HighTechTalks DotNet Forums  

Annoying: You are about to leave secure internet connection

Dotnet Security microsoft.public.dotnet.security


#1 SK - 02-14-2005, 02:17 PM






We have our intranet website running on IIS 6.0 using SSL. On our application
side, we have some code that goes to the
\\Servername\DirectoryName\myFile.pdf and grabs the file for the user. Now
the problem is with SSL. Every time some user clicks on the link, they get
Internet Explorer security message: You are about to leave the secure
internet connection. It will be possible for others to view the information.

Any idea\tips\tricks that we can find a work around on this other than
requesting users to check the box that says, In future, do not show this
warning?

Help!!!

SK

#2 Nicole Calinoiu - 02-15-2005, 09:04 AM






You would probably have better luck in an IIS group, but here it goes
anyway...

Have you considered making the PDF file accessible via the site so that it
can be fetched via an HTTPS address? If you're dealing with a small number
of fairly static files, copying the files to your site might be the best
approach. If there are a large number of files to be referenced and/or they
change often, you might want to consider setting up a virtual directory in
your web application to point through to a share on the other server. This
should allow you to create links that point to the virtual directory over
HTTPS, avoiding the client-side problem entirely. If you decide to go this
route, you should take a look at http://support.microsoft.com/kb/280383 for
some of the potential gotchas.

HTH,
Nicole


#3 SK - 02-15-2005, 10:53 AM



Nicole,
We already have a virtual directory pointing to the file server. We are
using that for a handful of users outside the LAN area. As 90% of users are
going to be inside of LAN, the idea was to avoid network traffic using vir
dir for users who are in LAN. But thanks for your response anyway.
I will try in IIS group then.
Thanks

SK
#4 AT - 02-18-2005, 05:22 PM



Think of what would be possible if you could do this:

I create a website that requests that a user create a login. Their user
name and password are entered on an SSL site, but then on the next page I
redirect them to a site that's not accessible via HTTPS. Additionally my
site also programmatically disables that dialog box. Now, the user is
entering personal information, thinking that it's safe, when in fact it
isn't.

Granted the above is a pretty strange scenario, but the point is the same.
If you could do this, it would be an enormous security hole in the browser.

-Shawn
http://blogs.msdn.com/shawnfa
--
This posting is provided "AS IS" with no warranties, and confers no rights.


Note:
For the benefit of the community-at-large, all responses to this message
are best directed to the newsgroup/thread from which they originated.
#5 Nicole Calinoiu - 02-19-2005, 01:09 PM



The example doesn't need to be that complex. Redirecting to within the same
site to force HTTP can cause a problem if the user continues to submit
sensitive information. Redirecting to another site is potentially a problem
regardless of whether HTTP or HTTPS, particularly if the user doesn't notice
the change and continues to behave as if he were interacting with the
original site.
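
The link targets discussed in this thread (the UNC path from the first post, a same-site link that drops to HTTP, and a link to another site) can be found by auditing a page's anchors before users click them. This Python sketch is an added example, not part of the original thread; the host names, the /files path and the category labels are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE = "https://intranet.example/docs/index.aspx"  # constructed page URL
# Constructed sample markup; only the UNC path comes from the thread.
SAMPLE = r'''
<a href="\\Servername\DirectoryName\myFile.pdf">UNC link</a>
<a href="/files/myFile.pdf">same file via a virtual directory</a>
<a href="http://intranet.example/profile.aspx">profile</a>
<a href="https://partner.example/login">partner</a>
'''

class _Hrefs(HTMLParser):
    """Collect the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href.strip())

def classify(page_url, href):
    """Label what following href from an https:// page does to the connection."""
    # A UNC path or file: URL is file-share access, not HTTPS (the first post's case).
    if href.startswith("\\\\") or href.lower().startswith("file:"):
        return "file-share"
    page, target = urlsplit(page_url), urlsplit(urljoin(page_url, href))
    if target.scheme not in ("http", "https"):
        return "other-scheme"
    same_host = (target.hostname or "").lower() == (page.hostname or "").lower()
    if target.scheme == "http":
        return "downgrade-same-site" if same_host else "downgrade-other-site"
    return "ok" if same_host else "https-other-site"

def audit(page_url, html):
    """Return (href, label) for every link that leaves the page's HTTPS site."""
    parser = _Hrefs()
    parser.feed(html)
    results = [(h, classify(page_url, h)) for h in parser.hrefs]
    return [r for r in results if r[1] != "ok"]

if __name__ == "__main__":
    for href, label in audit(PAGE, SAMPLE):
        print(f"{label:22} {href}")
```

Relative links such as /files/myFile.pdf resolve against the HTTPS page and are reported as nothing, which is the outcome the virtual-directory approach aims for.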



#6 AT - 02-25-2005, 08:09 PM



Yep -- in general those prompts are there for a reason, and allowing the
website owner to disable them would make them useless and open up holes.
Granted the example was pretty bad, my creativity skills failed me while
typing up the response :-)

-Shawn
http://blogs.msdn.com/shawnfa
--
This posting is provided "AS IS" with no warranties, and confers no rights.


Note:
For the benefit of the community-at-large, all responses to this message
are best directed to the newsgroup/thread from which they originated.