Hi Aaron,

Basic authentication is a very primitive kind of authentication. If your applications are using it, make sure that all of those applications are behind an HTTPS connection. Here's a quick primer on basic authn: http://en.wikipedia.org/wiki/Basic_access_authentication

What OS and/or IIS version are you running (<=2003 or >= 2008)? Is ASP.NET installed on your web server? Do you know which versions (check c:\windows\microsoft.net\framework for v2.0.50727, v4.0.30319)?

Also, what applications are you using? Applications written against the ASP.NET authentication subsystem should be switchable to CAS authentication fairly easily without requiring access to the source code (just web.config changes). Applications written in other languages or commercial/closed source applications generally have the ability to swap out authentication mechanisms somehow, but the approach for doing it varies by product. Someone on the list may have some experience CASifying some of the applications you are using.

-Scott

From: Chantrill, Aaron [mailto:[email protected]]
Sent: Wednesday, January 19, 2011 2:52 PM
To: [email protected]
Subject: [cas-user] CAS and IIS Basic Authentication

I have a number of applications that rely on IIS Basic Authentication, where the username and password are stored in the web browser and passed to the webserver upon every request to a Basic Authentication protected page. I don't know the exact mechanism that is being used, or how the browser knows that the page uses basic authentication, but it seems to.

Is there a simple way, and if so, could someone point me to some documentation on how to CASify this sort of application? When I have searched for "CAS Basic Authentication" online, I find a lot of information about using the ASP.NET client with non-ASP.NET applications.

It seems like what would have to happen is that somehow, in the CAS login process, a request containing the username and password would have to be sent from the web browser to a basic authentication page on the application's webserver directly after logging in. Certainly not an easy thing for me to imagine in the middle of a sign-on transaction, and seems like it would require an extra iframe or popup window or something to make the extra call to the external server.

So is there a standard way to do this? It would be nice, as otherwise my users will simply have to continue to authenticate against the other application servers as I don't have the source code or any other way of cassifying them.

Thanks,
Aaron

--
You are currently subscribed to [email protected]<mailto:[email protected]> as: [email protected]<mailto:[email protected]>
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
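
How a browser learns that a page uses Basic authentication, and why the reply asks for HTTPS, shown as an added Python example that is not part of the original thread: the server answers with a `WWW-Authenticate: Basic` challenge, and the browser then resends base64 of `user:password` on every request, which needs no key to decode. The realm, user name and password below are constructed sample values.

```python
import base64
import re

# Constructed sample values (hypothetical realm and credentials).
CHALLENGE = 'Basic realm="Legacy App", charset="UTF-8"'
SAMPLE_USER, SAMPLE_PASSWORD = "aaron", "s3cret:with:colons"


def parse_challenge(header):
    """Parse a WWW-Authenticate value; return (scheme, params)."""
    scheme, _, rest = header.strip().partition(" ")
    params = dict(re.findall(r'(\w+)="([^"]*)"', rest))
    return scheme.lower(), {k.lower(): v for k, v in params.items()}


def build_authorization(user, password):
    """Header value the browser sends on every later request to the realm."""
    if ":" in user:
        raise ValueError("user-id may not contain ':' (RFC 7617)")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_authorization(header):
    """Recover (user, password) from an Authorization header, or None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or not UTF-8
    # Only the first ':' separates the fields; passwords may contain colons.
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def is_safe_to_send(url):
    """Basic credentials are encoded, not encrypted, so require TLS."""
    return url.lower().startswith("https://")


if __name__ == "__main__":
    print(parse_challenge(CHALLENGE))
    header = build_authorization(SAMPLE_USER, SAMPLE_PASSWORD)
    print(header, "->", decode_authorization(header))
```
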
