Re: Windows Authentication and Anonymous login URGENT

From: Michal A. Valasek (news_at_altaircom.net)
Date: 07/26/03


Date: Sat, 26 Jul 2003 00:11:28 +0200


Hello,

| thanks for your prompt reply I really need to figure
| something out. My problem is that I am doing what you are
| saying which is to check if the user is authenticated
| (via the Request.IsAuthenticated) and have the
| default.aspx to be accessible for both authenticated and
| anonymous. The problem is that once you set anonymous
| users then the Request.IsAuthenticated is always false.
| This is crazy. If I am inside the intranet then the
| Request.IsAuthenticated should be true and then from
| outside using anonymous login it should say yes. Right????
| This is just what I want to know.

Oh, I forgot that you're using Windows, not Forms, authentication. When
authenticated using Forms Authentication, the data are stored in a cookie,
which is sent with every request to the given server, regardless of whether
the server cares about it.

In Windows authentication, the process is that the server gives an
authentication challenge when it requests one. Therefore, if anonymous access
is enabled, all users are anonymous, because the server does not send the
challenge.

The only solution I know is to make the Default page only for authenticated
users. Then try to catch the unauthorized state (probably as a custom error
handler for HTTP error 401 or 403). You can get the URL of the requested page
and, if it's /Default.aspx, redirect the anonymous user somewhere.

-- 
Michal A. Valasek, Altair Communications, http://www.altaircom.net
Please do not reply to this e-mail, for contact see http://www.rider.cz

