Re: Web application security problem



By security event log, I do mean the same security event log that you see
along with the application and system event logs in the eventvwr mmc.

If the problem here is with a simple redirection, I would try to focus on
the authentication that occurs when the browser accesses WAB. Check the
security event log to see if you see a login event for the user. I also
like to use a tool like IEHttpHeaders to view the request and response
headers sent and received by the browser to see if I can see what happened
there. With IWA or basic auth, you will typically see some combination of
401 responses with WWW-Authenticate response headers and GET requests with
Authorization headers. Those contain all of the authentication
challenge/response data.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"<M>" <m_dinnis@xxxxxxxxxxx> wrote in message
news:7d3129df-998a-4d87-ac7b-e6e73ed87289@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Joe,

Thanks for responding.

When you say it is helpful to look at the security log, is that the
same security log available from the management console along with the
application log, etc.?

I've been through the IIS logs and they are helpful to a degree but I
think (hope) that they are showing the Network Service account as
anonymous. They also show multiple calls to the same page which is
confusing.

The redirection is a straightforward response.redirect statement from
WAA to WAB. The aim is that the user has found some information in WAA
and wants to know more but the additional info is beyond the scope of
WAA. Like a link on a web site to another web site.

Regards,

<M>
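
Added example, not part of either post above: a short Python script that reads a header trace of the kind a tool like IEHttpHeaders shows and labels each step of the 401 / WWW-Authenticate / Authorization exchange Joe describes, so you can see where a handshake stops. The trace, the /WAB/default.aspx path and the function names are constructed for illustration; the NTLM tokens carry only the signature and message type.

```python
import base64
import re
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def ntlm_token(msg_type):
    """Build a minimal constructed NTLM token: signature + message type only."""
    raw = b"NTLMSSP\x00" + msg_type.to_bytes(4, "little") + b"\x00" * 8
    return base64.b64encode(raw).decode()

# Constructed sample trace (not from the thread); the path is a placeholder.
SAMPLE_TRACE = f"""GET /WAB/default.aspx HTTP/1.1

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

GET /WAB/default.aspx HTTP/1.1
Authorization: NTLM {ntlm_token(1)}

HTTP/1.1 401 Unauthorized
WWW-Authenticate: NTLM {ntlm_token(2)}

GET /WAB/default.aspx HTTP/1.1
Authorization: NTLM {ntlm_token(3)}

HTTP/1.1 200 OK
"""

def describe(scheme, token):
    """Say what an auth header carries without echoing any secret."""
    if not token:
        return f"{scheme} (offer, no token)"
    raw = base64.b64decode(token)
    if scheme.lower() == "basic":  # user:password, report the user only
        return f"Basic credentials for user {raw.split(b':', 1)[0].decode()!r}"
    if raw.startswith(b"NTLMSSP\x00"):
        n = int.from_bytes(raw[8:12], "little")
        return f"{scheme}, NTLMSSP message type {n} ({NTLM_TYPES.get(n, 'unknown')})"
    return f"{scheme}, non-NTLM token, likely SPNEGO/Kerberos ({len(raw)} bytes)"

def summarize(trace):
    """Return one line per status line or auth header, in trace order."""
    out = []
    for line in trace.splitlines():
        if m := re.match(r"HTTP/\d\.\d (\d{3})", line):
            out.append(f"status {m.group(1)}")
        elif m := re.match(r"(WWW-Authenticate|Authorization):\s*(\S+)\s*(\S*)", line, re.I):
            out.append(f"{m.group(1)}: {describe(m.group(2), m.group(3))}")
    return out
```

A complete NTLM handshake reads 401 (offer), type 1, 401 with type 2, type 3, then a non-401 status; a trace that ends on a 401 after type 3 lines up with a failed logon entry in the security event log.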

