RE: problems with NTUserFolder.
I'm a little confused over this.
From your previous mail I understood that jcNTUserFolder was to be used only behind IIS. It interpreted the REMOTE_USER var passed in after challenge/response authentication by IIS and made this into a Zope user. Now your talking about jcForceAuth and saying that users login using basic authentication with their NT username and password??????
Under what circumstances can you use challenge/response vs basic authentication?
-----Original Message----- From: CLAIN Jephte [mailto:minf7@educ.univ-reunion.fr] Sent: Saturday, May 27, 2000 12:19 AM To: Jay, Dylan Cc: 'zope@zope.org' Subject: Re: problems with NTUserFolder.
"Jay, Dylan" a écrit :
I see how it works now. I installed jcNTUSerFolder but couldn't get it to work. I thought it did the challenge response stuff for me. I didn't realize it had to go behind IIS. I'll give it a try. The challenge/response protocol authentication, as far as I know, is specific to microsoft. that's why you have to use IIS for example to do the authenticatio for you. I don't know of another browsers / ftp clients / mail clients that can perform that kind of authentication, beside those from microsoft (IE, Outlook, ...)
You may also have a look at http://www.zope.org/Members/jephte/jcForceAuth for a way to force users to authenticate. they have to identify themselves to browse the site, but at least they can use their own nt account/password. be warned though: passwords are sent unencrypted over the wire with basic authentication.
regards, jephte clain minf7@educ.univ-reunion.fr
"Jay, Dylan" a écrit :
I'm a little confused over this. From your previous mail I understood that jcNTUserFolder was to be used only behind IIS. It interpreted the REMOTE_USER var passed in after challenge/response authentication by IIS and made this into a Zope user. Now your talking about jcForceAuth and saying that users login using basic authentication with their NT username and password??????
Under what circumstances can you use challenge/response vs basic authentication?
My apologies for taking so long to respond. Our mail server had some problems... Well, Zope can do both authentication method (but not at the same time!): 'standard' basic authentication mode or 'remote user' authentication mode. It depends on the content of the access file. This is documented somewhere in Zope documentation. In basic authentication mode, the browser gives Zope the username and the password, and ask if it is correct. If Zope says 'no', the browser asks again until the user give the right username/password pair. Zope can only do the BASIC authentication. In remote user authentication mode, the web server on top of zope (apache or IIS, or whatever) *does* the authentication (it checks the username/password). Once the user is authenticated, the web server passes Zope the REMOTE_USER variable, which is the username of the authenticated user. My product is compatible with the two schemes. However, Zope is unable to do challenge/response authentication, so you have to put it under a web server that is capable of doing such authentication (ie, IIS). If you use my product with vanilla Zope, your users can still authenticate by using their nt username/password. This difference is: - behind IIS, Zope *always* get the user infos, and they are not aware of it. - vanilla zope does not brings the authentication dialog if content is anonymous, so your users can still browse the site while being anonymous. This is where my jcForceAuth product come in, because it ask the users to authenticate even if they view anonymous content. hope it's clear now. jephte clain minf7@educ.univ-reunion.fr ps: I don't speak/write english very well. So if the above is still unclear, perhaps someone on the list can better explain.
participants (2)
-
CLAIN Jephte -
Jay, Dylan