Re: Strange Digest Authentication behaviour

From: Roger Wolter[MSFT] (rwolteronline@microsoft.com)
Date: 01/24/03


From: "Roger Wolter[MSFT]" <rwolteronline@microsoft.com>
Date: Thu, 23 Jan 2003 19:51:45 -0800

That's the way the http stack does authentication. After the first request
the server sends an error with the kind of authentication it requires.

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
"Stephen McNabb" <smcnabb@vision_hatespam.com> wrote in message
news:1TQX9.4293$Lm4.784636@newsfep2-win.server.ntli.net...
> Hi,
>
> We have a VB6 front end client talking to a VB6 COM+ midtier using SOAP (MS
> Soap Toolkit 3). The IIS web server on the midtier is set up to use Digest
> Authentication to provide the security we need. Everything is working as it
> should except we have noticed a strange behaviour in the system running in
> our client's live environment - every single request to the server is
> getting a 401 Access Denied message and having to re-authenticate.
>
> My understanding of how digest authentication works is:
>
> - First request to server is given 401 Access Denied message with nonce
> attached in headers
> - Client resends with username, password and nonce it receives, and server
> authenticates user and caches information
> - Every subsequent request is sent with username, password and nonce and no
> re-authentication is required because server uses cached information
>
> This is the behaviour we are seeing in our test and development environments
> but in our live environment, with the same mid-tier and client versions of
> the application, we see every request having to go through the
> 401/authentication process. As you can imagine this is affecting system
> performance and bandwidth usage.
>
> Does anyone have an idea of where we should start looking to see why each
> request needs to be authenticated? I'm assuming it's a web server
> configuration issue but I have checked the basic security setup and it all
> looks ok. If you have seen behaviour like this before then please let me
> know.
>
> Thanks
>
> Steve
>
>
>
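
For reference, the RFC 2617 digest exchange this thread is about, as an added example that is not part of the original posts: the client answers the 401 challenge with an MD5 response derived from the password, and can keep reusing the server's nonce with an increasing nonce count until the server no longer accepts that nonce. `ToyDigestServer`, the `/soap` URI and the credentials are constructed for illustration and do not model IIS.

```python
import hashlib, hmac, secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for qop=auth, algorithm=MD5."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")  # only this hash chain goes on the wire
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:auth:{ha2}")

class ToyDigestServer:
    """Hypothetical in-memory model of the server side; not IIS code."""
    def __init__(self, realm, users):
        self.realm, self.users = realm, users
        self.nonces = {}                         # nonce -> highest nc accepted

    def new_nonce(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def handle(self, method, uri, auth=None):
        if auth is None:                         # first contact: issue a challenge
            return 401, f'Digest realm="{self.realm}", qop="auth", nonce="{self.new_nonce()}"'
        last_nc = self.nonces.get(auth["nonce"])
        if last_nc is None:                      # nonce expired or never issued
            return 401, "stale=true"
        if auth["nc"] <= last_nc:                # same nonce count seen before
            return 401, "nonce count reused"
        password = self.users.get(auth["username"])
        expected = password is not None and digest_response(
            auth["username"], self.realm, password, method, uri,
            auth["nonce"], auth["nc"], auth["cnonce"])
        if not expected or not hmac.compare_digest(expected, auth["response"]):
            return 401, "bad credentials"
        self.nonces[auth["nonce"]] = auth["nc"]
        return 200, "ok"

def demo():
    """Status codes for: anonymous, nc=1, nc=2, replayed nc=2, nonce dropped by server."""
    srv = ToyDigestServer("example-realm", {"alice": "constructed-password"})
    codes = [srv.handle("POST", "/soap")[0]]
    nonce = srv.new_nonce()
    def signed(nc):
        resp = digest_response("alice", srv.realm, "constructed-password",
                               "POST", "/soap", nonce, nc, "c0ffee")
        return {"username": "alice", "nonce": nonce, "nc": nc, "cnonce": "c0ffee", "response": resp}
    codes += [srv.handle("POST", "/soap", signed(nc))[0] for nc in (1, 2, 2)]
    srv.nonces.clear()                           # server forgets its nonces (restart, expiry)
    codes.append(srv.handle("POST", "/soap", signed(3))[0])
    return codes
```

When comparing environments, a capture that shows whether the client's `Authorization` header is present on the first attempt of each request, and whether `nc` increases, separates client-side behaviour from server-side nonce rejection.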

