
For both the Forms/SSL and Browser based authentication mechanisms, it is important that the user trusts the web site they are logging into. For example, just because you use an SSL encrypted form to send your username and password to a remote web site doesn't mean that your password is safe. If the programmer who created the remote web site is inexperienced in security issues, they could easily do something to compromise your password without intending to do so. Because security is so important and so easy for a programmer to get wrong, the Department of Energy requires SLAC to not allow programmers to ever ask a user for their username and password unless they obtain special permission from the lab.

IWA is an example of Browser Based Authentication since it is a feature that must be built into the browser. As with Forms/SSL, the user must trust the web site they are sending their credentials to. Since http://glast-ground.slac.stanford.edu/ is an official GLAST web site that has been vetted by SLAC Computing Services (SCS), GLAST users can trust that it is safe and secure to provide their SLAC credentials to the web site. In the dialog boxes above, the visual cue that it is safe for the user to enter their username and password into the dialog box is the HTTP address shown in the dialog box: it makes clear to the user that they are connecting to the web site http://glast-ground.slac.stanford.edu/.

While SSL visual cues are convenient, they don't remove the user's responsibility to trust the web server they are sending their credentials to.



The Windows web server called Internet Information Services version 6 (hereafter referred to as IIS) has the ability to authenticate users using something called Integrated Windows Authentication (hereafter called IWA, formerly called NTLM in previous versions of IIS). IWA is a secure method for users to prove to an IIS web server that they are who they say they are.

Although SSL is widely used to allow users to securely log into a web site, it is not the only method that modern browsers support. Web browsers such as Internet Explorer and Firefox 1.0 include support for IWA.


Under the Covers of IWA

For those of you interested in the details of IWA, I'll walk you through the HTTP headers of a web browser connecting to http://glast-ground.slac.stanford.edu/ so that you can see how the cryptographic exchange works.
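The header exchange this section sets out to walk through, as an added example that is not part of the original page: a small Python script that models the NTLM messages a browser and IIS trade (the 401 offering NTLM, the client's Type 1, the server's Type 2 carrying an 8-byte challenge, the client's Type 3 response) and, for contrast with the earlier warning about sending a password through a web form, a Basic login in which the password itself travels in the Authorization header. All messages below are constructed, including the challenge value, the "alice" account and the second host name; the NTLMSSP layout the script decodes (8-byte signature, little-endian message type at offset 8, server challenge at offset 24 of a Type 2 message) is the standard one.

```python
import base64
import binascii
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPE_NAMES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def build_ntlm_message(msg_type, body=b""):
    """Assemble a minimal NTLMSSP blob: 8-byte signature, 4-byte little-endian type, body."""
    return NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + body


def parse_ntlm_token(token):
    """Decode a base64 NTLM token; return (message type, raw bytes) or None if not NTLMSSP."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (ValueError, binascii.Error):
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIGNATURE):
        return None
    return struct.unpack_from("<I", raw, 8)[0], raw


def server_challenge(raw):
    """The 8-byte server nonce sits at offset 24 of a Type 2 message (after target-name fields and flags)."""
    return raw[24:32]


def _b64(blob):
    return base64.b64encode(blob).decode("ascii")


# Constructed NTLM exchange (not a capture from the real server). The Type 2 body is
# 8 bytes of target-name fields, 4 bytes of negotiate flags, then the 8-byte challenge.
CONSTRUCTED_CHALLENGE = bytes.fromhex("0123456789abcdef")
_TYPE1 = build_ntlm_message(1, struct.pack("<I", 0x00000201))
_TYPE2 = build_ntlm_message(2, b"\x00" * 8 + struct.pack("<I", 0x00000201) + CONSTRUCTED_CHALLENGE)
_TYPE3 = build_ntlm_message(3, b"\x00" * 52)  # a real Type 3 carries challenge responses, never the password

IWA_EXCHANGE = [
    ("client", "GET / HTTP/1.1", {"Host": "glast-ground.slac.stanford.edu"}),
    ("server", "HTTP/1.1 401 Unauthorized", {"WWW-Authenticate": "NTLM"}),
    ("client", "GET / HTTP/1.1", {"Authorization": "NTLM " + _b64(_TYPE1)}),
    ("server", "HTTP/1.1 401 Unauthorized", {"WWW-Authenticate": "NTLM " + _b64(_TYPE2)}),
    ("client", "GET / HTTP/1.1", {"Authorization": "NTLM " + _b64(_TYPE3)}),
    ("server", "HTTP/1.1 200 OK", {}),
]

# Constructed contrast: a Basic login over plain HTTP, the situation the page warns about.
BASIC_EXCHANGE = [
    ("client", "GET / HTTP/1.1", {"Host": "example.invalid"}),
    ("server", "HTTP/1.1 401 Unauthorized", {"WWW-Authenticate": 'Basic realm="site"'}),
    ("client", "GET / HTTP/1.1", {"Authorization": "Basic " + _b64(b"alice:hunter2")}),
    ("server", "HTTP/1.1 200 OK", {}),
]


def walk_exchange(exchange):
    """Summarise each HTTP message of the handshake as (side, description)."""
    steps = []
    for side, start_line, headers in exchange:
        auth = headers.get("Authorization") or headers.get("WWW-Authenticate")
        if auth is None:
            steps.append((side, start_line))
            continue
        scheme, _, token = auth.partition(" ")
        if scheme.upper() != "NTLM":
            steps.append((side, f"{scheme} scheme"))
        elif not token:
            steps.append((side, "offers NTLM"))
        elif (parsed := parse_ntlm_token(token)) is None:
            steps.append((side, "malformed NTLM token"))
        else:
            msg_type, raw = parsed
            summary = f"NTLM type {msg_type} ({NTLM_TYPE_NAMES.get(msg_type, 'unknown')})"
            if msg_type == 2:
                summary += f", challenge {server_challenge(raw).hex()}"
            steps.append((side, summary))
    return steps


def ntlm_message_types(exchange):
    """Sequence of NTLM message types seen; a complete handshake yields [1, 2, 3]."""
    types = []
    for _, _, headers in exchange:
        auth = headers.get("Authorization") or headers.get("WWW-Authenticate") or ""
        scheme, _, token = auth.partition(" ")
        if scheme.upper() == "NTLM" and token and (parsed := parse_ntlm_token(token)):
            types.append(parsed[0])
    return types


def cleartext_usernames(exchange):
    """Usernames whose password crossed the wire in a Basic Authorization header."""
    found = []
    for _, _, headers in exchange:
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() == "basic":
            user, _, _password = base64.b64decode(token).decode("utf-8", "replace").partition(":")
            found.append(user)
    return found


if __name__ == "__main__":
    for side, summary in walk_exchange(IWA_EXCHANGE):
        print(f"{side:>6}: {summary}")
    print("NTLM password on the wire:", bool(cleartext_usernames(IWA_EXCHANGE)))
    print("Basic password on the wire:", bool(cleartext_usernames(BASIC_EXCHANGE)))
```

Running the script prints the six-step NTLM walk, with the server's challenge shown at the Type 2 step, and reports that only the Basic exchange exposes a password. The same three functions can be pointed at headers pulled from a proxy or server log to confirm that a site advertises NTLM rather than Basic and that a handshake completed with all three message types.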