Will Gillen #1
Windows Authentication Timeout
I have been working on trying to enforce a "timeout" on Windows Integrated
Authentication.
Basically I want the aspx page to force the "authenticated" user to re-enter
their credentials if it has been longer than 3 minutes since their last page
request.
Another individual had suggested adding a value to the Session object, and
setting the page timeout to 3 minutes.
Then, if that value is not present in the Session Object, just return a
Response.StatusCode of "401" to force the browser to "re-authenticate".
I "kinda" got that working, but now the browser is asking for credentials
Twice on the First page request. Then all subsequent requests (after 3
minutes) are only prompting once.
Can anyone help me get this figured out. I'm pretty close, I just need help
in keeping the First Request from prompting Twice for credentials...
This code is at the top of the Page_Load() method of the page I want to
secure:
    'Set the Session Timeout to 3 mins:
    Session.Timeout = 3
    'See if the User.Identity object is already in the Session (means it hasn't "timed-out"):
    If context.Session.Item("USEROBJ") Is Nothing Then
        'If New session, then See if they have already been prompted for creds:
        If context.Session.Item("AUTH_PROMPT") = True Then
            If context.User.Identity.IsAuthenticated Then
                'If they have already been prompted and passed authentication,
                'Then add the User.Identity to the Session:
                context.Session.Add("USEROBJ", context.User.Identity)
            Else
                'Otherwise, respond with "401" to prompt for Creds again:
                Response.StatusCode = 401
            End If
        Else
            'Since this is a new Session, and they haven't been prompted for creds (as far as I know),
            'Then add the "AUTH_PROMPT" flag to the Session, and respond with "401":
            context.Session.Add("AUTH_PROMPT", True)
            Response.StatusCode = 401
        End If
    End If
Will Gillen Guest
-
Jim Cheshire [MSFT] #2
RE: Windows Authentication Timeout
Hi Will,
Have you looked at Forms authentication? That might be a better choice for
you.
You might be able to stop the second prompt by adding a Response.End after
returning a 401. I'd have to trace it with Netmon to be sure why that's
happening.
Jim Cheshire [MSFT]
MCP+I, MCSE, MCSD, MCDBA
ASP.NET Developer Support
jamesche@online.microsoft.com
This post is provided "AS-IS" with no warranties and confers no rights.
--------------------
| From: "Will Gillen" <g_i_l_l_e_0_0_1_@_n_s_u_o_k_._e_d_u>
| Subject: Windows Authentication Timeout
| Date: Wed, 10 Nov 2004 09:16:27 -0600
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
Jim Cheshire [MSFT] Guest
-
Will Gillen #3
Re: Windows Authentication Timeout
Yes, I have looked at Forms Authentication, the problem is that I wanted to
take advantage of Windows AD Groups and Permissions. I already have the
application written to that standard, and now I have to go back and add a
whole bunch of logic to handle Forms based authentication, figure out what
groups have permission to what resources and add that information to the
Web.Config file, and basically "unsecure" portions of my website by allowing
"anonymous" access to the ASPX resources so that FormsAuthentication will
work. All that, just so I can have an authentication timeout?
I believe that the reason they are prompted twice on the first request is
because IIS first prompts the client, then my VB code in .NET prompts the
client (because it has no idea that the person was already prompted).
To me, it seems that the primary problem (for me in this instance) is that
either IIS or the browser is "caching" the credentials of the client, and
those credentials are being "re-used" on subsequent requests to the
resource.
If only there were some way to programmatically configure how long either
IIS or the browser can "cache" the credentials (if that is what is
happening)......
-- Will Gillen
Will Gillen Guest
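One way to act on the diagnosis in the post above, as an added example that is not code from the thread: let the first request through, because IIS has already authenticated it, and send the page's own 401 only once after an idle gap, ending the response as suggested in the earlier reply. The class name IdleTimeoutPage and the session keys are hypothetical, and the example assumes anonymous access is disabled in IIS, session state is enabled, and the session cookie keeps its default name ASP.NET_SessionId.

```vb
Imports System
Imports System.Web.UI

' Added example: base class for pages that need an idle timeout on top of
' Windows Integrated Authentication. All names below are hypothetical.
Public Class IdleTimeoutPage
    Inherits Page

    Private Const IdleLimitMinutes As Integer = 3
    Private Const LastSeenKey As String = "LAST_SEEN_UTC"
    Private Const ChallengedKey As String = "REAUTH_CHALLENGED"
    ' Default ASP.NET session cookie name (assumed unchanged in configuration).
    Private Const SessionCookieName As String = "ASP.NET_SessionId"

    Protected Overrides Sub OnLoad(ByVal e As EventArgs)
        Dim alreadyChallenged As Boolean = Not (Session(ChallengedKey) Is Nothing)

        If Not alreadyChallenged AndAlso IdleLimitExceeded() Then
            ' Remember that this page sent the challenge, so the request that
            ' answers it is not challenged a second time.
            Session(ChallengedKey) = True
            Response.StatusCode = 401
            ' Stop here so no page content is rendered into the 401 response.
            Response.End()
        End If

        ' Reached on a first visit (IIS has already authenticated the caller),
        ' on a request inside the idle limit, or on the answer to our 401.
        Session.Remove(ChallengedKey)
        Session(LastSeenKey) = DateTime.UtcNow
        MyBase.OnLoad(e)
    End Sub

    Private Function IdleLimitExceeded() As Boolean
        Dim lastSeen As Object = Session(LastSeenKey)
        If Not (lastSeen Is Nothing) Then
            Dim idle As TimeSpan = DateTime.UtcNow.Subtract(CType(lastSeen, DateTime))
            Return idle.TotalMinutes > IdleLimitMinutes
        End If

        ' No timestamp stored. A newly opened browser sends no session cookie;
        ' a browser whose server-side session expired still sends the old one,
        ' which means the idle gap was longer than Session.Timeout.
        Dim cookieHeader As String = Request.Headers("Cookie")
        Return Session.IsNewSession _
            AndAlso Not (cookieHeader Is Nothing) _
            AndAlso cookieHeader.IndexOf(SessionCookieName) >= 0
    End Function
End Class
```

Pages that need the timeout inherit from IdleTimeoutPage instead of Page. The check only decides when the server sends a challenge; it cannot tell credentials the user re-typed from credentials the browser resent from its cache.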
-
Jim Cheshire [MSFT] #4
Re: Windows Authentication Timeout
Will,
If you want to force the cached credentials in Internet Explorer to expire,
the best method is to use an ActiveX control that calls InternetSetOption.
Here's an article:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;195192
Jim Cheshire [MSFT]
MCP+I, MCSE, MCSD, MCDBA
ASP.NET Developer Support
jamesche@online.microsoft.com
This post is provided "AS-IS" with no warranties and confers no rights.
--------------------
| From: "Will Gillen" <g_i_l_l_e_0_0_1_@_n_s_u_o_k_._e_d_u>
| Subject: Re: Windows Authentication Timeout
| Date: Wed, 10 Nov 2004 11:00:22 -0600
Jim Cheshire [MSFT] Guest
-
Will Gillen #5
Re: Windows Authentication Timeout
Forget it.
I'll just rewrite it to use FormsAuthentication.
-- Will G.
Will Gillen Guest
-
Joe Kaplan (MVP - ADSI) #6
Re: Windows Authentication Timeout
You might also be able to do something like set a cookie or session variable
when your timeout is reached and redirect to an error page whenever the user
has that flag. The page would just instruct them to close the browser.
The problem is that with Windows auth, the browser caches those credentials
and wants to send them if it has them, so you are trying to fight a client
behavior with a server solution.
Joe K.
Joe Kaplan (MVP - ADSI) Guest
-
Jim Cheshire [MSFT] #7
Re: Windows Authentication Timeout
That's what you should do. That's what Forms authentication was designed
to handle. The other information I've provided to you will resolve your
issue as well, but you don't seem interested so I'd go the Forms auth route.
Jim Cheshire [MSFT]
MCP+I, MCSE, MCSD, MCDBA
ASP.NET Developer Support
jamesche@online.microsoft.com
This post is provided "AS-IS" with no warranties and confers no rights.
--------------------
| From: "Will Gillen" <g_i_l_l_e_0_0_1_@_n_s_u_o_k_._e_d_u>
| Subject: Re: Windows Authentication Timeout
| Date: Wed, 10 Nov 2004 13:57:27 -0600
|
| Forget it.
| I'll just rewrite it to use FormsAuthentication.
|
| -- Will G.
|
|
| "Jim Cheshire [MSFT]" <jamesche@online.microsoft.com> wrote in message
| news:FPSnQ80xEHA.768@cpmsftngxa10.phx.gbl...
| > Will,
| >
| > If you want to force the cached credentials in Internet Explorer to expire,
| > the best method is to use an ActiveX control that calls InternetSetOption.
| > Here's an article:
| >
| > [url]http://support.microsoft.com/default.aspx?scid=KB;EN-US;195192[/url]
| >
| > Jim Cheshire [MSFT]
| > MCP+I, MCSE, MCSD, MCDBA
| > ASP.NET Developer Support
| > [email]jamesche@online.microsoft.com[/email]
| >
| > This post is provided "AS-IS" with no warranties and confers no rights.
| >
| >
| > --------------------
| > | From: "Will Gillen" <g_i_l_l_e_0_0_1_@_n_s_u_o_k_._e_d_u>
| > | Subject: Re: Windows Authentication Timeout
| > | Date: Wed, 10 Nov 2004 11:00:22 -0600
| > |
| > | Yes, I have looked at Forms Authentication, the problem is that I wanted to
| > | take advantage of Windows AD Groups and Permissions. I already have the
| > | application written to that standard, and now I have to go back and add a
| > | whole bunch of logic to handle Forms based authentication, figure out what
| > | groups have permission to what resources and add that information to the
| > | Web.Config file, and basically "unsecure" portions of my website by allowing
| > | "anonymous" access to the ASPX resources so that FormsAuthentication will
| > | work. All that, just so I can have an authentication timeout?
| > |
| > | I believe that the reason they are prompted twice on the first request is
| > | because IIS first prompts the client, then my VB code in .NET prompts the
| > | client (because it has no idea that the person was already prompted).
| > |
| > | To me, it seems that the primary problem (for me in this instance) is that
| > | either IIS or the browser is "caching" the credentials of the client, and
| > | those credentials are being "re-used" on subsequent requests to the
| > | resource.
| > |
| > | If only there were some way to programmatically configure how long either
| > | IIS or the browser can "cache" the credentials (if that is what is
| > | happening)......
| > |
| > | -- Will Gillen
| > |
| > |
| > |
| > | "Jim Cheshire [MSFT]" <jamesche@online.microsoft.com> wrote in message
| > | news:%23X74PrzxEHA.3640@cpmsftngxa10.phx.gbl...
| > | > Hi Will,
| > | >
| > | > Have you looked at Forms authentication? That might be a better choice for
| > | > you.
| > | >
| > | > You might be able to stop the second prompt by adding a Response.End after
| > | > returning a 401. I'd have to trace it with Netmon to be sure why that's
| > | > happening.
| > | >
| > | > Jim Cheshire [MSFT]
| > | > MCP+I, MCSE, MCSD, MCDBA
| > | > ASP.NET Developer Support
| > | > [email]jamesche@online.microsoft.com[/email]
| > | >
| > | > This post is provided "AS-IS" with no warranties and confers no rights.
| > | >
| > | >
| > | > --------------------
| > | > | From: "Will Gillen" <g_i_l_l_e_0_0_1_@_n_s_u_o_k_._e_d_u>
| > | > | Subject: Windows Authentication Timeout
| > | > | Date: Wed, 10 Nov 2004 09:16:27 -0600
| > | > |
| > | > | I have been working on trying to enforce a "timeout" on Windows Integrated
| > | > | Authentication.
| > | > | Basically I want the aspx page to force the "authenticated" user to re-enter
| > | > | their credentials if it has been longer than 3 minutes since their last page
| > | > | request.
| > | > |
| > | > | Another individual had suggested adding a value to the Session object, and
| > | > | setting the page timeout to 3 minutes.
| > | > | Then, if that value is not present in the Session Object, just return a
| > | > | Response.StatusCode of "401" to force the browser to "re-authenticate".
| > | > |
| > | > | I "kinda" got that working, but now the browser is asking for credentials
| > | > | Twice on the First page request. Then all subsequent requests (after 3
| > | > | minutes) are only prompting once.
| > | > |
| > | > | Can anyone help me get this figured out. I'm pretty close, I just need help
| > | > | in keeping the First Request from prompting Twice for credentials...
| > | > |
| > | > |
| > | > | This code is at the top of the Page_Load() method of the page I want to
| > | > | secure:
| > | > |
| > | > | 'Set the Session Timeout to 3 mins:
| > | > | Session.Timeout = 3
| > | > | 'See if the User.Identity object is already in the Session (means it hasn't "timed-out"):
| > | > | If context.Session.Item("USEROBJ") Is Nothing Then
| > | > |     'If New session, then See if they have already been prompted for creds:
| > | > |     If context.Session.Item("AUTH_PROMPT") = True Then
| > | > |         If context.User.Identity.IsAuthenticated Then
| > | > |             'If they have already been prompted and passed authentication,
| > | > |             'Then add the User.Identity to the Session:
| > | > |             context.Session.Add("USEROBJ", context.User.Identity)
| > | > |         Else
| > | > |             'Otherwise, respond with "401" to prompt for Creds again:
| > | > |             Response.StatusCode = 401
| > | > |         End If
| > | > |     Else
| > | > |         'Since this is a new Session, and they haven't been prompted for creds (as far as I know),
| > | > |         'Then add the "AUTH_PROMPT" flag to the Session, and respond with "401":
| > | > |         context.Session.Add("AUTH_PROMPT", True)
| > | > |         Response.StatusCode = 401
| > | > |     End If
| > | > | End If
Jim Cheshire [MSFT] Guest
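With the Forms authentication route recommended above, the idle timeout comes from configuration rather than from page code. A `web.config` sketch for the 3-minute requirement follows; it is an added example, not code from any poster in this thread, and the `Login.aspx` page name is an assumption.

```xml
<configuration>
  <system.web>
    <!-- Forms authentication replaces the browser's Windows credential
         prompt with an encrypted ticket cookie that the server can expire. -->
    <authentication mode="Forms">
      <!-- timeout is in minutes. With slidingExpiration="true" the ticket
           is reissued only when a request arrives after more than half of
           the timeout has elapsed, so the effective idle timeout can be as
           short as about half the configured value (1.5 minutes here).
           requireSSL keeps the ticket cookie off plain HTTP.
           Login.aspx is an assumed page name. -->
      <forms loginUrl="Login.aspx"
             timeout="3"
             slidingExpiration="true"
             requireSSL="true"
             protection="All" />
    </authentication>
    <authorization>
      <!-- "?" matches unauthenticated users, so every page needs a valid
           ticket. ASP.NET still serves loginUrl so the form can render. -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

IIS has to allow anonymous access to the application for this to work, because the `<deny users="?" />` rule inside ASP.NET does the gating instead of IIS. Authorization by AD group is not covered by this fragment and has to be supplied by the login code.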
-
Marc Lawson #8
Re: Windows Authentication Timeout
Sorry Jim, but writing a client-side ActiveX control is not really a
viable solution.
[email]jamesche@online.microsoft.com[/email] (Jim Cheshire [MSFT]) wrote in message news:<biYCG$3xEHA.764@cpmsftngxa10.phx.gbl>...
> That's what you should do. That's what Forms authentication was designed
> to handle. The other information I've provided to you will resolve your
> issue as well, but you don't seem interested so I'd go the Forms auth route.
>
> Jim Cheshire [MSFT]
> MCP+I, MCSE, MCSD, MCDBA
> ASP.NET Developer Support
> [email]jamesche@online.microsoft.com[/email]
>
> This post is provided "AS-IS" with no warranties and confers no rights.
>
Marc Lawson Guest
-
Jim Cheshire [MSFT] #9
Re: Windows Authentication Timeout
Hi Marc,
If you want to force IE to clear the credential cache, that's the only way
to do it, viable or not. :)
Jim Cheshire [MSFT]
MCP+I, MCSE, MCSD, MCDBA
ASP.NET Developer Support
[email]jamesche@online.microsoft.com[/email]
This post is provided "AS-IS" with no warranties and confers no rights.
--------------------
| From: [email]mlawson@relico.com[/email] (Marc Lawson)
| Subject: Re: Windows Authentication Timeout
| Date: 16 Nov 2004 07:53:37 -0800
|
| Sorry Jim, but writing a client-side ActiveX control is not really a
| viable solution.
|
|
| [email]jamesche@online.microsoft.com[/email] (Jim Cheshire [MSFT]) wrote in message
| news:<biYCG$3xEHA.764@cpmsftngxa10.phx.gbl>...
| > That's what you should do. That's what Forms authentication was designed
| > to handle. The other information I've provided to you will resolve your
| > issue as well, but you don't seem interested so I'd go the Forms auth route.
| >
| > Jim Cheshire [MSFT]
| > MCP+I, MCSE, MCSD, MCDBA
| > ASP.NET Developer Support
| > [email]jamesche@online.microsoft.com[/email]
| >
| > This post is provided "AS-IS" with no warranties and confers no rights.
| >
|
Jim Cheshire [MSFT] Guest




