Re: Strange Digest Authentication behaviour

From: Roger Willcocks (RogerW@l-space-design.com)
Date: 01/27/03


From: "Roger Willcocks" <RogerW@l-space-design.com>
Date: Mon, 27 Jan 2003 23:51:31 +1300

Have you checked the keep alive and proxy settings?

--
Roger Willcocks
Software Engineer
L-Space Design
http://www.l-space-design.com/
rogerw@l-space-design.com
"Putting your experience to work"

"Stephen McNabb" <smcnabb@vision_hatespam.com> wrote in message
news:xCdY9.3$qH4.4469@newsfep2-win.server.ntli.net...
> If I look at an HTTP trace of our system in our test environment I see the
> following behaviour:
>
> 1st Request
> - request posted to server
> - gets 401 back from server
> - request resent to server with digest info and nonce etc.
> - gets back 100 Continue from server and expected response
>
> Each subsequent request
> - request posted to server with digest info and nonce etc.
> - gets back 100 Continue from server and expected response
>
> Which is the way I expect Digest Authentication to work from reading the RFC
> and docs in the MSDN site.
>
> However in our live environment we get the following behaviour:
>
> 1st Request
> - request posted to server
> - gets 401 back from server
> - request resent to server with digest info and nonce etc.
> - gets back 100 Continue from server and expected response
>
> Each subsequent request
> - request posted to server
> - gets 401 back from server
> - request resent to server with digest info and new nonce etc.
> - gets back 100 Continue from server and expected response
>
> Which is not the way I understand digest authentication should work i.e. an
> authentication session should be maintained after the initial
> challenge/response.
>
> Am I misunderstanding how Digest Authentication works? If not then does
> anyone have any ideas why our live environment is behaving differently? If
> it's any help we have set up our SOAP Toolkit 3 to use WinInet.
>
> Thanks for any help
>
> Steve
>
>
>
>
> "Roger Wolter[MSFT]" <rwolteronline@microsoft.com> wrote in message
> news:upfMgv1wCHA.1900@TK2MSFTNGP11...
> > That's the way the http stack does authentication.  After the first request
> > the server sends an error with the kind of authentication it requires.
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >
> > "Stephen McNabb" <smcnabb@vision_hatespam.com> wrote in message
> > news:1TQX9.4293$Lm4.784636@newsfep2-win.server.ntli.net...
> > > Hi,
> > >
> > > We have a VB6 front end client talking to a VB6 COM+ midtier using SOAP (MS
> > > Soap Toolkit 3). The IIS web server on the midtier is set up to use Digest
> > > Authentication to provide the security we need. Everything is working as it
> > > should except we have noticed a strange behaviour in the system running in
> > > our client's live environment - every single request to the server is
> > > getting a 401 Access Denied message and having to re-authenticate.
> > >
> > > My understanding of how digest authentication works is:
> > >
> > > - First request to server is given 401 Access Denied message with nonce
> > > attached in headers
> > > - Client resends with username, password and nonce it receives, and server
> > > authenticates user and caches information
> > > - Every subsequent request is sent with username, password and nonce and no
> > > re-authentication is required because server uses cached information
> > > This is the behaviour we are seeing in our test and development environments
> > > but in our live environment, with the same mid-tier and client versions of
> > > the application, we see every request having to go through the
> > > 401/authentication process. As you can imagine this is affecting system
> > > performance and bandwidth usage.
> > >
> > > Does anyone have an idea of where we should start looking to see why each
> > > request needs to be authenticated? I'm assuming it's a web server
> > > configuration issue but I have checked the basic security setup and it all
> > > looks ok. If you have seen behaviour like this before then please let me
> > > know.
> > >
> > > Thanks
> > >
> > > Steve
> > >
> > >
> > >
> >
> >
>
>
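
The two traces compared in this thread, as an added example that is not from any poster and is not IIS, WinInet or SOAP Toolkit code: RFC 2617 lets a client reuse a server nonce on later requests by incrementing the nonce-count (nc), and lets the server answer 401 with stale=true to demand a fresh nonce. The toy server, the `max_uses` limit, the user, password, URI and cnonce below are constructed assumptions.

```python
import hashlib
import hmac

def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for qop=auth with the default MD5 algorithm."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:auth:{ha2}")

class ToyDigestServer:
    """Constructed verifier: each nonce is accepted for at most max_uses requests."""
    def __init__(self, realm, users, max_uses):
        self.realm, self.users, self.max_uses = realm, users, max_uses
        self.seen = {}  # nonce -> highest nonce-count accepted so far

    def new_nonce(self):
        nonce = md5_hex(f"constructed-nonce-{len(self.seen)}")  # toy value; real nonces are unguessable
        self.seen[nonce] = 0
        return nonce

    def check(self, user, method, uri, nonce, nc, cnonce, response):
        if nonce not in self.seen:
            return 401, "challenge"       # no Authorization header or unknown nonce
        if nc <= self.seen[nonce]:
            return 401, "replay"          # nonce-count must strictly increase
        if nc > self.max_uses:
            return 401, "stale"           # stale=true: client retries with a new nonce
        good = digest_response(user, self.realm, self.users.get(user, ""),
                               method, uri, nonce, nc, cnonce)
        if user not in self.users or not hmac.compare_digest(good, response or ""):
            return 401, "bad-credentials"
        self.seen[nonce] = nc
        return 200, "ok"

def round_trips(server, n_requests, user="steve", password="constructed-pw"):
    """Count HTTP exchanges for a client that reuses its nonce until it gets a 401."""
    trips, nonce, nc = 0, None, 0
    for _ in range(n_requests):
        status = 401
        while status != 200:
            trips, nc = trips + 1, nc + 1
            resp = nonce and digest_response(user, server.realm, password,
                                             "POST", "/soap", nonce, nc, "c0ffee")
            status, _note = server.check(user, "POST", "/soap", nonce, nc, "c0ffee", resp)
            if status == 401:
                nonce, nc = server.new_nonce(), 0  # take the fresh nonce from the 401
    return trips
```

With a generous `max_uses` the count is one challenge plus one exchange per request; with `max_uses=1` every request costs two exchanges, which is the shape of the second trace quoted above.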