Let's see if I can assist here. First of all, let's start from considering the desktop browser and the webserver.
IIS is configured for "windows authentication" and http: This limits your browser support to IE. If you try to access the site with firefox, or any other browser that is not native to windows, 'windows authentication' cannot be supported.
From what I understand in this configuration, the credentials are encoded - NOT encrypted. So, if one were to access your intranet and intercept the packets, your windows credentials could be compromised. Though, I don't think it could be done as easily with 'basic authentication' configured. If I recall correctly, the credentials are not in the HTTP header with the IIS server configured this way.
IIS is configured for "basic authenticaion" and http: This will allow support for the blackberry browser and firefox.
There's a plugin for firefox called live headers. The credentials are in the HTTP headers and one can actually see the credentials being passed in encoded format.
So in either circumstance, your credentials are exposed because they're not encrypted. As a general practice, our (government - read: goes to ridiculous lengths to secure things...) organization states that if a website requires authentication ( whether it be 'basic' or 'windows' ), HTTPS (SSL) is mandatory. As such, we configure our IIS servers to be 'basic' authentication configured with HTTPS so that other browsers like firefox, blackberry browser, safari, etc ... can authenticate with the site.
Now - let's talk about the blackberry browser accessing your intranet sites. I don't think they're currently working because 'windows authentication' is turned on. If you turned on basic authentication, you should be prompted for your domain credentials and get access to the site.
I'm running an internal mobile version of a website for our organization that requires authentication and basic authentication with HTTPS is working without any problems. Support HTTP Authentication is turned off. Though, I've recently been investigating what exactly this setting does. From what I understand, if this setting is turned off, then the blackberry device authenticates with the IIS server directly. If it's turned on then the MDS service will authenticate on behalf of the device.
The Administration guide states the followin when configuring the "Support Http Authentication" setting:
If you want BlackBerry devices to authenticate with content servers directly, click False.
If you want the BlackBerry MDS Connection Service to store authentication information and perform HTTP
authentication on behalf of BlackBerry devices, click True.
To answer your question directly, I don't think enabling "Support HTTP Authentication" would expose any additional security risk. But, my guess is changing this setting to 'true' will not ultimately solve your problem.
I'm investigating this setting because my hope is to turn on single sign on for the BlackBerry browser. I would like the blackberry users to visit my site without having to type in their domain credentials more than once. I have not tested this yet, but am hoping to this week.
Hope this helps ...
Last edited by kjarrodc : 07-13-2008 at 02:42 PM.