RE: IIS 5.0 and Netscape Authentication

From: James MacKinnon (jmackinnon@crossoff.com)
Date: 05/22/02


Date: Wed, 22 May 2002 15:35:42 -0300
From: "James MacKinnon" <jmackinnon@crossoff.com>
To: "G Man" <gmansyscon@hotmail.com>, <focus-ms@securityfocus.com>

Don't use integrated security. Try basic security, as Netscape does not
support integrated security and will keep failing on this.

james

-----Original Message-----
From: G Man [mailto:gmansyscon@hotmail.com]
Sent: Tuesday, May 21, 2002 6:55 PM
To: focus-ms@securityfocus.com
Subject: IIS 5.0 and Netscape Authentication

Hello,

I am analyzing a test setup in a lab and was wondering if anybody else had
come across this problem. If anybody has a solution to this problem I would
really appreciate it. The problem exists with directory security of folders
under IIS 5.0 in a Windows 2000 Active Directory. This is not an exploit
but more of a possible bug, perhaps in the Active Directory design and
implementation? Currently I do not know and would like to see if anybody can
replicate or at least point me in the right direction for a solution for
this. Here is my problem and the steps that I have done to create this
problem.

Required:

Win2k Server running Active Directory and IIS 5.0
Netscape 4.x and IE 5.x running on a client or local to the server.

Method:

1. Create Directory in Winexplorer that you wish to use as the root of this
test website. Inside this directory place an index.htm file and another
directory called "test". Copy the index.htm file inside of the "test"
directory also.

Should look something like this if you had a tree picture:

c:\Inetpub\testwebsite\index.htm
c:\Inetpub\testwebsite\test
c:\Inetpub\testwebsite\test\index.htm

2. Under active directory, create a user under the USERS group named "test"
with password "test".

2. Now under IIS Manager create a website that uses the "testwebsite"
directory as its root. Start the Website.

3. Using IE and Netscape surf to your newly created website and see if you
can view the file index.htm. (We have not set any permissions and everyone
should be able to see this file.)

4. Again now surf to the newly created website and see if you can view the
file under the subdirectory "test". Again we have not changed any
permissions yet and everyone should be able to see this file in Netscape and
IE.

5. Now under IIS Manager open your new website and select the directory we
created called "test" and select properties. Disable Anonymous access for
this directory. Hit Ok a few times and apply this permission setting. Now
you should not be able to surf to the "test" directory of our new website
without being prompted for a Login and password.

6. With IE use the "test" account that we used and enter the login
information. You should be passed through to the webpage that we placed
into this directory, as the NTFS permission is set to everyone and the
"test" user account is a valid user account and authentication is complete.

7. Now with Netscape, try the exact same thing. On our test system, we get
an authentication failure with Netscape using the "test" Group USERS
account. However if we use an Administrator login and password when prompted
we are passed through and authentication is complete.

We have tested this and searched the MS knowledgebase and found some things
that refer to adding the "test" account to the "Log On Locally" Security
policy. We have tried this and this was unsuccessful too.
Is this a bug in Active Directory or IIS?

Btw this test lab system is Win2k with SP2 and all patches to IIS
implemented. No Frontpage extensions have been activated.

If anyone could give us some insight on what is wrong and why Netscape
simply will not authenticate using a USER Group account yet pass through
with an Administrator and IE has no problems using the USER account we would
really appreciate it.

Thanks,

G. Man
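
Added example, not part of the original thread: a small diagnostic for the mismatch the reply describes. It parses the WWW-Authenticate challenges in a 401 response and reports which scheme a given client would end up using. The sample response, the two client profiles and all function names are constructed for illustration.

```python
import re

# Constructed sample: a 401 response of the kind a directory with both
# integrated and basic authentication enabled would return.
SAMPLE_401 = """HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="testwebsite"
Content-Length: 0
"""

# The same response with basic authentication switched off (constructed).
INTEGRATED_ONLY_401 = SAMPLE_401.replace(
    'WWW-Authenticate: Basic realm="testwebsite"\n', "")

# Assumed client capabilities, in order of preference. "basic-only" models
# a browser without integrated (Negotiate/NTLM) support.
CLIENT_SUPPORT = {
    "integrated-capable": ["negotiate", "ntlm", "basic"],
    "basic-only": ["basic"],
}

def offered_schemes(raw_response):
    """Return the schemes named in WWW-Authenticate headers, in server order.
    Assumes one challenge per header line, as in the sample above."""
    schemes = []
    for line in raw_response.splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                                # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        m = re.match(r"\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)", value)
        if m:
            schemes.append(m.group(1).lower())
    return schemes

def negotiate(raw_response, client, over_tls=False):
    """Pick the first scheme the client supports that the server offers."""
    offered = offered_schemes(raw_response)
    for scheme in CLIENT_SUPPORT[client]:
        if scheme in offered:
            # Basic sends the password base64-encoded, not encrypted.
            exposed = scheme == "basic" and not over_tls
            return {"scheme": scheme, "cleartext_password": exposed}
    return {"scheme": None, "cleartext_password": False}

if __name__ == "__main__":
    for label, resp in (("integrated+basic", SAMPLE_401),
                        ("integrated only", INTEGRATED_ONLY_401)):
        for client in CLIENT_SUPPORT:
            print(label, client, negotiate(resp, client))
```

A `scheme` of `None` means the client has no usable challenge and will keep being refused; `cleartext_password` marks the case where basic authentication runs without TLS.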
