Windows credentials being cached by userRSS

4 replies

Last post Sep 16, 2020 08:25 PM by alex125

  • Windows credentials being cached by user

    Sep 11, 2020 02:00 PM|alex125|LINK

    Hi there,

    I'm hosting a form on IIS that requires windows authentication to log in. This works completely fine, however, when the user logs in for the first time their device caches their credentials so that when they next load the page they're taken straight to the form and they do not have to log in again. Since my form gives the user to certain confidential data I want to make sure the user has to log in on every page load.

    The only way currently I've been able to make the form request credentials again is by clearing the cache manually on the device itself.

    Is there any way to prevent credential caching or making the user log in every time via IIS?

    Headers like cache-control do nothing because these are loaded after the user logs in and credentials are cached. (identity impersonate is already set to false)

    Thanks, Alex.

  • Re: Windows credentials being cached by user

    Sep 14, 2020 05:45 AM|Jalpa Panchal|LINK

    Hi,

    Windows by default are set up to use automatic logins. all the chromium-based browsers use this setting to automatically try and authenticate the current Windows User when an NTLM or Negotiate 401 request is received logging you in with your current Windows or AD account.

    You can change this behavior and explicitly force Windows to always authenticate instead by using the Internet Settings from the taskbar, then digging into the Local Intranet → Custom Level. At the bottom of the list you'll find an option to specify how Windows logins are handled:

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
  • Re: Windows credentials being cached by user

    Sep 14, 2020 08:35 AM|alex125|LINK

    Hi Jalpa,

    Thanks for the reply. It was my mistake for not pointing out what device this application will be used on. It will be mostly used on mobile devices (with the majority being iPhones). Is there any way to do this for Safari / not using local intranet? The form will be accessible from outside our local network.

  • Re: Windows credentials being cached by user

    Sep 16, 2020 09:06 AM|Jalpa Panchal|LINK

    Hi,

    First, make sure that the windows authentication is working on the ios or not. you could use the iis http response header to clear client cache.

    https://docs.microsoft.com/en-us/iis/configuration/system.webserver/staticcontent/clientcache

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
  • Re: Windows credentials being cached by user

    Sep 16, 2020 08:25 PM|alex125|LINK

    Hi Jalpa,

    Yep windows authentication is working fine on IOS. There is a prompt for username and password then takes the user to the site when a correct domain login is entered.

    Unfortunately setting "Expire Web content" causes an infinite load loop to occur on the form.

    Also trying to set clientCache in web.config just produces a 500 error.