Re: IIS 5.0 Windows Authentication/NT Challenge Response

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 03/25/04


Date: Wed, 24 Mar 2004 18:41:08 -0800

This is an invalid URL:

GET xyz/xyz/xyz/embedded.taf HTTP/1.1

And so IIS returned 400, which says absolutely nothing about your question
concerning authentication.

Please try this URL (note the '/' at the beginning of the URL) using
anonymous authentication:
GET /xyz/xyz/xyz/embedded.taf HTTP/1.1

You can use WFetch to send an NTLM request as well to show that only
"Windows Authentication" works but not Basic or Anonymous.

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
<anonymous@discussions.microsoft.com> wrote in message
news:12ca801c411d3$fffaba90$a401280a@phx.gbl...
Hi David,
I downloaded the WFETCH tool and ran the tool and this is
the result I got out of it shown below. This is running in
Anonymous mode. I don't see it returning any errors but am
not sure, probably am not reading it properly.
Do you see anything that is causing it to login
anonymously? The website URL and IP Address are just
examples, since I removed the original one.
Thanks
John
resolve hostname "abc.xyz.com"WWWConnect::Connect("123.123.123.123","80")\nsource port: 3356\r\n
REQUEST: **************\nGET xyz/xyz/xyz/embedded.taf HTTP/1.1\r\n
Host: abc.xyz.com\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
\r\n
RESPONSE: **************\nHTTP/1.1 400 Bad Request\r\n
Server: Microsoft-IIS/5.0\r\n
Date: Wed, 24 Mar 2004 19:09:07 GMT\r\n
Connection: close\r\n
Content-Type: text/html\r\n
Content-Length: 87\r\n
\r\n
<html><head><title>Error</title></head><body>The parameter is incorrect. </body></html>WWWConnect::Close("123.123.123.123","80")\nclosed source port: 3356\r\n
>-----Original Message-----
>It looks like the Web Browser machine happens to have sufficient credentials
>to auto-login to the web server, which does not have Anonymous enabled.  It
>only LOOKS like anonymous is allowed access, but that is NOT the case.  If
>what you say is true, it would be a huge security hole in IIS; but I'm 100%
>sure what you say isn't true, so you just need an explanation.
>
>The easiest way to prove this is to take a Network trace of all traffic
>coming into the web server, and you will see whether an anonymous request
>succeeds or not.  I'm sure you'll see 401.2 being returned for the anonymous
>requests (which is good -- anonymous requests are all rejected, as it
>should), and then you will see the web browser attempt to auto-login with
>NTLM a bunch of times (sequence of 401.2 and 401.1), and upon successful
>auto-login, you will see a 200 and successful retrieval of the content.
>
>The network trace will prove what is going on, regardless of all the
>automatic stuff that browsers do on your behalf.  Or you can use a tool like
>WFetch which shows you exactly what is going on when you make a given request:
>http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en
>
>-- 
>//David
>IIS
>This posting is provided "AS IS" with no warranties, and confers no rights.
>//
>"John" <anonymous@discussions.microsoft.com> wrote in message
>news:1158701c41021$20e91d50$a401280a@phx.gbl...
>I have got the "Default Web Site", Another Site created
>under the name say "Lotus" for example. This Lotus website
>is having a folder called Lotus1 which should be accessed
>by people over the Internet through Windows Authentication
>method.
>
>I have disabled Anonymous access to this site and have
>only enabled Windows Authentication Mode. When I access
>this site internally or externally through the Internet it
>still does not ask for a Windows Authentication instead it
>goes in directly to the page which we feel is not secure.
>
>I am not sure this is happening in Windows NT 4.0 IIS 4.0
>Server as well as Windows 2000 IIS 5.0 server.
>
>This server has 2 IP Addresses and the Lotus site is
>assigned the second IP Address (Virtual IP Address you can
>say).
>
>Any clues why it is not working? Thank you for your
>response in advance.
>
>
>
>.
>
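
The distinction drawn in this thread (a 400 for a malformed request target says nothing about authentication; anonymous requests are answered with 401 and the NTLM handshake then ends in 200), as an added example that is not part of the original posts: a Python sketch that labels the exchanges seen on one keep-alive connection in a trace. The dictionary fields, label names and sample trace are constructed for illustration, and the header values are placeholders.

```python
def request_target_ok(request_line):
    """True if the request line has a usable target ('/path', absolute URI, or OPTIONS *)."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False
    method, target, _version = parts
    if target == "*":
        return method == "OPTIONS"
    return target.startswith(("/", "http://", "https://"))

def classify_connection(exchanges):
    """Label each request/response pair of ONE keep-alive connection, in order."""
    labels, authenticated = [], False
    for ex in exchanges:
        auth = ex.get("authorization") or ""
        scheme = auth.split(" ", 1)[0].upper()
        status = ex["status"]
        if not request_target_ok(ex["request_line"]):
            labels.append("invalid-request")       # 400 here is unrelated to auth
        elif status == 401 and not auth:
            labels.append("anonymous-rejected")    # what a locked-down site should show
        elif status == 401 and scheme == "NTLM":
            offered = ex.get("www_authenticate", [])
            challenge = any(h.upper().startswith("NTLM ") for h in offered)
            labels.append("ntlm-challenge" if challenge else "ntlm-failed")
        elif 200 <= status < 300 and scheme == "NTLM":
            authenticated = True                   # NTLM authenticates the connection
            labels.append("ntlm-authenticated")
        elif 200 <= status < 300 and not auth:
            # Without credentials, a 2xx is only anonymous access if NTLM has
            # not already completed on this same connection.
            labels.append("reused-ntlm-connection" if authenticated else "anonymous-allowed")
        else:
            labels.append("other")
    return labels

# Constructed samples; the paths reuse the placeholder URL from the thread.
GOOD = "GET /xyz/xyz/xyz/embedded.taf HTTP/1.1"
BAD_REQUEST = {"request_line": "GET xyz/xyz/xyz/embedded.taf HTTP/1.1",
               "authorization": None, "status": 400}
NTLM_TRACE = [
    {"request_line": GOOD, "authorization": None, "status": 401,
     "www_authenticate": ["NTLM"]},
    {"request_line": GOOD, "authorization": "NTLM <type1-placeholder>", "status": 401,
     "www_authenticate": ["NTLM <type2-placeholder>"]},
    {"request_line": GOOD, "authorization": "NTLM <type3-placeholder>", "status": 200},
    {"request_line": GOOD, "authorization": None, "status": 200},
]

if __name__ == "__main__":
    print(classify_connection([BAD_REQUEST]))
    print(classify_connection(NTLM_TRACE))
```

A label of `anonymous-allowed` on the first request of a fresh connection is the only result that would indicate anonymous access is actually enabled.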

