Re: Authentication troubles

From: Jerry (jerry.giacinto_at_ketteng.com.nospam.com)
Date: 03/24/04


Date: Wed, 24 Mar 2004 07:59:25 -0700

Ken,

  Thanks again for the helpful information!

  I have used Verisign in the past to purchase certificates for an Outlook
Web Access site. You are correct that I would prefer to use a certificate
that the browsers already trust. Is this the case with certificates created
using Microsoft's Certificate Services? (i.e., do browsers already trust
those certificates?) I'll look into it today to see if I can find an
answer. Of course, you have to purchase a certificate from Verisign, but
I'd have to read up on what the cost gets you that using MS Certificate
Services doesn't.

Thank you again,
  Jerry

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:OYbiM1TEEHA.2308@tk2msftngp13.phx.gbl...
> Hi Jerry,
>
> Integrated Windows Authentication offers two authentication mechanisms:
> a) Kerberos (not supported by Windows 9x)
> -and-
> b) NTLM v2
>
> If you have enabled IWA, then the Win95 client cannot use Kerberos
> (unless you've installed the separate AD client as well. Additionally,
> Kerberos authentication requires that the client be able to contact the
> Domain Controllers directly, which is unlikely).
>
> So, I think you are using NTLM v2. Note, I'm pretty sure NTLM v2 includes
> support for NTLM (unless you disable this manually, e.g. by switching to
> Windows 2000 Native Mode on your DCs, or by setting a reg key on
> stand-alone servers).
>
> You can either get a cert from a commercial authority, or use Microsoft
> Certificate Services (or your own CA software). However, in order for users
> not to get a warning about the validity of the cert, they will need to
> trust the CA (e.g. by importing the CA's root certificate - possible to do
> in an intranet/extranet scenario - not so feasible if this is a public
> website viewable by the public at large), or you need to use a commercial
> provider like Thawte or Verisign, where the browser already has trust for
> the CA built-in by the manufacturer (e.g. Microsoft).
>
> Follow this if you want to setup SSL using MS Cert Services:
> http://support.microsoft.com/?id=299525
>
> Cheers
> Ken
>
>
> "Jerry" <jerry.giacinto@ketteng.com.nospam.com> wrote in message
> news:e7CJXeOEEHA.2564@TK2MSFTNGP11.phx.gbl...
> : Thanks for your responses, Ken and Bernard.
> :
> : I don't think that he is using NTLM v.2, but I'm really not sure how to
> : tell. The reason I think that he's not is because I know it's not
> : "default" behavior for Win 9x clients, and I set up his computer to begin
> : with. However, one of my tests was to enable NTLM v.2 per MS KB Q239869
> : (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q239869). When
> : that didn't work, I removed the registry change that forced NTLM v.2. Now
> : that I think of it, I never tried the setting to force LM and NTLM only -
> : may be worth a shot.
> :
> : I should've mentioned that the web server is not part of a domain. Good
> : idea, though.
> :
> : As for SSL, I actually would prefer that myself. Is the only way to
> : enable SSL to purchase a security certificate from a company such as
> : Verisign? And, if so, once I have the certificate, how do I apply it just
> : to the Virtual Directory in IIS (the web folder)? When I view the
> : properties for the virtual directory, the Server Certificate button is
> : grayed out. Currently, the web folder is a virtual directory under the
> : actual website. So users access it as www.domainname.com/webfolder, for
> : example. I think that's the only way for me to set it up. I guess I would
> : apply the certificate at the site level and require secure communications
> : at the web folder level?
> :
> : Thanks and best regards,
> : Jerry
> :
> : "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> : news:e1MRgvJEEHA.3980@TK2MSFTNGP09.phx.gbl...
> : > If users are coming from the internet, I would suggest you configure
> : > Basic Auth with SSL.
> : >
> : > --
> : > Regards,
> : > Bernard Cheah
> : > http://support.microsoft.com/
> : > http://www.msmvps.com/bernard/
> : >
> : >
> : > "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> : > news:eyehAOIEEHA.3372@TK2MSFTNGP10.phx.gbl...
> : > > a) NTLM v2 authentication does not work through most proxy servers,
> : > > because it requires an open end-to-end connection between server and
> : > > client for a couple of back-and-forward messages. If there is a proxy
> : > > server between him and your server, NTLM v2 authentication will most
> : > > likely fail.
> : > >
> : > > b) Ensure that he is including the appropriate Domain Name in the user
> : > > credentials: Domain\Username, otherwise IIS will use the local machine,
> : > > i.e. assume that the user wants WebServerName\UserName which may not be
> : > > a valid account.
> : > >
> : > > Cheers
> : > > Ken
> : > >
> : > > "Jerry" <jerry.giacinto@ketteng.com.nospam.com> wrote in message
> : > > news:%232d11lGEEHA.2908@TK2MSFTNGP09.phx.gbl...
> : > > : I have a web folder set up on IIS 5 on Win 2K server. The
> : > > : authentication level is set to Integrated Windows Authentication, and
> : > > : I do not allow anonymous access. It wouldn't matter if I did, because
> : > > : the folder and its contents have specific NTFS permissions. This has
> : > > : been working well for all clients accessing it until now.
> : > > :
> : > > : One client is running Win 98 SE with IE 5.5 SP2 - current on all
> : > > : patches. When the user tries to connect from that machine using IE, he
> : > > : gets prompted three times for a username and password, then it gives
> : > > : the "You are not authorized to view this page" message in IE. When he
> : > > : tries to add the web folder in Windows Explorer, he gets prompted
> : > > : three times, then gets the message, "You do not have permission to
> : > > : access this web folder location." All I get in the IIS log is a 401
> : > > : entry, but no error messages or indication of what is happening.
> : > > :
> : > > : When I switch the authentication to Basic, he is able to logon just
> : > > : fine. It appears that the username is not being received correctly by
> : > > : IIS because he is not able to lock out the account after enough tries
> : > > : with an intentionally wrong password (but it can be done by a client
> : > > : that is able to logon normally).
> : > > :
> : > > : He is running Roadrunner-provided high-speed internet with Norton
> : > > : Personal Firewall. He has tried with the firewall software disabled,
> : > > : but that did not work. I have verified that the server will accept LM,
> : > > : NTLM, and NTLM v.2 requests. I have verified his IE Security and
> : > > : Advanced settings with a similar client that is able to logon
> : > > : correctly. I am running out of ideas. The only thing I can figure is
> : > > : that Roadrunner may have something in their setup that is not allowing
> : > > : this to function - but that seems like a long shot.
> : > > :
> : > > : Although I have found several posts dealing with Integrated Windows
> : > > : Authentication and logon failures, I have not found any that solve or
> : > > : explain my circumstance. Any help would be greatly appreciated.
> : > > :
> : > > : One side note about the IIS logs - when it logs his attempt to
> : > > : connect, his client information is listed as
> : > > : (compatible;+MSIE+5.5;+Windows+98;+T312461). I looked up the T312461
> : > > : because it doesn't show up on any other clients that I've seen, even
> : > > : if they are current on MS patches. It does not appear to be part of
> : > > : the authentication problem, but I'm including it just in case it
> : > > : sticks out to someone.
> : > > :
> : > > : Thanks for your help,
> : > > : Jerry
> : > > :
> : > > :
> : > >
> : > >
> : >
> : >
> :
> :
>
>
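Added example, not code from anyone in this thread. Jerry says he is "not sure how to tell" which response the Win98 client sends, and Ken's point (b) is that a missing domain makes IIS try WebServerName\UserName. Both facts are visible in the final NTLM message the client sends. The Python script below parses the Type 3 AUTHENTICATE_MESSAGE carried in an "Authorization: NTLM <base64>" header (for example, captured with a packet sniffer on the server's non-SSL side), reports the Domain\Username and workstation, classifies the response as LM/NTLMv1, NTLMv1 with NTLM2 session security, or NTLMv2, maps that to the client LmCompatibilityLevel values described in KB Q239869, and says whether a server at a given level would accept it. Assumptions: the sample headers and names (KETTENG, WIN98PC, WIN2KPC) are constructed with filler bytes rather than real hashes; OEM-encoded names are decoded as cp437; treating identical LM and NT fields as level 2 reflects Windows client behaviour, not anything stated in the thread.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
ZERO8, ZERO16 = bytes(8), bytes(16)


def _field(msg, off):
    """Decode a (Len, MaxLen, Offset) security-buffer descriptor at `off`."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length], offset


def classify(lm, nt):
    """Name the response type from the LM and NT challenge-response buffers."""
    if len(nt) > 24 and nt[16:18] == b"\x01\x01":
        return "NTLMv2"  # 16-byte NTProofStr + NTLMv2_CLIENT_CHALLENGE (RespType 1, HiRespType 1)
    if len(nt) == 24:
        if len(lm) == 24 and lm[:8] != ZERO8 and lm[8:] == ZERO16:
            return "NTLMv1 with NTLM2 session security"  # LM field = 8-byte client nonce + zeros
        if lm == nt:
            return "NTLMv1 only"  # Windows at LmCompatibilityLevel 2 copies the NTLM response into the LM field
        return "LM and NTLMv1"
    if not nt and len(lm) == 24:
        return "LM only"
    return "unrecognized"


# Client LmCompatibilityLevel values (KB Q239869) consistent with each response type.
CLIENT_LEVELS = {
    "LM and NTLMv1": (0, 1),
    "NTLMv1 with NTLM2 session security": (1,),
    "NTLMv1 only": (2,),
    "NTLMv2": (3, 4, 5),
    "LM only": (),
    "unrecognized": (),
}


def server_accepts(server_level, kind):
    """KB Q239869: a server at level 4 refuses LM, at level 5 refuses LM and NTLM."""
    if kind == "NTLMv2":
        return True
    if kind == "LM only":
        return server_level <= 3
    if kind == "unrecognized":
        return False
    return server_level <= 4


def parse_authenticate(header_value):
    """Parse 'Authorization: NTLM <base64>' carrying a Type 3 AUTHENTICATE_MESSAGE."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(b64)
    if msg[:8] != NTLMSSP or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE (type 3)")
    lm, lm_off = _field(msg, 12)
    nt, nt_off = _field(msg, 20)
    domain, d_off = _field(msg, 28)
    user, u_off = _field(msg, 36)
    wks, w_off = _field(msg, 44)
    # Old clients end the fixed header at offset 52 (no session-key field, no
    # flags); find where the payload starts before reading flags at offset 60.
    offsets = [o for o in (lm_off, nt_off, d_off, u_off, w_off) if o]
    payload_start = min(offsets) if offsets else len(msg)
    flags = struct.unpack_from("<I", msg, 60)[0] if payload_start >= 64 else 0
    if flags & NEGOTIATE_UNICODE or (payload_start < 64 and b"\x00" in user):
        enc = "utf-16-le"
    else:
        enc = "cp437"  # OEM text; cp437 is an assumption made for this example
    kind = classify(lm, nt)
    return {
        "user": user.decode(enc),
        "domain": domain.decode(enc),  # empty => IIS tries WebServerName\user (Ken's point b)
        "workstation": wks.decode(enc),
        "response": kind,
        "client_levels": CLIENT_LEVELS[kind],
    }


def build_authenticate(user, domain, wks, lm, nt, unicode=True):
    """Constructed Type 3 message for the samples below (flags at 60, no Version/MIC)."""
    enc = "utf-16-le" if unicode else "cp437"
    fields = [lm, nt, domain.encode(enc), user.encode(enc), wks.encode(enc), b""]
    hdr, payload = NTLMSSP + struct.pack("<I", 3), b""
    for f in fields:
        hdr += struct.pack("<HHI", len(f), len(f), 64 + len(payload))
        payload += f
    hdr += struct.pack("<I", NEGOTIATE_UNICODE if unicode else 0)
    return "NTLM " + base64.b64encode(hdr + payload).decode("ascii")


# Constructed samples: names are made up; the responses are filler bytes, not real hashes.
V1_HEADER = build_authenticate("jerry", "KETTENG", "WIN98PC",
                               lm=bytes(range(1, 25)), nt=bytes(range(101, 125)))
V2_BLOB = b"\x01\x01" + bytes(6) + bytes(8) + bytes(8) + bytes(4) + bytes(4)  # RespType .. AvPairs end
V2_HEADER = build_authenticate("jerry", "KETTENG", "WIN2KPC",
                               lm=bytes(range(1, 25)), nt=bytes(range(101, 117)) + V2_BLOB)
NO_DOMAIN_HEADER = build_authenticate("jerry", "", "WIN98PC",
                                      lm=bytes(range(1, 25)), nt=bytes(range(1, 25)), unicode=False)

if __name__ == "__main__":
    for hdr in (V1_HEADER, V2_HEADER, NO_DOMAIN_HEADER):
        info = parse_authenticate(hdr)
        print("%s\\%s from %s: %s (client level %s); accepted at server level 3? %s" % (
            info["domain"] or "<none>", info["user"], info["workstation"],
            info["response"], info["client_levels"], server_accepts(3, info["response"])))
```

Run it against a header copied out of a capture of the failing client's third request (the one that follows the two 401 round trips). A result of "NTLMv1 only" or "LM and NTLMv1" with an empty domain matches the symptom Ken describes in point (b); a proxy in the path would usually show up as no Type 3 message arriving at all rather than a malformed one.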


