Earlier this month I was lucky enough to attend the 2009 Microsoft MVP summit in Seattle. The bulk of the summit consisted of two days of sessions with our product teams (I popped across to some Directory Services sessions as well), and a one day executive Read More...
Looks like I'm a Microsoft MVP for another year. Yay! From: ...@mvpaward.com Sent: Sunday, 1 October 2006 9:37 PM To: Ken Schaefer Subject: [MVP] Congratulations! You have received the Microsoft MVP Award Dear Ken Schaefer, Congratulations! We are Read More...
It's been a quiet month blog wise, but very busy otherwise. On August 25-28th I was at Tech.Ed Australia 2006 presenting two sessions on IIS (Everything web administrator needs to know about MOM 2005 and IIS 7.0 An End to End Overview). In mid-August, Read More...

Registration for Tech.Ed Australia 2005 is open. Register before 30th June for $400 off the regular delegate's fee. For those who'll be attending and reading this (all two of you!), I'm currently scheduled to be presenting a session on IIS Troubleshooting and Debugging, including coverage of the upcoming IIS Debug Diagnostics tool which is currently in beta.

My colleague Chewy Chong will be presenting a session on Microsoft Identity Integration Server.


When using HTTP based authentication (e.g. Basic, NTLM, Digest, Kerberos), Internet Explorer (IE) will continue sending the same credentials for each subsequent request to the server until one of two things happens: either (a) the user closes their browser or (b) the server refuses the credentials with a 401 status code. This behaviour is described (about 1/3 of the way down, under Notes) in KB 264921.

A common request I see is how a programmer can force a user to reauthenticate after a certain period, particularly after a period of inactivity. This might address a situation where a user has accidentally left their machine unlocked and their browser window open, or where an application-based session has expired and the programmer wants to simultaneously force the user to reauthenticate.

In the past I would have recommended one of three strategies:

  • Programmatically send a 401 HTTP status to the client (e.g. Response.Status = 401)
  • Redirect a user to http://fakeuser:wrongpassword@www.yoursite.com (this doesn't work with patched IE6 anymore). Since fakeuser/wrongpassword isn't a valid Windows account, the user will be prompted to enter valid credentials
  • Use the client-side ActiveX control described in KB 195192

With the exception of the first option (setting the Response.Status), the methods are mostly ugly hacks IMHO.

Now we have a new way of clearing the IE authentication cache. Beginning with IE6 SP1, the following piece of JavaScript code will clear IE's credentials cache. Note that this will clear the credentials cache for the entire iexplore.exe process, so users will be forced to re-authenticate to any site being accessed by that process (in case they have multiple windows open pointing to multiple websites):

// Clear current credentials
// Requires IE6 SP1 or later
// The command name must be passed as a string
document.execCommand("ClearAuthenticationCache", false);

More information can be found in MSDN: ClearAuthenticationCache and execCommand
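
The inactivity scenario described above, as an added example that is not code from the original post: an idle watcher that tries ClearAuthenticationCache and, where the browser does not report success, falls back to a server page that sends the 401 programmatically. The timeout value, both URLs and the function names are hypothetical.

```javascript
// Added example; IDLE_MS and both URLs are assumed, hypothetical values.
var IDLE_MS = 15 * 60 * 1000;

// Returns true only when the browser reports the cache was cleared.
function clearAuthCache(doc) {
  if (!doc || typeof doc.execCommand !== "function") return false;
  try {
    // IE6 SP1 or later; affects every site open in the same iexplore.exe process.
    return doc.execCommand("ClearAuthenticationCache", false) === true;
  } catch (e) {
    return false; // browsers that do not know the command
  }
}

// opts: { doc, now(), navigate(url), idleMs, reauthUrl, fallbackUrl }
function createIdleWatcher(opts) {
  var lastActivity = opts.now();
  return {
    touch: function () { lastActivity = opts.now(); },
    check: function () {
      if (opts.now() - lastActivity < opts.idleMs) return "active";
      if (clearAuthCache(opts.doc)) {
        opts.navigate(opts.reauthUrl);   // request goes out without cached credentials
        return "cache-cleared";
      }
      opts.navigate(opts.fallbackUrl);   // page that programmatically sends a 401
      return "server-401";
    }
  };
}

// Browser wiring; skipped when no DOM is present.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  var watcher = createIdleWatcher({
    doc: document,
    now: function () { return new Date().getTime(); },
    navigate: function (url) { window.location.href = url; },
    idleMs: IDLE_MS,
    reauthUrl: "/app/default.asp",      // hypothetical
    fallbackUrl: "/app/force401.asp"    // hypothetical
  });
  document.onmousemove = document.onkeydown = watcher.touch;
  window.setInterval(watcher.check, 30 * 1000);
}
```

Checking the return value matters because the command is IE-specific: a browser that ignores it would otherwise keep sending the cached credentials while the page behaves as if the user had been logged out.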
