13

I have to transfer my client from one website to another website. This happens on the client side. The 2nd website is using the Windows basic authentication system, so it pops up the login window. I need to omit this popup window, authenticate my client on the 2nd website using JavaScript, and then redirect him to the 2nd website. There is no security issue even if I put credentials in a JavaScript file, since this whole system is running in an intranet. So how do I authenticate the client on the 2nd website?

I found this thread: How can I pass windows authentication to webservice using jQuery?

But it does not work. When I look at the request header of the 2nd URL, it does not contain the Authorization tag.

Community
Sency
  • Please post your code. At least the part that does the ajax call, since that is the point that is failing to add the header. – Hogan Aug 20 '11 at 18:02
  • 2
    If JS could get at the user's credentials and impersonate the user on another "domain" wouldn't that be a pretty significant security flaw? – anthony sottile Aug 20 '11 at 18:02
  • 3
    You can't do what you're asking for without using some sort of SSO (single sign-on solution), and that would require you control both websites. The jQuery link you showed is only good for hard-coding HTTP Basic authentication. NTLM is far more complex. Also, the jQuery example would only work through an AJAX request. You can't force the browser to send an Authentication header in normal requests. – Jesse Buchanan Aug 20 '11 at 19:29
  • And you can't use Windows Integrated authentication instead of basic? – aquinas Aug 27 '11 at 14:06
  • try this https://stackoverflow.com/questions/33257969/windows-ad-single-sign-on-using-javascript-and-node has a solution that doesn't even require any special configuration except writing the nodejs script and including the lib. It simply works. – Emmanuel Mahuni Feb 02 '20 at 04:27

3 Answers

17

If it is basic authentication and you don't mind exposing the credential, why don't you simply insert username and password into the URL? For example:

http://username:password@www.domain.com

But if you have control over the Web server, you really should disable authentication for intranet connections.

cwallenpoole
William Niu
  • 1
    Please note that this trick will not work on Internet Explorer anymore, as Microsoft changed the default behavior some time ago for security reasons: http://support.microsoft.com/kb/834489 – Lars Aug 27 '11 at 16:39
  • From my testing this does not work if your password has values like @ / &. – Gram Jun 21 '16 at 20:35
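An added example, not code from any of the posts above: it shows why a password containing `@` or `/` breaks the credentials-in-URL form unless the userinfo is percent-encoded, and that the Basic `Authorization` header is plain base64 that anyone who can read the script or the request can decode. The user name, password and the host `intranet.example` are constructed placeholders.

```javascript
// Constructed sample values; intranet.example is a placeholder host.
const USER = 'alice';
const PASS = 'p@ss/w&rd'; // contains the characters from the comment above

// Base64 over UTF-8 bytes (btoa in browsers, Buffer as a Node fallback).
function base64Utf8(text) {
  const bytes = new TextEncoder().encode(text);
  if (typeof btoa !== 'function') return Buffer.from(bytes).toString('base64');
  return btoa(String.fromCharCode(...bytes));
}

// RFC 7617: Authorization: Basic base64(user-id ":" password)
function basicAuthHeader(user, pass) {
  return 'Basic ' + base64Utf8(user + ':' + pass);
}

// Base64 is an encoding, not encryption: the header (or a JS file that
// embeds it) gives the password back to anyone who can read it.
function decodeBasicAuthHeader(header) {
  const b64 = header.replace(/^Basic\s+/i, '');
  const bytes = typeof atob === 'function'
    ? Uint8Array.from(atob(b64), c => c.charCodeAt(0))
    : Buffer.from(b64, 'base64');
  const text = new TextDecoder().decode(bytes);
  const i = text.indexOf(':'); // first colon splits; password may contain ':'
  return { user: text.slice(0, i), pass: text.slice(i + 1) };
}

// Naive concatenation: the raw '@' and '/' in the password end the
// userinfo and authority early, so the parser sees a different host.
function naiveCredentialUrl(host, user, pass) {
  return new URL('http://' + user + ':' + pass + '@' + host + '/');
}

// Percent-encoding the userinfo keeps the host intact.
function encodedCredentialUrl(host, user, pass) {
  return new URL('http://' + encodeURIComponent(user) + ':' +
                 encodeURIComponent(pass) + '@' + host + '/');
}

const naive = naiveCredentialUrl('intranet.example', USER, PASS);
const safe = encodedCredentialUrl('intranet.example', USER, PASS);
console.log(naive.hostname, '|', safe.hostname);
console.log(decodeBasicAuthHeader(basicAuthHeader(USER, PASS)));
```

With the unencoded password the parsed host is no longer `intranet.example`, so the credentials would be sent to whatever that other name resolves to.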
4

If it is a Windows based intranet, I would not hassle with Javascript, but use the default NTLM-Authentication, as described in this thread. That way, you can provide a single-sign-on for any number of sites with the normal username and password of the users of your network. To quote my answer from the other thread:

It actually is possible with NTLM authentication. You need the AuthenNTLM-plugin, which will authenticate a user using the Internet Explorer. An example syntax would be

<Location />
    PerlAuthenHandler Apache::AuthenNTLM 
    AuthType ntlm,basic
    AuthName test
    require valid-user

    #                    domain             pdc                bdc
    PerlAddVar ntdomain "name_domain1   name_of_pdc1"
    PerlAddVar ntdomain "other_domain   pdc_for_domain    bdc_for_domain"

    PerlSetVar defaultdomain wingr1
    PerlSetVar ntlmdebug 1
</Location>
## taken from the documentation

Please refer to the module documentation for more options and specific instructions on the setup - the above should get you started in the right direction.

On the client side, Internet Explorer and Firefox should be able to log in automatically after some configuration (Firefox needing a bit of special care - which may be achieved by setting the configuration variables during deployment).

Community
Lars
  • +1: That is very interesting to know. Does this work on IIS though? – William Niu Aug 27 '11 at 23:35
  • @Willium_Niu: Yes, you can, according to [this article](http://support.microsoft.com/kb/215383/). I do not have any experience on IIS to share, but looks even simpler than the one for apache (should be, as NTLM *comes* from Microsoft ;) ). – Lars Aug 29 '11 at 06:46
2

If this is Windows Authentication, then the response won't be prompting the client for credentials; the browser will be attempting to pass the credentials itself already. It does not quite work the way HTTP does -- you actually need to configure the browser itself to have it send the authorization based on Windows credentials.

It does not appear that there is a simple JS solution to this at all.

cwallenpoole