Re: IIS Authentication Methods
From: Stephen L Nicoud (nicouds@hotmail.com)
Date: 03/13/03
- In reply to: Lisa Cozzens [MSFT]: "Re: IIS Authentication Methods"
From: "Stephen L Nicoud" <nicouds@hotmail.com> Date: Thu, 13 Mar 2003 06:30:08 -0500
I understand that is what is supposed to happen, but, as I said below, one user has reported that the version of Netscape he was using did not behave this way. Do you know that Netscape behaves correctly from personal experience in testing Netscape and observing the network traffic or are you just assuming that Netscape behaves correctly?
"Lisa Cozzens [MSFT]" <lcozzens@online.microsoft.com> wrote in message news:abwKw$Q6CHA.2252@cpmsftngxa08.phx.gbl...
> That's not correct. What happens is that the browser first tries to
> authenticate anonymously. IIS of course rejects that request and sends back
> a 401.2 "Login failed due to server configuration." In that response, it
> also sends one or more WWW-Authenticate headers stating which
> authentication mechanisms it supports. The browser selects from that list
> and sends the credentials over using the selected mechanism.
>
> So if you have only Integrated authentication enabled, IIS will *not* send
> a WWW-Authenticate: Basic header. When Netscape receives the list of
> supported authentication mechanisms, it will realize that it doesn't
> support any of them and just return the 401.2 error in the browser to the
> user. Netscape will *not* try to send any authentication information.
>
> Lisa
>
> --------------------
> > From: "Stephen L Nicoud" <nicouds@hotmail.com>
> > Subject: Re: IIS Authentication Methods
> > Date: Tue, 11 Mar 2003 18:31:18 -0500
> >
> > > When you use Netscape to access a site with both authentication methods
> > > enabled, Netscape will use Basic authentication, because it doesn't
> > > understand Integrated authentication.
> > Might be a good time to point out that some time ago one person in the
> > newsgroups claimed to do a netmon on the messages between Netscape and IIS
> > when on NT Challenge / Response is enabled on the IIS server. He claimed
> > that Netscape responded by prompting the user for credentials which, if the
> > user provided them, it tried to send back via Basic Authentication. The
> > Netscape user is not successful in gaining access, but if true, this would
> > mean that if you only employ NTCR (IWA) and if a valid user mistakenly uses
> > Netscape and provides credentials to the prompt, the username and password
> > will go over the wire in clear text. If one uses SSL regardless of the
> > authentication mechanism chosen, then this would not be a problem.
> >
>
> -----
> Please do not send email directly to this alias. This is an online
> account name for newsgroup participation only.
>
> This posting is provided "AS IS" with no warranties, and confers
> no rights. You assume all risk for your use.
>
> © 2003 Microsoft Corporation. All rights reserved.
>
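
Added example, not part of the original posts: one way to settle the question raised in this thread from a network capture is to compare the schemes the server offered in its 401 with the scheme the client actually used, and to flag Basic credentials that were never solicited or that travelled without TLS. The message layout (`dir`, `tls`, `status`, `headers`) and the sample exchange are constructed for illustration.

```python
import base64

# Constructed sample exchange (not captured traffic): the server offers only
# Integrated authentication, yet the client answers with Basic.
SAMPLE = [
    {"dir": "response", "tls": False, "status": 401,
     "headers": [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]},
    {"dir": "request", "tls": False,
     "headers": [("Authorization", "Basic " + base64.b64encode(
         b"EXAMPLE\\alice:constructed-pw").decode())]},
]

def offered_schemes(headers):
    """Scheme names taken from every WWW-Authenticate header of a 401."""
    # Assumes one challenge per header line, as described in the thread.
    return {v.split(None, 1)[0].lower()
            for k, v in headers
            if k.lower() == "www-authenticate" and v.strip()}

def audit(messages):
    """Return (finding, username) pairs for risky Basic credentials."""
    findings, offered = [], set()
    for msg in messages:
        if msg["dir"] == "response" and msg.get("status") == 401:
            offered = offered_schemes(msg["headers"])  # latest challenge wins
            continue
        if msg["dir"] != "request":
            continue
        for k, v in msg["headers"]:
            scheme, _, blob = v.partition(" ")
            if k.lower() != "authorization" or scheme.lower() != "basic":
                continue
            try:  # Basic is only base64; report the user name, never the password
                raw = base64.b64decode(blob.strip(), validate=True)
                user = raw.decode("latin-1").split(":", 1)[0]
            except ValueError:
                user = "<undecodable>"
            if "basic" not in offered:
                findings.append(("basic-not-offered", user))
            if not msg["tls"]:
                findings.append(("basic-without-tls", user))
    return findings
```

An empty result for a Netscape session against an Integrated-only site would support the behaviour described in the reply; a `basic-not-offered` finding would support the earlier netmon report.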