Re: IIS 5.0 Windows Authentication/NT Challenge Response
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 03/23/04
- Next message: Daniel Schade \(remove NOSPAM.PLEASE for answer\): "IE did not show my client certificate"
- Previous message: JustMe_at_Home: "Re: How can I read FrontPage Admin/Author/Browse permissions for each subweb?"
- In reply to: John: "IIS 5.0 Windows Authentication/NT Challenge Response"
- Next in thread: anonymous_at_discussions.microsoft.com: "Re: IIS 5.0 Windows Authentication/NT Challenge Response"
- Reply: anonymous_at_discussions.microsoft.com: "Re: IIS 5.0 Windows Authentication/NT Challenge Response"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 23 Mar 2004 01:16:57 -0800
It looks like the Web Browser machine happens to have sufficient credentials
to auto-login to the web server, which does not have Anonymous enabled. It
only LOOKS like anonymous is allowed access, but that is NOT the case. If
what you say is true, it would be a huge security hole in IIS; but I'm 100%
sure what you say isn't true, so you just need an explanation.
The easiest way to prove this is to take a Network trace of all traffic
coming into the web server, and you will see whether an anonymous request
succeeds or not. I'm sure you'll see 401.2 being returned for the anonymous
requests (which is good -- anonymous requests are all rejected, as they
should be), and then you will see the web browser attempt to auto-login with
NTLM a bunch of times (sequence of 401.2 and 401.1), and upon successful
auto-login, you will see a 200 and successful retrieval of the content.
The network trace will prove what is going on, regardless of all the
automatic stuff that browsers do on your behalf. Or you can use a tool like
WFetch which shows you exactly what is going on when you make a given request:
http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
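One way to check what David describes from a captured trace, as an added example that is not part of the original thread: a small Python auditor that walks a request/response sequence (constructed inline) and confirms that requests without an Authorization header got 401 with a challenge, and that a 200 was served only after the NTLM Type 3 message. It relies only on the NTLMSSP signature and the little-endian message-type field of NTLM tokens; the sample tokens are constructed stubs, not real NTLM messages.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"

def ntlm_message_type(auth_header):
    """Return the NTLM message type (1, 2 or 3) carried in an Authorization or
    WWW-Authenticate header value, or None if no valid NTLM token is present."""
    scheme, _, token = auth_header.partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        raw = base64.b64decode(token)
    except ValueError:          # binascii.Error is a ValueError: malformed base64
        return None
    if not raw.startswith(NTLM_SIGNATURE) or len(raw) < 12:
        return None
    return struct.unpack_from("<I", raw, 8)[0]   # message type sits at offset 8

def audit_trace(exchanges):
    """Each exchange is (request_headers, status, response_headers).
    Returns a list of findings; an empty list means every 200 followed a
    completed NTLM handshake (Type 3) and every anonymous request got 401."""
    findings = []
    for i, (req, status, resp) in enumerate(exchanges):
        msg_type = ntlm_message_type(req.get("Authorization", ""))
        if status == 200 and msg_type != 3:
            findings.append(f"#{i}: 200 served without a completed NTLM handshake")
        if "Authorization" not in req and status != 401:
            findings.append(f"#{i}: anonymous request got {status}, expected 401")
        if status == 401 and "WWW-Authenticate" not in resp:
            findings.append(f"#{i}: 401 without a WWW-Authenticate challenge")
    return findings

def fake_ntlm(msg_type):
    # Constructed minimal token: signature + type only, not a real NTLM message.
    return "NTLM " + base64.b64encode(NTLM_SIGNATURE + struct.pack("<I", msg_type)).decode()

# Constructed trace matching the 401 -> 401 -> 200 sequence described above.
SAMPLE_TRACE = [
    ({}, 401, {"WWW-Authenticate": "NTLM"}),                                   # anonymous rejected
    ({"Authorization": fake_ntlm(1)}, 401, {"WWW-Authenticate": fake_ntlm(2)}), # server challenge
    ({"Authorization": fake_ntlm(3)}, 200, {}),                                 # auto-login succeeded
]

if __name__ == "__main__":
    print(audit_trace(SAMPLE_TRACE) or "OK: anonymous rejected, content served only after NTLM Type 3")
```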
"John" <anonymous@discussions.microsoft.com> wrote in message
news:1158701c41021$20e91d50$a401280a@phx.gbl...
I have the "Default Web Site" and another site created
under the name, say, "Lotus" for example. This Lotus website
has a folder called Lotus1 which should be accessed
by people over the Internet through the Windows Authentication
method.
I have disabled Anonymous access to this site and have
only enabled Windows Authentication Mode. When I access
this site internally or externally through the Internet it
still does not ask for a Windows Authentication; instead it
goes in directly to the page, which we feel is not secure.
I am not sure this is happening in Windows NT 4.0 IIS 4.0
Server as well as Windows 2000 IIS 5.0 server.
This server has 2 IP Addresses and the Lotus site is
assigned the second IP Address (Virtual IP Address, you can
say).
Any clues why it is not working? Thank you for your
response in advance.