
If I have an ASP.net web app set up to use windows authentication only on IIS, does it follow that any authenticated user should have connected from a machine that's joined to the domain?

Does it make any difference if NTLM or Kerberos is being used?

  • If the web app is open to internet then no. – Purefan Jan 30 '17 at 13:48
  • @Purefan can you expand on why - e.g. is it because it's easy to construct or spoof the NTLM or Kerberos tokens that IIS would be using to log the user on? –  Jan 30 '17 at 13:49
  • A logging system does not segregate based on network, that separation of access happens at network level, think firewall. Without promoting VLANs as a means for security this answer explains the idea I want to convey http://security.stackexchange.com/a/51898/10439 – Purefan Jan 30 '17 at 14:49
  • If you try to access a Windows authenticated web server that's not in your domain, you can be prompted for credentials. If you have credentials for the other domain, you can use them, and they will (usually) work. I think this only works for NTLM not Kerberos, but I'm not sure. – paj28 Jan 30 '17 at 17:36
  • @paj28 I thought that was only the case if you also had basic auth enabled? –  Jan 30 '17 at 17:38
  • @topomorto - I thought not. At this point, I think the only way to get a definitive answer is to do some testing yourself. – paj28 Jan 31 '17 at 11:01

0 Answers
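The NTLM-versus-Kerberos question raised in the comments can be checked from the traffic IIS actually receives rather than guessed at. The following is an added example, not code from the question, from IIS or from any project it mentions: the sample Authorization headers are constructed inline, and a Negotiate header is decoded to see whether it carries an NTLM message or a SPNEGO/Kerberos token, because the scheme word alone does not tell you which one was used.

```python
import base64
import binascii
import struct

# DER encodings of the GSS mechanism OIDs (RFC 4178 for SPNEGO, RFC 4121 for Kerberos).
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_SIGNATURE = b"NTLMSSP\x00"


def classify_authorization(header: str) -> str:
    """Report which mechanism an HTTP Authorization header actually carries.

    'Negotiate' can wrap either Kerberos (via SPNEGO) or NTLM, so the decoded
    token is inspected instead of trusting the scheme name.
    """
    scheme, _, token_b64 = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme not in ("ntlm", "negotiate"):
        return "other"
    try:
        token = base64.b64decode(token_b64, validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if token.startswith(NTLM_SIGNATURE) and len(token) >= 12:
        # Bytes 8..12 hold the NTLM message type: 1 negotiate, 2 challenge, 3 authenticate.
        msg_type = struct.unpack_from("<I", token, 8)[0]
        return f"ntlm-type{msg_type}"
    if token[:1] == b"\x60":  # GSS-API InitialContextToken, [APPLICATION 0]
        if SPNEGO_OID in token[:20]:
            return "spnego"
        if KRB5_OID in token[:20]:
            return "kerberos"
    return "unknown"


def _ntlm_negotiate() -> bytes:
    # Constructed minimal NTLM NEGOTIATE_MESSAGE: signature, type 1, flags, empty fields.
    return NTLM_SIGNATURE + struct.pack("<II", 1, 0xA2088207) + b"\x00" * 16


def _spnego_init() -> bytes:
    # Constructed negTokenInit shell: [APPLICATION 0] { SPNEGO OID, empty inner element }.
    body = SPNEGO_OID + b"\xa0\x00"
    return b"\x60" + bytes([len(body)]) + body


# Constructed sample headers, as a browser would send them to IIS (not captured traffic).
SAMPLE_HEADERS = {
    "ntlm-scheme": "NTLM " + base64.b64encode(_ntlm_negotiate()).decode(),
    "negotiate-with-ntlm": "Negotiate " + base64.b64encode(_ntlm_negotiate()).decode(),
    "negotiate-with-kerberos": "Negotiate " + base64.b64encode(_spnego_init()).decode(),
    "basic": "Basic dXNlcjpwYXNz",
}


def classify_all(headers=SAMPLE_HEADERS) -> dict:
    return {name: classify_authorization(h) for name, h in headers.items()}
```

The result tells you which mechanism a client used on a given request, which is what IIS logs and the Negotiate header leave ambiguous; it does not by itself show whether the client machine is domain-joined.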