Strange Digest Authentication behaviour

From: Stephen McNabb (smcnabb@vision_hatespam.com)
Date: 01/23/03


From: "Stephen McNabb" <smcnabb@vision_hatespam.com>
Date: Thu, 23 Jan 2003 12:04:30 -0000

Hi,

We have a VB6 front end client talking to a VB6 COM+ midtier using SOAP (MS
Soap Toolkit 3). The IIS web server on the midtier is set up to use Digest
Authentication to provide the security we need. Everything is working as it
should except we have noticed a strange behaviour in the system running in
our client's live environment - every single request to the server is
getting a 401 Access Denied message and having to re-authenticate.

My understanding of how digest authentication works is:

- First request to server is given 401 Access Denied message with nonce
attached in headers
- Client resends with username, password and nonce it receives, and server
authenticates user and caches information
- Every subsequent request is sent with username, password and nonce and no
re-authentication is required because server uses cached information

This is the behaviour we are seeing in our test and development environments
but in our live environment, with the same mid-tier and client versions of
the application, we see every request having to go through the
401/authentication process. As you can imagine this is affecting system
performance and bandwidth usage.

Does anyone have an idea of where we should start looking to see why each
request needs to be authenticated? I'm assuming it's a web server
configuration issue but I have checked the basic security setup and it all
looks ok. If you have seen behaviour like this before then please let me
know.

Thanks

Steve
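The exchange described in the post, worked through as an added Python example (not code from the original post, nor from the Microsoft SOAP Toolkit or IIS): a miniature RFC 2617 Digest client and server using qop=auth and MD5. The realm, user name, password and URI are constructed values. The first helper reproduces the healthy flow the post lists (one 401 carrying a nonce, then the cached nonce reused with an incremented nc on every later request); the second generalises it to a server that does not recognise the client's nonce, for example because the request reached a process that did not issue it, and shows that every request then costs an extra 401 round trip, which is the symptom the post reports.

```python
"""Miniature RFC 2617 Digest Authentication (qop=auth, MD5): client and server.

Added illustration only; not the original post's code and not the Microsoft
SOAP Toolkit or IIS implementation.  Realm, user, password and URI are
constructed values.
"""
import hashlib
import os
import time

REALM = "midtier"                 # constructed
USERS = {"steve": "s3cret"}       # constructed credential store


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """The 'response' field of RFC 2617 section 3.2.2.1 with qop=auth.
    nc is an int; its wire form is eight lowercase hex digits."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Issues nonces and remembers each one with the highest nc accepted so far."""

    def __init__(self, nonce_lifetime=300.0):
        self.nonces = {}          # nonce -> (issued_at, last_nc)
        self.nonce_lifetime = nonce_lifetime

    def challenge(self, stale=False):
        nonce = os.urandom(16).hex()
        self.nonces[nonce] = (time.time(), 0)
        # stale=true tells the client its credentials were fine and only the
        # nonce needs refreshing, so it can retry without prompting the user.
        return {"status": 401, "nonce": nonce, "stale": stale}

    def handle(self, method, uri, auth=None):
        if auth is None:
            return self.challenge()
        entry = self.nonces.get(auth["nonce"])
        if entry is None or time.time() - entry[0] > self.nonce_lifetime:
            return self.challenge(stale=True)   # nonce unknown here, or expired
        issued_at, last_nc = entry
        if auth["nc"] <= last_nc:
            return self.challenge()             # replayed nonce count
        password = USERS.get(auth["username"])
        if password is None:
            return self.challenge()
        expected = digest_response(auth["username"], REALM, password, method, uri,
                                   auth["nonce"], auth["nc"], auth["cnonce"])
        if expected != auth["response"]:
            return self.challenge()
        self.nonces[auth["nonce"]] = (issued_at, auth["nc"])
        return {"status": 200}


class DigestClient:
    """Caches the last server nonce and bumps nc on every request, as RFC 2617 allows."""

    def __init__(self, user, password):
        self.user, self.password = user, password
        self.nonce, self.nc = None, 0

    def request(self, server, method, uri):
        """Send one request; return the number of round trips until a 200."""
        trips = 0
        while trips < 4:
            auth = None
            if self.nonce is not None:
                self.nc += 1
                cnonce = os.urandom(8).hex()
                auth = {"username": self.user, "nonce": self.nonce, "nc": self.nc,
                        "cnonce": cnonce,
                        "response": digest_response(self.user, REALM, self.password,
                                                    method, uri, self.nonce, self.nc, cnonce)}
            resp = server.handle(method, uri, auth)
            trips += 1
            if resp["status"] == 200:
                return trips
            self.nonce, self.nc = resp["nonce"], 0   # adopt the fresh nonce
        raise RuntimeError("authentication did not converge")


def round_trips_single_server(n_requests=5):
    """Healthy case: one server holds the nonce table. Expect [2, 1, 1, ...]."""
    server = DigestServer()
    client = DigestClient("steve", "s3cret")
    return [client.request(server, "POST", "/soap/midtier") for _ in range(n_requests)]


def round_trips_unshared_nonces(n_requests=5):
    """Each request lands on a server instance that never issued the client's
    nonce (no shared nonce state). Every request costs a 401: [2, 2, 2, ...]."""
    client = DigestClient("steve", "s3cret")
    return [client.request(DigestServer(), "POST", "/soap/midtier") for _ in range(n_requests)]


if __name__ == "__main__":
    print("single server   :", round_trips_single_server())
    print("unshared nonces :", round_trips_unshared_nonces())
```

When diagnosing the live system, the useful distinction is in the 401 itself: a challenge carrying stale=true means the credentials were accepted and only the nonce was rejected, so the place to look is nonce lifetime and whether every server process that answers requests shares the nonce state; a challenge without stale points at the credentials or the request digest instead.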
