How to stop Basic (browser) authentication from authenticating with our local AD

Christiaan Neijens 36 Reputation points
2021-03-16T12:13:35.56+00:00

We use an externally hosted browser-based application called Exact which uses the basic authentication popup in the browser to authenticate. So old school.

As the username, we should be using HOSTING\12345678 but as it turns out our company email address also allows us to login.

Now the issue: when we log in with our company email address, the basic authentication authenticates with our local Active Directory and not with the hosted application. (The previous IT guy set up the same internal domain DNS name as the external DNS, while good practice would be to add .local or something else.)

Even worse, if the password is the same for the application as for the AD account there is no actual problem, but if the passwords are different the account gets locked almost immediately. Company policy locks the account after 10 failed password entries.

Now the question: how can I stop or kill the basic authentication request in our local ADC?

thanks


Accepted answer
  1. MotoX80 36,291 Reputation points
    2021-03-17T12:30:35.56+00:00

    it is hosted externally by another company. we have no idea if it's build on IIS.

    There is nothing that you can do on the client side to change how the web site authenticates users.

    i would like to block the authentication request that goes to our local AD.

    You could review the firewall rules to determine which rule allows that IP address to access the domain controller and then block it. But whoever set this up must have had a requirement for AD authentication, so if you block it, you will likely break something. I don't recommend doing that.

    This isn't something that forum users can help you with. You really need to talk to whomever provides technical support for the site/app/server.

    I would call/email the hosting support team and report the account lockout problem and ask them to investigate and fix.


3 additional answers

  1. MotoX80 36,291 Reputation points
    2021-03-16T21:48:10.867+00:00

    Are you sure that you are using "Basic authentication"? That is configured in IIS.

    [image: capture.jpg (IIS authentication settings)]

    Using MS Edge, it looks like this.

    [image: capture1.jpg (browser credential popup)]

    And if the user hits cancel they get a HTTP 401.2 error.

    [image: capture2.jpg (HTTP 401.2 error page)]

    Is that what you see? Using basic authentication, the end user can enter a local (to the web server) userid or domainname\userid.

    The primary alternative is to enable IIS integrated authentication.

    https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/windowsauthentication/

    Based on your comments, I don't think that you are using "real basic authentication", but instead you are likely getting a popup generated by the application that asks the user for an id and password. If this Exact application is a purchased product, then there would likely be some configuration setting somewhere that controls how the software authenticates the user. In that case you would need to contact the vendor's support team for help in changing the configuration.

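The answer above draws the line between "real" IIS basic authentication and an application-generated popup, and names Windows (integrated) authentication as the alternative. The PowerShell below is an added example, not from the thread and not from the Exact product or its hosting provider: it reads the basic-authentication settings that matter on an IIS host and then applies the corrected configuration. It assumes the WebAdministration module is present on the IIS server and uses `Default Web Site` as a placeholder for the application's site.

```powershell
# Added example (not from the thread): inspect IIS basic authentication and replace it
# with Windows authentication. Assumes the WebAdministration module on the IIS host;
# 'Default Web Site' is a placeholder for the real site name.
Import-Module WebAdministration

$site    = 'IIS:\Sites\Default Web Site'
$basic   = '/system.webServer/security/authentication/basicAuthentication'
$winAuth = '/system.webServer/security/authentication/windowsAuthentication'

# Current state. With basic auth enabled, IIS logs the supplied credential on for the
# caller; a bare user name is resolved against defaultLogonDomain, and a
# DOMAIN\user or user@domain form is resolved against that domain. That is the path
# by which a browser popup can end up validating a password against a domain
# controller instead of an application-local account store.
$cfg = Get-WebConfiguration -PSPath $site -Filter $basic
$cfg | Select-Object enabled, defaultLogonDomain, realm | Format-List

# Weak setting: basic auth on. The password travels base64-encoded in the
# Authorization header of every request, so TLS is the only thing protecting it.
# Corrected setting: basic off, Windows authentication on (Negotiate/NTLM challenge,
# the password itself is not sent). Note that any non-browser client that relied on
# the basic popup stops working after this change.
Set-WebConfigurationProperty -PSPath $site -Filter $basic   -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $site -Filter $winAuth -Name enabled -Value $true

# Verify.
Get-WebConfiguration -PSPath $site -Filter $basic   | Select-Object -ExpandProperty enabled
Get-WebConfiguration -PSPath $site -Filter $winAuth | Select-Object -ExpandProperty enabled
```

This only applies to a server you administer; as the accepted answer says, nothing on the client side changes how an externally hosted site authenticates.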

  2. Christiaan Neijens 36 Reputation points
    2021-03-17T08:07:21.277+00:00

    Indeed this is a purchased product and it is hosted externally by another company. We have no idea if it's built on IIS.
    And yes, we are getting the same popup generated by the application which asks for username and password. I assume this is basic authentication like in your example.

    But the thing is, that when I enter the credentials given by the application, there is no problem.
    The issue starts when I enter my company credentials, e.g. ******@mycompany.com.

    This causes the authentication request to go to our local Active Directory server and not to the application.
    The reason why this authentication request goes to our local ADC is because @mycompany.com is also configured as the internal Windows domain.

    I'll try to clarify even further:
    Let's say I visit the application and enter the credentials supplied by the application when my account was created, HOSTING\12345678; the authentication request goes to the application and I can access it, which is what we want.
    But if I enter ******@mydomain.com, the authentication request goes to our local ADC. If the credentials entered are correct, I also get access, because I'm authenticated. But this is not what we want, because my username and password do not match the credentials supplied by the application.
    As a result I get locked out of our own local AD.

    I would like to block the authentication request that goes to our local AD.
    The requests in the event logs are: 10 bad password attempts (event ID 4771, error code 0x18) and afterwards the lockout (event ID 4740).
    There is an IP address of the application hosting in the event logs; is there a way to reroute this IP address back to the application?

    thanks

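The post above identifies the evidence on the domain controller: ten 4771 events with status 0x18 (Kerberos pre-authentication failed, i.e. wrong password) followed by a 4740 lockout, with the hosting provider's IP address in the 4771 data. The script below is an added example, not from the thread, that correlates those two event IDs by calling IP and account so the host burning the lockout counter can be named before talking to the vendor. It assumes Windows PowerShell 5.1 or later on a DC with read access to the Security log, and a lockout threshold of 10 as stated in the question; the sample events, the 203.0.113.10 address and the account names are constructed for the demonstration.

```powershell
# Added example, not code from the thread. Correlates Kerberos pre-authentication
# failures (4771, Status 0x18 = KDC_ERR_PREAUTH_FAILED, i.e. bad password) with the
# resulting lockouts (4740) on a domain controller, keyed by calling IP address.
# Assumptions: Windows PowerShell 5.1+ on a DC, rights to read the Security log,
# lockout threshold 10 (the policy stated in the question).

# Flatten a raw Security-log record. The EventData names are the ones 4771/4740 use.
function ConvertFrom-SecurityEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Id             = [int]$Event.Id
            TimeCreated    = $Event.TimeCreated
            TargetUserName = $data['TargetUserName']
            # 4771 reports the client as an IPv4-mapped IPv6 address ("::ffff:1.2.3.4").
            IpAddress      = ($data['IpAddress'] -replace '^::ffff:', '')
            Status         = $data['Status']
            # On 4740, TargetDomainName carries the caller computer name, not a domain.
            CallerComputer = $data['TargetDomainName']
        }
    }
}

# Group bad-password attempts per (IP, account) and flag pairs that reached the
# policy threshold or already produced a lockout.
function Get-LockoutSourceSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $Threshold = 10
    )
    $lockedOut = @($Records | Where-Object { $_.Id -eq 4740 } |
                   Select-Object -ExpandProperty TargetUserName -Unique)
    $Records |
        Where-Object { $_.Id -eq 4771 -and $_.Status -eq '0x18' } |
        Group-Object IpAddress, TargetUserName |
        ForEach-Object {
            $ordered = $_.Group | Sort-Object TimeCreated
            [pscustomobject]@{
                IpAddress = $ordered[0].IpAddress
                User      = $ordered[0].TargetUserName
                Failures  = $_.Count
                HitPolicy = ($_.Count -ge $Threshold)
                LockedOut = ($lockedOut -contains $ordered[0].TargetUserName)
                FirstSeen = $ordered[0].TimeCreated
                LastSeen  = $ordered[-1].TimeCreated
            }
        } |
        Sort-Object Failures -Descending
}

# Live use on a DC (left commented so the block runs offline):
# $records = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4740;
#                                            StartTime = (Get-Date).AddHours(-1) } |
#            ConvertFrom-SecurityEvent
# Get-LockoutSourceSummary -Records $records | Format-Table -AutoSize

# Constructed sample data: one external address (203.0.113.10, documentation range,
# standing in for the hosting provider) fails ten times against one account, which is
# then locked out; one unrelated internal failure must not be flagged.
$now    = Get-Date
$sample = @(
    foreach ($i in 1..10) {
        [pscustomobject]@{ Id = 4771; TimeCreated = $now.AddSeconds($i); TargetUserName = 'jdoe'
                           IpAddress = '203.0.113.10'; Status = '0x18'; CallerComputer = $null }
    }
    [pscustomobject]@{ Id = 4740; TimeCreated = $now.AddSeconds(11); TargetUserName = 'jdoe'
                       IpAddress = $null; Status = $null; CallerComputer = 'HOSTWEB01' }
    [pscustomobject]@{ Id = 4771; TimeCreated = $now.AddSeconds(12); TargetUserName = 'asmith'
                       IpAddress = '10.0.0.5'; Status = '0x18'; CallerComputer = $null }
)

Get-LockoutSourceSummary -Records $sample | Format-Table -AutoSize
```

The summary row for 203.0.113.10 / jdoe shows ten failures with both HitPolicy and LockedOut set, while the single internal failure for asmith is listed but not flagged. Blocking that address at the firewall would stop the lockouts, but, as the accepted answer notes, it would also break whatever legitimate AD traffic the hosting provider was given access for, so the output is best used as evidence for the vendor ticket.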

  3. Christiaan Neijens 36 Reputation points
    2021-03-17T16:11:04.417+00:00

    Thanks @MotoX80

    I've contacted the supplier, but they have no solution or other way of authenticating at this moment ...
    (no multi-factor, no federation, no nothing, can you believe this?)

    They are looking into doing a pilot project to implement this ...

    Anyway, thanks again.

