I have an intranet web site using Windows authentication. There are no restrictions on the home page. Anyone with an AD account can navigate to it. For other restricted pages in the site, there is a list of users with allowed authorization; everyone else is denied authorization.
Here is the problem. People use account User A for some 3rd-party software related to the intranet web site. User A is not on the list of users with allowed authorization for the restricted pages. User A navigates to the web site, then to a restricted page. User A is asked for credentials to get to the restricted page. User A gives User B's name and password to get to the restricted pages. Parenthetically, the person logged on as User A is really User B. Some time later, User C logs on as User A. When User C (as User A) navigates to a restricted page, the web site has retained User B's credentials. This time, User A is not asked for credentials; the site assumes User B is still accessing the pages.
How can I make the site request new credentials anytime someone not on the list of users with allowed authorization for the restricted pages tries to navigate to a restricted page? According to IIS Manager, the session timeout for the web site is 20 minutes. The web site retains that first set of credentials for days.
Bill