是否可以通过IIS上的HTTP进行身份验证(不使用SSL)?
[英]Can an authentication via HTTP over IIS be encrypted (without SSL)?
问题描述
I'm accustomed to *nix servers and if we wanted a completely secure sign in screen, we (as far as I am aware) are to use SSL via HTTPS. 
我习惯使用* nix服务器,如果我们想要一个完全安全的登录屏幕,我们(据我所知)将通过HTTPS使用SSL。 Our overseeing organization at work use Windows Servers for serving web pages. 我们的工作监督组织使用Windows服务器来提供网页服务。 On one such page they are authenticating network credentials. 在一个这样的页面上,他们正在验证网络凭证。 This page is using HTTP, and what appears to be Basic Auth (a popup dialog) for an SQL Server Report Manager. 此页面使用HTTP,并且似乎是SQL Server报表管理器的Basic Auth(弹出对话框)。
They say Basic is disabled in IIS. 他们说在IIS中禁用Basic。
In my limited experience with IIS at college, I (think I) recall subdomains can override general settings. 由于我在大学时对IIS的经验有限,我(想想我)回忆一下子域名可以覆盖一般设置。 They believe it's using Integrated Windows Authentication. 他们认为它正在使用集成Windows身份验证。
So... 所以...
Is there a way to differentiate between Basic Auth and Integrated Windows Auth when viewing a web-page prompt, and...
有没有办法在查看网页提示时区分Basic Auth和Integrated Windows Auth,以及...... Is it possible to encrypt the communication between computer and server during authentication so that the text being sent is encrypted (without a JS solution)?
是否可以在身份验证期间加密计算机和服务器之间的通信,以便加密发送的文本(没有JS解决方案)?
2 个解决方案
解决方案1
2 已采纳 2010-06-18 19:30:17
Both Basic and Windows Integrated authentication send the credentials unencrypted over the wire. Basic和Windows Integrated身份验证都通过线路发送未加密的凭据。 If the popup login box has the name of the browser in it, and looks like a standard window, it's Basic or Integrated. 如果弹出登录框中包含浏览器的名称,并且看起来像标准窗口,则它是Basic或Integrated。 If the username/password used to gain access is the same as the user's domain account, it's Windows Integrated. 如果用于获取访问权限的用户名/密码与用户的域帐户相同,则为Windows Integrated。 You can confirm either by sniffing the HTTP transmission with Fiddler. 您可以通过使用Fiddler嗅探HTTP传输来确认。
There is no good, practical way to encrypt those credentials in either case without SSL. 在没有SSL的情况下,没有任何好的,实用的方法来加密这些凭证。 Here is a good article on why custom security methods are a bad idea, and SSL is the way to go. 这是一篇很好的文章,关于为什么自定义安全方法是一个坏主意,而SSL是要走的路。
解决方案2
2 2010-06-21 23:21:21
You could also use HTTP Digest authentication , which will encrypt the authentication in the HTTP header (even without SSL). 您还可以使用HTTP摘要式身份验证 ,该身份验证将加密HTTP标头中的身份验证(即使没有SSL)。 This will show a dialog box similar to the one you get with HTTP Basic authentication. 这将显示一个类似于HTTP Basic身份验证的对话框。 There are a couple of downsides: 有几个缺点:
- Most browsers use the same dialog box for Basic and Digest authentication, so as a user, you don't really know which one it's using. 大多数浏览器使用相同的对话框进行基本和摘要式身份验证,因此作为用户,您实际上并不知道它正在使用哪个。
- Only the authentication is encrypted, a Man-In-The-Middle who could intercept and alter the exchange could replace the content of the requests using those credentials. 只有身份验证是加密的,可以拦截和更改交换的Man-In-The-Middle可以使用这些凭据替换请求的内容。
For these reasons, SSL is better (as suggested before). 出于这些原因,SSL更好(如前所述)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.