For this to work, you need two things. First, all computers involved must be within the same authentication mechanism. Typically, this is a Windows domain. Second, the web server has to be configured to require the user's Windows credentials, and the user has to be using a browser that is configured to automatically send those credentials. None of this really has to do with CF, actually.
In IIS, you'd need to enable Windows authentication for the files in question. This can either use NTLM or Kerberos authentication, and can actually be configured to use both (Kerberos as a primary, and NTLM as a fallback). You'll also need to disable anonymous authentication, which is enabled by default. On the user's machine, the browser he or she uses must be configured to automatically send NTLM or Kerberos authentication credentials. IE does this automatically. I think Chrome does too, actually. Firefox must be configured to do this. I can provide information on that if you want it.
Once this is configured, the web server will send back a challenge, and the browser will send a response containing the username and a hash of the password in the case of NTLM, or a Kerberos ticket in the case of Kerberos. There's actually a lot more going on with Kerberos that I'll omit here, as this is all we really need to know for now. In either case, the web server will forward the information to your Active Directory server, which will validate it. If it's validated, you'll get a value for CGI.AUTH_USER and/or CGI.REMOTE_USER, I forget which. You won't receive the password, because the password is never actually sent from one machine to another.
Dave Watts, CTO, Fig Leaf Software
3
Replies
AdChoices