14

I have to transfer my client from one website to another website. This happens on the client side. The 2nd website is using the Windows basic authentication system, so it pops up the login window. I need to omit this popup window, authenticate my client on the 2nd website using JavaScript, and then redirect him to the 2nd website. There is no security issue even if I put credentials in a JavaScript file, since this whole system is running in an intranet. So how do I authenticate the client on the 2nd website?

I found this thread: How can I pass windows authentication to webservice using jQuery?

But it does not work. When I look at the request header of the 2nd URL, it does not contain the Authorization tag.

5
  • Please post your code. At least the part that does the ajax call, since that is the point that is failing to add the header. Commented Aug 20, 2011 at 18:02
  • 2
    If JS could get at the user's credentials and impersonate the user on another "domain" wouldn't that be a pretty significant security flaw? Commented Aug 20, 2011 at 18:02
  • 3
    You can't do what you're asking for without using some sort of SSO (single sign-on solution), and that would require you control both websites. The jQuery link you showed is only good for hard-coding HTTP Basic authentication. NTLM is far more complex. Also, the jQuery example would only work through an AJAX request. You can't force the browser to send an Authentication header in normal requests. Commented Aug 20, 2011 at 19:29
  • And you can't use Windows Integrated authentication instead of basic? Commented Aug 27, 2011 at 14:06
  • try this stackoverflow.com/questions/33257969/… has a solution that doesn't even require any special configuration except writing the nodejs script and including the lib. It simply works. Commented Feb 2, 2020 at 4:27

3 Answers

18
+50

If it is basic authentication and you don't mind exposing the credential, why don't you simply insert username and password into the URL? For example:

http://username:password@host

But if you have control over the Web server, you really should disable authentication for intranet connections.


2 Comments

Please note that this trick will not work on Internet Explorer anymore, as Microsoft changed the default behavior some time ago for security reasons: support.microsoft.com/kb/834489
From my testing this does not work if your password has values like @ / &.
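An added example, not part of the answer or its comments: it shows why reserved characters such as `@` and `/` in a password break a hand-built `user:password@host` URL, that the Basic `Authorization` header is only base64, and a small audit helper for finding such URLs in script text. It runs in Node.js; the host `intranet.example`, the account names and the passwords are constructed.

```javascript
// Added example, not code from the thread. Hosts and credentials are constructed.

// Naive concatenation in the http://username:password@host form.
function naiveUrl(host, user, pass) {
  return `http://${user}:${pass}@${host}/`;
}

// The URL setters percent-encode characters that would otherwise end the userinfo part.
function encodedUrl(host, user, pass) {
  const u = new URL(`http://${host}/`);
  u.username = user;
  u.password = pass;
  return u.href;
}

// What a Basic-auth client sends: base64 of "user:password" (RFC 7617), not encryption.
function basicAuthHeader(user, pass) {
  return 'Basic ' + Buffer.from(`${user}:${pass}`, 'utf8').toString('base64');
}

// Anyone who sees the header, or the script that builds it, recovers the password.
function decodeBasicAuthHeader(value) {
  const m = /^Basic\s+([A-Za-z0-9+\/=]+)$/i.exec(value.trim());
  if (!m) return null;
  const text = Buffer.from(m[1], 'base64').toString('utf8');
  const i = text.indexOf(':'); // the user-id cannot contain ':', the password can
  return i < 0 ? null : { user: text.slice(0, i), pass: text.slice(i + 1) };
}

// Audit helper: list credential-bearing URLs found in source text, password redacted.
function findCredentialUrls(text) {
  const re = /[a-z][a-z0-9+.-]*:\/\/[^\s\/?#@:'"]+:[^\s\/?#@'"]+@[^\s'"<>]+/gi;
  return (text.match(re) || []).map((raw) => {
    const u = new URL(raw);
    u.password = 'REDACTED';
    return u.href;
  });
}

const samplePass = 'p@ss/w&rd'; // constructed password containing @ / &
// The raw '/' ends the authority early, so the parser takes "ss" as the host.
console.log(new URL(naiveUrl('intranet.example', 'alice', samplePass)).hostname); // ss
console.log(new URL(encodedUrl('intranet.example', 'alice', samplePass)).hostname); // intranet.example
console.log(decodeBasicAuthHeader(basicAuthHeader('alice', samplePass)));
console.log(findCredentialUrls('var t = "http://svc_user:Summer2011@intranet.example/reports";'));
```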
4

If it is a Windows based intranet, I would not hassle with Javascript, but use the default NTLM-Authentication, as described in this thread. That way, you can provide a single-sign-on for any number of sites with the normal username and password of the users of your network. To quote my answer from the other thread:

It actually is possible with NTLM authentication. You need the AuthenNTLM-plugin, which will authenticate a user using the Internet Explorer. An example syntax would be

<Location />
    PerlAuthenHandler Apache::AuthenNTLM 
    AuthType ntlm,basic
    AuthName test
    require valid-user

    #                    domain             pdc                bdc
    PerlAddVar ntdomain "name_domain1   name_of_pdc1"
    PerlAddVar ntdomain "other_domain   pdc_for_domain    bdc_for_domain"

    PerlSetVar defaultdomain wingr1
    PerlSetVar ntlmdebug 1
</Location>
## taken from the documentation

Please refer to the module documentation for more options and specific instructions on the setup - the above should get you started in the right direction.

On the client side, Internet Explorer and Firefox should be able to login automatically after some configuration (Firefox needing a bit of special care - which may be achieved by setting the configuration variables during deployment).

2 Comments

+1: That is very interesting to know. Does this work on IIS though?
@Willium_Niu: Yes, you can, according to this article. I do not have any experience on IIS to share, but looks even simpler than the one for apache (should be, as NTLM comes from Microsoft ;) ).
2

If this is Windows Authentication, then the response won't be prompting the client for credentials, the browser will be attempting to pass the credentials itself already. It does not quite work the way HTTP does -- you actually need to configure the browser itself to have it send the authorization based on Windows credentials.

It does not appear that there is a simple JS solution to this at all.
