVariables("AUTH_PASSWORD")

   If Len(strBasicCreds) = 1 Then   ' don't add credential delimiters
      strBasicCreds = ""            ' if credentials aren't passed
   Else
      strBasicCreds = strBasicCreds & "@"
   End If

   ' Emit a meta-refresh tag that sends the browser to the new site
   ' (with the credentials in the URL) after a 2 second delay.
   Response.Write "<META HTTP-EQUIV=""Refresh"" CONTENT=""2;URL=http://" & _
                  strBasicCreds & strNewSite & """>"
   %>

NOTE: The 2 contained in the META tag above indicates the number of seconds that the browser displays the downloaded page, prior to redirecting to the new page specified by the URL address.

HTML redirect with hard-coded credentials:

MORE INFORMATION
================

By default, when connecting to Web sites in the Internet zone, Internet Explorer initially attempts to contact a Web server by using Anonymous authentication. If the anonymous user does not have permission to the Web content, and the Web server is configured to use Basic authentication, Internet Information Server responds to the client with an "HTTP 401 Access Denied" message, which includes the following HTTP header:

   WWW-Authenticate: Basic

When the browser receives this HTTP header, it prompts the user for credentials, then re-requests the same page, but this time it includes the Basic authentication credentials provided by the user. If those credentials are authenticated successfully, the requested page is then returned to the browser.

By including the Basic credentials in the initial GET request, Internet Explorer stores the credentials and provides them to the server whenever the server responds with a Basic authentication challenge in that protection space.
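The following Python model of the challenge/response exchange described above is an added example and is not code from the Knowledge Base article. The server function, its user list, the realm name and the host names are all constructed for the illustration. It shows the three behaviours the article relies on: an unauthenticated request is answered with 401 and "WWW-Authenticate: Basic"; the browser re-requests the page with an Authorization header whose value is only Base64-encoded "user:password" (which is why the article insists on SSL); and the browser caches the credentials for the site that accepted them but does not forward them to a different host, so the user is prompted again there.

```python
import base64
from urllib.parse import urlsplit

# Constructed user list for the demo server; not a real account database.
SERVER_USERS = {"alice": "s3cret"}
REALM = "secure-content"


def server_handle(headers):
    """Model of a Web server that protects content with Basic authentication.

    Returns (status, response_headers). Without a valid Authorization header
    the server answers 401 and challenges with "WWW-Authenticate: Basic".
    The same function stands in for every host in the demo, since the point
    being shown is the browser's behaviour, not the server's.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            # Basic credentials are Base64-encoded "user:password", not encrypted.
            user, _, pwd = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        except (ValueError, UnicodeDecodeError):
            user, pwd = None, None
        if user in SERVER_USERS and SERVER_USERS[user] == pwd:
            return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}


class BrowserModel:
    """Models the browser side: credentials entered for one site are cached
    and re-sent to that site, but are never forwarded to a different host."""

    def __init__(self, user, password):
        self.user = user
        self.password = password
        self.cache = {}      # host -> Authorization header value
        self.prompts = 0     # how many times the user had to enter credentials

    def _basic_header(self):
        raw = ("%s:%s" % (self.user, self.password)).encode("latin-1")
        return "Basic " + base64.b64encode(raw).decode("ascii")

    def get(self, url):
        """Fetch url and return the final HTTP status."""
        host = urlsplit(url).hostname
        headers = {}
        if host in self.cache:
            headers["Authorization"] = self.cache[host]   # inside the protection space
        status, resp = server_handle(headers)
        if status == 401 and resp.get("WWW-Authenticate", "").startswith("Basic"):
            self.prompts += 1                             # user is prompted for credentials
            headers["Authorization"] = self._basic_header()
            status, resp = server_handle(headers)         # re-request with credentials
            if status == 200:
                self.cache[host] = headers["Authorization"]
        return status


def demo():
    """Two requests to one site, then one to a second site."""
    browser = BrowserModel("alice", "s3cret")
    first = browser.get("http://server-a.example/private/page1.asp")   # challenge, prompt, 200
    second = browser.get("http://server-a.example/private/page2.asp")  # cached, no prompt
    third = browser.get("http://server-b.example/private/page1.asp")   # new site: prompt again
    return first, second, third, browser.prompts


if __name__ == "__main__":
    print(demo())   # (200, 200, 200, 2)
```

The second prompt in demo() is exactly the symptom this article addresses; the article's workaround pre-seeds the cache for server-b by placing the credentials in the redirect URL, so the browser already holds them when the challenge arrives.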
NOTE: When you request a URL that includes credentials, the credentials are visible to anyone who can see the browser's address bar or view the browser's history. To prevent credentials from being displayed in the address bar or in the browser's history, force the browser to re-request a document on the target server after the browser has authenticated to the new site. To do this, use one of the following methods:

 - After the credentials are passed to the new site with the URL, use the meta-refresh or Response.Redirect method to re-request the same document on the server, but omit the credentials from the URL in the new request.

 - During the redirection to the new server, do not redirect to a specific file. Instead, redirect to the root of that site or to a virtual directory on the new site, and omit the trailing slash from the URL (for example, redirect to http://www.microsoft.com rather than http://www.microsoft.com/). Omitting the trailing slash causes IIS to send a courtesy redirect (to ensure that the client requests properly formed URLs) that informs the client that it should re-request the page that was initially requested, with the trailing slash added to the end.

Both of these methods accomplish the same task, which is to force the client to connect to the new server without including the credentials in the URL. It is not necessary to include the credentials after the initial connection, because Internet Explorer caches the credentials for the new site after it has successfully authenticated and provides the Basic authentication credentials automatically on subsequent connections to that site while that browser instance remains open.
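Credentials placed in a URL also end up wherever URLs are recorded: Web server and proxy logs, Referer headers, and browser history. The following Python script is an added example, not part of the Knowledge Base article, that shows how a defender can find and strip the "user:password@" component from URLs in log text. The log lines are constructed for the illustration (W3C-style fields: date, time, client IP, method, URI, status); the second line mirrors the article's "redirect to the root without a trailing slash" technique and the third line is the client's courtesy-redirect re-request that carries no credentials.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches an absolute http(s) URL inside a log line (stops at whitespace or a quote).
URL_RE = re.compile(r"https?://[^\s\"']+")

# Constructed sample log lines; not real traffic.
SAMPLE_LOG = """\
2002-01-27 10:00:01 10.0.0.5 GET http://www.example.com/default.asp 200
2002-01-27 10:00:02 10.0.0.5 GET http://alice:s3cret@www.example.com 302
2002-01-27 10:00:03 10.0.0.5 GET http://www.example.com/ 200
2002-01-27 10:00:04 10.0.0.7 GET http://bob:pa55@www.example.com:8080/app/?x=1 200
"""


def redact_userinfo(url):
    """Return (url_without_userinfo, had_userinfo).

    The userinfo part is everything in the authority before the last '@'
    (the RFC 1738 "user:password@host" form used by the redirect samples
    in this article). Host, port, path, query and fragment are preserved.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url, False
    host_port = parts.netloc.rsplit("@", 1)[1]
    clean = urlunsplit((parts.scheme, host_port, parts.path, parts.query, parts.fragment))
    return clean, True


def scan_log(text):
    """Scan log text for URLs that embed credentials.

    Returns (findings, sanitized_text): findings is a list of
    (line_number, redacted_url) for every URL that carried userinfo, and
    sanitized_text is the same log with every userinfo component removed,
    so that copy can be retained or forwarded without leaking passwords.
    """
    findings = []
    sanitized_lines = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        def _replace(match, lineno=lineno):
            clean, had = redact_userinfo(match.group(0))
            if had:
                findings.append((lineno, clean))
            return clean
        sanitized_lines.append(URL_RE.sub(_replace, line))
    return findings, "\n".join(sanitized_lines) + "\n"


if __name__ == "__main__":
    found, cleaned = scan_log(SAMPLE_LOG)
    for lineno, url in found:
        print("line %d: credentials embedded in %s" % (lineno, url))
    print(cleaned)
```

Running the scanner over a server's own logs after deploying the workaround is a quick check that the "re-request without credentials" step is actually working: a correctly configured flow leaves at most one credential-bearing request per session, and the sanitized copy is what should be kept.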
For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

   Q195192 Clear Logon Credentials to Force Reauthentication
   Q239546 You Are Prompted for Username and Password When Redirected
   Q231453 Internet Explorer 5.0 Fails to Pass Session Variables to IIS
   Q264921 INFO: How IIS Authenticates Browser Clients

The Requests for Comments (RFCs) mentioned in this article are available from the following Web sites:

   RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1
   RFC 2617: HTTP Authentication: Basic and Digest Access Authentication
   RFC 1738: Uniform Resource Locators (URL)

For additional information about how to configure SSL on Windows 2000, click the article number below to view the article in the Microsoft Knowledge Base:

   Q228836 Installing a New Certificate for Use in SSL/TLS

For additional information about how to configure SSL with the Windows NT 4.0 Option Pack, click the article number below to view the article in the Microsoft Knowledge Base:

   Q228991 How to Create and Install an SSL Certificate in IIS 4.0

Additional query words:

======================================================================
Keywords      :
Technology    : kbiisSearch kbIEsearch kbAudDeveloper kbSDKIESearch kbiis500 kbiis400 kbIE500Search kbSDKIE400 kbSDKIE401 kbSDKIE401SP1 kbSDKIE401SP2 kbSDKIE501SP1 kbSDKIE550SP1 kbSDKIE500 kbSDKIE501 kbSDKIE550 kbIE550Search
Version       : :4.0,4.01,4.01 SP1,4.01 SP2,5,5.0,5.01,5.01 SP1,5.5,5.5 Service Pack 1
Issue type    : kbprb
Solution Type : kbpending

=============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 2002.