Re: Strange Digest Authentication behaviour

From: Roger Willcocks (RogerW@l-space-design.com)
Date: 01/27/03


From: "Roger Willcocks" <RogerW@l-space-design.com>
Date: Mon, 27 Jan 2003 23:51:31 +1300

Have you checked the keep-alive and proxy settings?

--
Roger Willcocks
Software Engineer
L-Space Design
http://www.l-space-design.com/
rogerw@l-space-design.com
"Putting your experience to work"
"Stephen McNabb" <smcnabb@vision_hatespam.com> wrote in message
news:xCdY9.3$qH4.4469@newsfep2-win.server.ntli.net...
> If I look at an HTTP trace of our system in our test environment I see the
> following behaviour:
>
> 1st Request
> - request posted to server
> - gets 401 back from server
> - request resent to server with digest info and nonce etc.
> - gets back 100 Continue from server and expected response
>
> Each subsequent request
> - request posted to server with digest info and nonce etc.
> - gets back 100 Continue from server and expected response
>
> Which is the way I expect Digest Authentication to work from reading the RFC
> and docs on the MSDN site.
>
> However in our live environment we get the following behaviour:
>
> 1st Request
> - request posted to server
> - gets 401 back from server
> - request resent to server with digest info and nonce etc.
> - gets back 100 Continue from server and expected response
>
> Each subsequent request
> - request posted to server
> - gets 401 back from server
> - request resent to server with digest info and new nonce etc.
> - gets back 100 Continue from server and expected response
>
> Which is not the way I understand digest authentication should work, i.e. an
> authentication session should be maintained after the initial
> challenge/response.
>
> Am I misunderstanding how Digest Authentication works? If not then does
> anyone have any ideas why our live environment is behaving differently? If
> it's any help we have set up our SOAP Toolkit 3 to use WinInet.
>
> Thanks for any help
>
> Steve
>
>
>
>
> "Roger Wolter[MSFT]" <rwolteronline@microsoft.com> wrote in message
> news:upfMgv1wCHA.1900@TK2MSFTNGP11...
> > That's the way the http stack does authentication.  After the first request
> > the server sends an error with the kind of authentication it requires.
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >
> > "Stephen McNabb" <smcnabb@vision_hatespam.com> wrote in message
> > news:1TQX9.4293$Lm4.784636@newsfep2-win.server.ntli.net...
> > > Hi,
> > >
> > > We have a VB6 front end client talking to a VB6 COM+ midtier using SOAP
> > > (MS Soap Toolkit 3). The IIS web server on the midtier is set up to use
> > > Digest Authentication to provide the security we need. Everything is
> > > working as it should except we have noticed a strange behaviour in the
> > > system running in our client's live environment - every single request
> > > to the server is getting a 401 Access Denied message and having to
> > > re-authenticate.
> > >
> > > My understanding of how digest authentication works is:
> > >
> > > - First request to server is given 401 Access Denied message with nonce
> > >   attached in headers
> > > - Client resends with username, password and nonce it receives, and
> > >   server authenticates user and caches information
> > > - Every subsequent request is sent with username, password and nonce and
> > >   no re-authentication is required because server uses cached information
> > >
> > > This is the behaviour we are seeing in our test and development
> > > environments but in our live environment, with the same mid-tier and
> > > client versions of the application, we see every request having to go
> > > through the 401/authentication process. As you can imagine this is
> > > affecting system performance and bandwidth usage.
> > >
> > > Does anyone have an idea of where we should start looking to see why
> > > each request needs to be authenticated? I'm assuming it's a web server
> > > configuration issue but I have checked the basic security setup and it
> > > all looks ok. If you have seen behaviour like this before then please
> > > let me know.
> > >
> > > Thanks
> > >
> > > Steve
> > >
> > >
> > >
> >
> >
>
>
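The two traces Steve describes (test environment: one 401 challenge, then every follow-up request accepted; live environment: a 401 with a fresh nonce on every request) can be reproduced with a small RFC 2617 Digest exchange. The code below is an added illustration and is not code from the poster, the SOAP Toolkit, WinInet or IIS; the realm, the credentials and the URI are constructed sample values, and the `keep_state` switch is an assumption used only to model a server that forgets the nonces it issued (the one concrete way a client that is doing everything right still gets re-challenged on each request).

```python
"""RFC 2617 Digest Authentication (qop="auth") with both sides of the exchange.
Added example, not the thread's own code. Realm, user and URI are constructed."""
import hashlib
import secrets
from typing import Optional

REALM = "example-midtier"          # constructed sample realm
USERS = {"steve": "s3cret"}        # constructed sample credential store


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def compute_response(method, uri, username, password, realm, nonce, nc, cnonce):
    """request-digest for qop=auth: KD(H(A1), nonce:nc:cnonce:qop:H(A2))."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestServer:
    """keep_state=False (assumed switch) models a server that forgets every nonce
    it issued, so each follow-up request draws a new 401 challenge."""

    def __init__(self, keep_state: bool = True):
        self.keep_state = keep_state
        self.nonces = {}           # nonce -> highest nonce-count (nc) accepted

    def challenge(self, stale: bool = False) -> dict:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        hdr = {"realm": REALM, "qop": "auth", "nonce": nonce, "algorithm": "MD5"}
        if stale:
            hdr["stale"] = "true"  # credentials were fine, only the nonce is unknown
        return {"status": 401, "www_authenticate": hdr}

    def handle(self, method: str, uri: str, auth: Optional[dict]) -> dict:
        if auth is None:
            return self.challenge()
        nonce = auth["nonce"]
        if nonce not in self.nonces:
            return self.challenge(stale=True)
        nc = int(auth["nc"], 16)
        if nc <= self.nonces[nonce]:          # replayed or reused nonce-count
            return self.challenge()
        password = USERS.get(auth["username"])
        if password is None:
            return self.challenge()
        expected = compute_response(method, uri, auth["username"], password,
                                    REALM, nonce, auth["nc"], auth["cnonce"])
        if not secrets.compare_digest(expected, auth["response"]):
            return self.challenge()
        if self.keep_state:
            self.nonces[nonce] = nc           # remember progress for this nonce
        else:
            self.nonces.clear()               # forget it all: next request is "stale"
        return {"status": 200}


class DigestClient:
    """Reuses the last nonce with an incrementing nc, sending Authorization up front."""

    def __init__(self, username, password):
        self.username, self.password = username, password
        self.nonce, self.nc = None, 0

    def _auth_header(self, method, uri):
        self.nc += 1
        nc, cnonce = f"{self.nc:08x}", secrets.token_hex(8)
        return {"username": self.username, "realm": REALM, "nonce": self.nonce,
                "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce,
                "response": compute_response(method, uri, self.username,
                                             self.password, REALM, self.nonce,
                                             nc, cnonce)}

    def request(self, server, method, uri):
        """Status codes seen for one logical request (retries once on 401)."""
        seen = []
        auth = self._auth_header(method, uri) if self.nonce else None
        resp = server.handle(method, uri, auth)
        seen.append(resp["status"])
        if resp["status"] == 401:
            self.nonce, self.nc = resp["www_authenticate"]["nonce"], 0
            resp = server.handle(method, uri, self._auth_header(method, uri))
            seen.append(resp["status"])
        return seen


def trace(keep_state: bool, requests: int = 3) -> list:
    server = DigestServer(keep_state=keep_state)
    client = DigestClient("steve", "s3cret")
    return [client.request(server, "POST", "/soap/midtier") for _ in range(requests)]


if __name__ == "__main__":
    print("test env:", trace(keep_state=True))    # [[401, 200], [200], [200]]
    print("live env:", trace(keep_state=False))   # [[401, 200], [401, 200], [401, 200]]
```

The server only accepts a follow-up request without a challenge if it still has the nonce it issued, which is the "cached information" the original post refers to; when that state is gone it answers 401 with `stale=true` and a new nonce, producing exactly the live-environment trace. When reading a real capture, a `stale=true` on the repeated 401s tells you the password was accepted and it is nonce state (or whatever sits between client and server, such as the proxy or connection handling Roger asks about) that is not being carried across requests.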

