IIS 7 and Above
Windows credentials being cached by user
Last post Sep 16, 2020 08:25 PM by alex125
Sep 11, 2020 02:00 PM|alex125
I'm hosting a form on IIS that requires Windows authentication to log in. This works completely fine; however, when the user logs in for the first time their device caches their credentials so that when they next load the page they're taken straight to the form and they do not have to log in again. Since my form gives the user access to certain confidential data, I want to make sure the user has to log in on every page load.
The only way currently I've been able to make the form request credentials again is by clearing the cache manually on the device itself.
Is there any way to prevent credential caching or make the user log in every time via IIS?
Headers like cache-control do nothing because these are loaded after the user logs in and credentials are cached. (identity impersonate is already set to false)
Sep 14, 2020 05:45 AM|Jalpa Panchal
Windows by default is set up to use automatic logins. All the Chromium-based browsers use this setting to automatically try and authenticate the current Windows user when an NTLM or Negotiate 401 request is received, logging you in with your current Windows or AD account.
You can change this behavior and explicitly force Windows to always authenticate instead by using the Internet Settings from the taskbar, then digging into the Local Intranet → Custom Level. At the bottom of the list you'll find an option to specify how Windows logins are handled:
Sep 14, 2020 08:35 AM|alex125
Thanks for the reply. It was my mistake for not pointing out what device this application will be used on. It will be mostly used on mobile devices (with the majority being iPhones). Is there any way to do this for Safari / not using local intranet? The form will be accessible from outside our local network.
Sep 16, 2020 09:06 AM|Jalpa Panchal
First, check whether Windows authentication is working on iOS or not. You could use the IIS HTTP response header to clear the client cache.
Sep 16, 2020 08:25 PM|alex125
Yep, Windows authentication is working fine on iOS. There is a prompt for username and password, then it takes the user to the site when a correct domain login is entered.
Unfortunately setting "Expire Web content" causes an infinite load loop to occur on the form.
Also trying to set clientCache in web.config just produces a 500 error.