TUCoPS :: Web :: IIS :: bt65.txt

Microsoft IIS Integrated Authentication 




Microsoft's IIS server allows for an integrated authentication method 

which allows users within an intranet environment to sign-on 

automatically with "pass-through authentication" to servers set for 

Integrated Windows Authentication. This works if users are logged into a 

workstation in the same domain with the intranet server they are 

accessing. In this system, the user's current logon credentials on their 

workstation are compared to the server-retrieved credentials for the 

user. If the hashes match and the user has rights to the directory, they 

are in without a password prompt. The following article provides 

additional details:



http://msdn.microsoft.com/library/default.asp?url=/library/en-

us/comsrv2k/htm/cs_gs_security_xmky.asp



According to the Microsoft documentation, the only way for a user from 

another domain to be able to use this method is for the two domains to be 

trusted in some way. I happen to have a multiple Windows 2000 Active 

Directory forest situation, and I found a way to get user credentials 

from a completely untrusted domain into a site protected by this system.



I have two separate Active Directory forests; one in an external network 

and one in an internal RFC1918 network. There are two different DNS 

domains (matching the AD domain names) for these networks, one public and 

one internal. Both forests have the same NetBIOS name. The NetBIOS domain 

name is used in the Integrated Windows Authentication method as the user 

ID prefix - <domain>\<user ID>. I placed a set of user credentials in 

both domains with matching ID (sAMAccountName) and password. I placed a 

test IIS Web server protected with Integrated Windows Authentication in 

the internal network domain. I configured an IE Web browser on a client 

in the external domain with the internal site as a trusted site. I was 

then able to access the entire internal site from the external, non-

trusted workstation without a password prompt.



Now, the chances of a real-world exploit coming from this are slim. I 

would still have to fully compromise a user and password and gain network 

access to the protected resource. However, once these were accomplished, 

I could spoof a given user very easily and make it look like I was from a 

trusted domain.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH