RE: integrated authentication failing from remote site
From: Lisa Cozzens [MSFT] (lcozzens@online.microsoft.com)
Date: 01/07/03
- Next message: Yann: "Error certificat renewal"
- Previous message: Chris Crowe [IIS MVP]: "Re: HTTP Page evc.html not found 404 error DNS"
- In reply to: Bruce Rhodewalt: "RE: integrated authentication failing from remote site"
- Next in thread: Bruce Rhodewalt: "RE: integrated authentication failing from remote site"
- Reply: Bruce Rhodewalt: "RE: integrated authentication failing from remote site"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: lcozzens@online.microsoft.com (Lisa Cozzens [MSFT]) Date: Tue, 07 Jan 2003 17:54:17 GMT
Hi Bruce,
Here's another good article on authentication in IIS:
Q264921 INFO: How IIS Authenticates Browser Clients
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q264921
To help you make a little more sense of the Netmon traces, here is what you
should see in a "normal" Integrated Windows authentication session:
1. Client port x -> Server port 80: GET request, no auth information
2. Server port 80 -> Client port x: 401.2 error. Connection: close.
3. Client port y (NOTE CHANGE OF PORT) -> Server port 80: GET request. Authorization: NTLM (followed by junk). Connection: Keep-Alive.
4. Server port 80 -> Client port y: 401.1 error. WWW-Authenticate: NTLM (followed by junk).
5. Client port y -> Server port 80: GET request. Authorization: NTLM (followed by junk). Connection: Keep-Alive.
6. Server port 80 -> Client port y: 200 OK
The following differences in the above sequence of events might indicate
proxy server interference:
1. Steps 1-4 are identical to above, but in step 5, the request from the client comes from yet another port, instead of over the same ports as steps 3 and 4.
2. In a server-side trace, no Connection: Keep-Alive header from the client in steps 3 or 5.
3. In a server-side trace, no authentication information received from the client in steps 3 or 5.
4. In a client-side trace, no WWW-Authenticate: NTLM header received in step 4.
Unfortunately, if third-party proxy servers are indeed interfering and
causing the problem, you don't have any choice but to use Basic
authentication. Integrated Windows Authentication was designed for an
intranet environment, where there are no proxy servers/firewalls, or at
least no proxy servers/firewalls that are not under your control. It works
great in that environment, but it doesn't work so well over the Internet.
Besides the proxy/firewall issue, you can also see that Integrated auth
requires three roundtrips *at a minimum* (it could be up to five) between
the server and the client, compared to one for anonymous authentication and
two for Basic.
What are your concerns about using Basic authentication in a production
environment? Are you concerned about password sniffing? If so, you can
always secure the site with SSL (as you're already planning to do). You
could also switch to digest authentication, which does *not* send the
password over the wire in (almost-)clear text like Basic does:
Q222028 Setting Up Digest Authentication for Use with Internet Information Services 5.0
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q222028
Hope this helps,
Lisa
--------------------
> From: Bruce Rhodewalt <bruce@rhodewalt.com>
> References: <LQ#ZzbatCHA.1340@cpmsftngxa09>
> X-Newsreader: AspNNTP 1.50 (ActionJackson.com)
> Subject: RE: integrated authentication failing from remote site
> Mime-Version: 1.0
> Content-Type: text/plain; charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> Message-ID: <#4kNOsetCHA.2640@TK2MSFTNGP11>
> Newsgroups: microsoft.public.inetserver.iis.security
> Date: Mon, 06 Jan 2003 17:21:06 -0800
> NNTP-Posting-Host: actionjackson37.dsl.frii.net 216.17.146.37
> Lines: 1
> Path: cpmsftngxa09!TK2MSFTNGP08!TK2MSFTNGP11
> Xref: cpmsftngxa09 microsoft.public.inetserver.iis.security:14182
> X-Tomcat-NG: microsoft.public.inetserver.iis.security
>
> Thanks to you all for your suggestions. I have confirmed that Basic
> authentication works. I have also used Netmon to compare the
> transactions that occur during a session which correctly authenticates
> (using IWA) and one which merely delivers an error to the user. The
> difference is dramatic. I'll see what I can learn from that.
>
> If it turns out that various proxy servers (some of which belong to ISPs
> and so are completely outside of my control) are to blame, what are my
> options? We can control the client, requiring MSIE 5.01 at least. We
> do not want to configure each client beyond requiring a minimum version.
> We will be going to SSL on the server eventually.
>
> I do not want to leave Basic authentication in a production environment.
> Thanks for any suggestions.
>
> *** Sent via Developersdex http://www.developersdex.com ***
> Don't just participate in USENET...get rewarded for it!
>
-----
Please do not send email directly to this alias. This is an online
account name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers
no rights. You assume all risk for your use.
© 2002 Microsoft Corporation. All rights reserved.
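The six-step exchange and the four proxy-interference symptoms Lisa lists lend themselves to a small trace checker. The following is an added example, not code from the post or from Microsoft: the trace records are a constructed simplification of what a Netmon capture shows (direction, client port, request/status line, the headers that matter here), and the NTLM blobs are placeholders standing in for the base64 "junk" the post mentions.

```python
"""Check a captured Integrated Windows (NTLM) exchange against the
six-step sequence from the post and flag the proxy-interference symptoms.

Added illustration; not code from the original post or from Microsoft.
Record format is a constructed simplification of a Netmon trace.
"""
from typing import Dict, List

Msg = Dict[str, object]


def msg(direction: str, client_port: int, line: str, **headers: str) -> Msg:
    """Build one trace record. direction is "C>S" or "S>C"; header names
    are passed with underscores (www_authenticate) and normalised."""
    norm = {k.lower().replace("_", "-"): v for k, v in headers.items()}
    return {"dir": direction, "port": client_port, "line": line, "headers": norm}


def header(m: Msg, name: str) -> str:
    """Header value or empty string (lookup is case-insensitive)."""
    return str(m["headers"].get(name.lower(), ""))


def analyze_iwa_trace(trace: List[Msg]) -> List[str]:
    """Return findings; an empty list means the trace matches the normal
    sequence: anon GET, 401 + Connection: close, NTLM request on a new
    port, 401 + WWW-Authenticate: NTLM, NTLM request on the same port, 200."""
    if len(trace) < 6:
        return ["trace too short: expected six messages"]
    s1, s2, s3, s4, s5, s6 = trace[:6]
    findings: List[str] = []

    if header(s1, "Authorization"):
        findings.append("step 1: unexpected Authorization on the first request")
    if not s2["line"].startswith("401"):
        findings.append("step 2: expected a 401 challenge")
    if s3["port"] == s1["port"]:
        findings.append("step 3: client reused the closed connection's port")

    # Symptom 1: the final NTLM request arrives on yet another connection,
    # so the server cannot tie it to the challenge it issued in step 4.
    if s5["port"] != s3["port"] or s4["port"] != s3["port"]:
        findings.append("port change between steps 3-4 and step 5 (new connection)")
    # Symptom 2 (server-side trace): Keep-Alive stripped from client requests.
    for step, m in ((3, s3), (5, s5)):
        if header(m, "Connection").lower() != "keep-alive":
            findings.append(f"step {step}: no Connection: Keep-Alive from client")
    # Symptom 3 (server-side trace): credentials never reach the server.
    for step, m in ((3, s3), (5, s5)):
        if not header(m, "Authorization").upper().startswith("NTLM"):
            findings.append(f"step {step}: no NTLM Authorization from client")
    # Symptom 4 (client-side trace): the NTLM challenge never reaches the client.
    if not header(s4, "WWW-Authenticate").upper().startswith("NTLM"):
        findings.append("step 4: no WWW-Authenticate: NTLM from server")
    if not s6["line"].startswith("200"):
        findings.append("step 6: expected 200 OK")
    return findings


# Constructed sample traces; ports and blobs are placeholders.
NORMAL = [
    msg("C>S", 1025, "GET /secure/ HTTP/1.1"),
    msg("S>C", 1025, "401 Unauthorized", connection="close"),
    msg("C>S", 1026, "GET /secure/ HTTP/1.1",
        authorization="NTLM <type 1 blob>", connection="Keep-Alive"),
    msg("S>C", 1026, "401 Unauthorized", www_authenticate="NTLM <type 2 blob>"),
    msg("C>S", 1026, "GET /secure/ HTTP/1.1",
        authorization="NTLM <type 3 blob>", connection="Keep-Alive"),
    msg("S>C", 1026, "200 OK"),
]

# A proxy in the path drops Keep-Alive and opens a new connection for step 5,
# so the server answers with a fresh challenge instead of 200 OK.
PROXIED = [
    msg("C>S", 3001, "GET /secure/ HTTP/1.1"),
    msg("S>C", 3001, "401 Unauthorized", connection="close"),
    msg("C>S", 3002, "GET /secure/ HTTP/1.1", authorization="NTLM <type 1 blob>"),
    msg("S>C", 3002, "401 Unauthorized", www_authenticate="NTLM <type 2 blob>"),
    msg("C>S", 3003, "GET /secure/ HTTP/1.1", authorization="NTLM <type 3 blob>"),
    msg("S>C", 3003, "401 Unauthorized", www_authenticate="NTLM"),
]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("proxied", PROXIED)):
        print(name, analyze_iwa_trace(trace) or ["matches expected IWA sequence"])
```

The checker only reports the symptoms the post names; a capture that fails on the port check but still ends in 200 OK would mean the server happened to accept the request on the new connection, which is worth noting separately when reading real traces.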