Re: IIS 5.0 Windows Authentication/NT Challenge Response

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 03/31/04


Date: Tue, 30 Mar 2004 14:41:02 -0800

Regarding your claims:
- The first response looks like it was for a request made to a vdir that has
anonymous authentication enabled on IIS. This is why I want you to prove
that the URL was made anonymously and whether the URL has anonymous access
disabled on IIS. If the URL doesn't have anonymous access enabled, then I
would see WWW-Authenticate response headers (but I do not see them). So,
you could have anonymous authentication enabled. Or you could be showing
auto-authenticated response, or you could have an ISAPI Filter doing custom
auth. In all cases, the issue is with your server configuration and not
core IIS behavior.
- The second response looks like the first leg of Integrated Authentication
handshake, which involves at least one 401 response with WWW-Authenticate
headers with the desired hash. Depending on which response in the handshake
you are showing me, this could be perfectly alright.

Basically, I think you have configuration issues/conflicts outside of IIS
control. If you have things properly configured, this is what should
happen:
1. You only have Integrated Authentication enabled on the entire website
2. If you make an anonymous request to it, it is rejected by a 401.2
3. If you make an NTLM request to it, first request is rejected by 401.1,
then on the second request of the handshake, the status code of the
response. You must have the correct username, password, and possibly
domain.

If you do not see this, then there is a configuration issue on your server
somewhere. If you have an ISAPI Filter installed, it could change IIS
behavior, especially if Basic authentication is enabled. If you have
anonymous authentication enabled for the URL, that would also affect the
outcome. If you have mixed authentication enabled on the website, then
depending on the client, behaviors could change.

Please verify that you do not have Anonymous authentication enabled at any
level of the website.

You need to show me:
1. The exact request made in WFetch (make sure that "Reuse socket" is
unchecked at all times)
2. The entire response from WFetch for #1 (in particular for the Integrated
Authentication case since a hand shake has multiple request/responses).
3. The Authentication configuration in effect for the URL in #1
4. Any custom ISAPI Extensions or ISAPI Filters

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
<anonymous@discussions.microsoft.com> wrote in message
news:152f301c415bf$dd8feb70$a501280a@phx.gbl...
Dave,
Thanks again. But, here is the response for the first one
which is Anonymous.
RESPONSE: **************\nHTTP/1.1 200 OK\r\n
Server: Microsoft-IIS/5.0\r\n
Date: Mon, 29 Mar 2004 18:55:24 GMT\r\n
Connection: close\r\n
Content-Type: text/html\r\n
Set-Cookie: Witango_UserReference=7F00000146B6DE420D2B5232031A4068711A; path=/\r\n
\r\n
<HTML>\r\n
And here is the response for the NTLM with userid and
password
RESPONSE: **************\nHTTP/1.1 401 Access Denied\r\n
Server: Microsoft-IIS/5.0\r\n
Date: Mon, 29 Mar 2004 18:56:38 GMT\r\n
WWW-Authenticate: NTLM TlRMTVNTUAACAAAACgAKADAAAAAVgongnw6C03Zr+aYAAAAAAAAAADoAOgA6AAAAUwBDAFcAVwBXAAIACgBTAEMAVwBXAFcAAQAQAEkATAA1ADAATgBUAEkANwADABAAaQBsADUAMABuAHQAaQA3AAAAAAA=\r\n
Content-Length: 4033\r\n
Content-Type: text/html\r\n
\r\n
SEC_E_OK - InitializeSecurityContext\n<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">\r\n
<html dir=ltr>\r\n
For me it looks like the first one, Anonymous, gives me a 200 and goes in
successfully, and the second one gives a 401 error.
What do you think?
>-----Original Message-----
>Ok, now that you have the URL, can you make the following two requests in
>WFetch for me.
>1. GET /xyz/xyz/xyz/embedded.taf   using Anonymous without "Reuse
>connection" checked
>2. GET /xyz/xyz/xyz/embedded.taf   using NTLM with a valid username and
>password.
>
>- The response for #1 should return 401.2 in the entity body.  Always.  This
>shows Anonymous is disabled and should address your concerns
>- The response for #2 should first be 401.1 in the entity body, and then a
>second response should end up being successful with 200.  This shows Windows
>Authentication is working.
>
>
>Based on what you have given, I only know that Windows Authentication is
>enabled on the server.  I do not know if Anonymous is disabled (so you need
>to make that first request and show me the results).
>
>
>//David
>IIS
>This posting is provided "AS IS" with no warranties, and confers no rights.
>//
>"JOHN" <anonymous@discussions.microsoft.com> wrote in message
>news:1365801c4128f$79c603a0$a401280a@phx.gbl...
>Dave,
>
>I placed the /xyz/xyz/xyz/embedded.taf in WFETCH Path and
>finally it got the following result:
>
>Note: But, I am successful in getting on to this location
>without any problems and it goes in straight to the page,
>as if there was anonymous authentication allowed.
>
>The permissions on this folder are as follows:
>
>Everyone: RX
>user who can access this folder has: RX
>
>
>
>I have just changed the hostname part alone here.
>REQUEST: **************\nGET /xyz/xyz/xyz/embedded.taf HTTP/1.1\r\n
>Host: abc.xyz.com\r\n
>Accept: */*\r\n
>Connection: Keep-Alive\r\n
>Authorization: NTLM TlRMTVNTUAADAAAAAQABAFoAAAAAAAAAWwAAAAAAAABAAAAAAAAAAEAAAAAaABoAQAAAABAAEABbAAAAFYqI4EkATAA1ADAATABUAEMANgAxADAASQBNAEcAAOxEfhFH3cckOsEYBrwCrCw=\r\n
>\r\n
>RESPONSE: **************\nHTTP/1.1 401 Access Denied\r\n
>Server: Microsoft-IIS/5.0\r\n
>Date: Thu, 25 Mar 2004 17:26:45 GMT\r\n
>WWW-Authenticate: Negotiate\r\n
>WWW-Authenticate: NTLM\r\n
>Connection: close\r\n
>Content-Length: 4033\r\n
>Content-Type: text/html\r\n
>\r\n
><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">\r\n
><html dir=ltr>\r\n
>\r\n
><head>\r\n
><style>\r\n
>a:link                  {font:8pt/11pt verdana;
>color:FF0000}\r\n
>a:visited               {font:8pt/11pt verdana;
>color:#4e4e4e}\r\n
></style>\r\n
>\r\n
><META NAME="ROBOTS" CONTENT="NOINDEX">\r\n
>\r\n
><title>You are not authorized to view this page</title>\r\n
>\r\n
><META HTTP-EQUIV="Content-Type" Content="text-html;
>charset=Windows-1252">\r\n
></head>\r\n
>\r\n
><script> \r\n
>function Homepage(){\r\n
><!--\r\n
>// in real bits, urls get returned to our script like this:\r\n
>// res://shdocvw.dll/http_404.htm#http://www.DocURL.com/bar.htm \r\n
>\r\n
>\t//For testing use DocURL = "res://shdocvw.dll/http_404.htm#https://www.microsoft.com/bar.htm"\r\n
>\tDocURL=document.URL;\r\n
>\t\r\n
>\t//this is where the http or https will be, as found by
>searching for :// but skipping the res://\r\n
>\tprotocolIndex=DocURL.indexOf("://",4);\r\n
>\t\r\n
>\t//this finds the ending slash for the domain server \r\n
>\tserverIndex=DocURL.indexOf("/",protocolIndex + 3);\r\n
>\r\n
>\t//for the href, we need a valid URL to the domain. We
>search for the # symbol to find the begining \r\n
>\t//of the true URL, and add 1 to skip it - this is the
>BeginURL value. We use serverIndex as the end marker.\r\n
>\t//urlresult=DocURL.substring(protocolIndex -
>4,serverIndex);\r\n
>\tBeginURL=DocURL.indexOf("#",1) + 1;\r\n
>\turlresult=DocURL.substring(BeginURL,serverIndex);\r\n
>\t\t\r\n
>\t//for display, we need to skip after http://, and go to
>the next slash\r\n
>\tdisplayresult=DocURL.substring(protocolIndex +
>3 ,serverIndex);\r\n
>\tInsertElementAnchor(urlresult, displayresult);\r\n
>}\r\n
>\r\n
>function HtmlEncode(text)\r\n
>{\r\n
>    return text.replace(/&/g, '&amp').replace
>(/'/g, '&quot;').replace(/</g, '&lt;').replace
>(/>/g, '&gt;');\r\n
>}\r\n
>\r\n
>function TagAttrib(name, value)\r\n
>{\r\n
>    return ' '+name+'="'+HtmlEncode(value)+'"';\r\n
>}\r\n
>\r\n
>function PrintTag(tagName, needCloseTag, attrib, inner)
>{\r\n
>    document.write( '<' + tagName + attrib + '>' +
>HtmlEncode(inner) );\r\n
>    if (needCloseTag) document.write( '</' + tagName
>+'>' );\r\n
>}\r\n
>\r\n
>function URI(href)\r\n
>{\r\n
>    IEVer = window.navigator.appVersion;\r\n
>    IEVer = IEVer.substr( IEVer.indexOf('MSIE') + 5,
>3 );\r\n
>\r\n
>    return (IEVer.charAt(1)=='.' && IEVer >= '5.5') ?\r\n
>        encodeURI(href) :\r\n
>        escape(href).replace(/%3A/g, ':').replace(/%
>3B/g, ';');\r\n
>}\r\n
>\r\n
>function InsertElementAnchor(href, text)\r\n
>{\r\n
>    PrintTag('A', true, TagAttrib('HREF', URI(href)),
>text);\r\n
>}\r\n
>\r\n
>//-->\r\n
></script>\r\n
>\r\n
><body bgcolor="FFFFFF">\r\n
>\r\n
><table width="410" cellpadding="3" cellspacing="5">\r\n
>\r\n
>  <tr>  \r\n
>    <td align="left" valign="middle" width="360">\r\n
>\t<h1 style="COLOR:000000; FONT: 13pt/15pt verdana"><!--Problem-->You are not authorized to view this page</h1>\r\n
>    </td>\r\n
>  </tr>\r\n
>  \r\n
>  <tr>\r\n
>    <td width="400" colspan="2">\r\n
>\t<font style="COLOR:000000; FONT: 8pt/11pt verdana">You
>do not have permission to view this directory or page
>using the credentials you supplied.</id></font></td>\r\n
>  </tr>\r\n
>  \r\n
>  <tr>\r\n
>    <td width="400" colspan="2">\r\n
>\t<font style="COLOR:000000; FONT: 8pt/11pt verdana">\r\n
>\t<hr color="#C0C0C0" noshade>\r\n
><p>Please try the following:</p>\r\n
>\r\n
><ul>\r\n
><li>Click the <a href="javascript:location.reload
>()">Refresh</a> button to try again with different
>credentials.</li>\r\n
>\r\n
><li>If you believe you should be able to view this
>directory or page, please contact the Web site
>administrator by using the e-mail address or phone number
>listed on the\r\n
> \r\n
>\t<script> \r\n
>\t<!--\r\n
>\tif (!((window.navigator.userAgent.indexOf("MSIE") > 0)
>&& (window.navigator.appVersion.charAt(0) == "2")))\r\n
>\t{\r\n
>\t\tHomepage();\r\n
>\t}\r\n
>\t//-->\r\n
>\t</script> home\r\n
>    page.</li>\r\n
></ul>\r\n
>\r\n
>    <h2 style="font:8pt/11pt verdana; color:000000">HTTP
>401.1 - Unauthorized: Logon Failed<br>\r\n
>    Internet Information Services</h2>\r\n
>\t\t\r\n
>\t<hr color="#C0C0C0" noshade>\r\n
>\t\r\n
>\t<p>Technical Information (for support personnel)</p>\r\n
>\t\r\n
><ul>\r\n
><li>More information:<br>\r\n
><a href="http://www.microsoft.com/ContentRedirect.asp?prd=iis&sbp=&pver=5.0&pid=&ID=401.1&cat=web&os=&over=&hrd=&Opt1=&Opt2=&Opt3=" target="_blank">Microsoft Support</a>\r\n
></li>\r\n
>\r\n
>    </font></td>\r\n
>  </tr>\r\n
>  \r\n
></table>\r\n
></body>\r\n
></html>\r\n
>
>
>
>
>
>>-----Original Message-----
>>This is an invalid URL:
>>
>>GET xyz/xyz/xyz/embedded.taf HTTP/1.1
>>
>>And so IIS returned 400, which says absolutely nothing about your question
>>concerning authentication
>>
>>Please try this URL (note the '/' at the beginning of the URL) using
>>anonymous authentication:
>>GET /xyz/xyz/xyz/embedded.taf HTTP/1.1
>>
>>
>>You can use WFetch to send an NTLM request as well to show that only
>>"Windows Authentication" works but not Basic or Anonymous.
>>
>>-- 
>>//David
>>IIS
>>This posting is provided "AS IS" with no warranties, and
>confers no rights.
>>//
>><anonymous@discussions.microsoft.com> wrote in message
>>news:12ca801c411d3$fffaba90$a401280a@phx.gbl...
>>Hi David,
>>
>>I downloaded the WFETCH tool and ran the tool and this is
>>the result I got out of it shown below. This is running in
>>Anonymous mode. I don't see it returning any errors but am
>>not sure, probably am not reading it properly.
>>
>>Do you see anything that is causing it to login
>>anonymously? The website URL and IP Address are just
>>examples, since I removed the original one.
>>
>>Thanks
>>John
>>
>>resolve hostname "abc.xyz.com"WWWConnect::Connect
>>("123.123.123.123","80")\nsource port: 3356\r\n
>>REQUEST: **************\nGET xyz/xyz/xyz/embedded.taf HTTP/1.1\r\n
>>Host: abc.xyz.com\r\n
>>Accept: */*\r\n
>>Connection: Keep-Alive\r\n
>>\r\n
>>RESPONSE: **************\nHTTP/1.1 400 Bad Request\r\n
>>Server: Microsoft-IIS/5.0\r\n
>>Date: Wed, 24 Mar 2004 19:09:07 GMT\r\n
>>Connection: close\r\n
>>Content-Type: text/html\r\n
>>Content-Length: 87\r\n
>>\r\n
>><html><head><title>Error</title></head><body>The parameter
>>is incorrect. </body></html>WWWConnect::Close
>>("123.123.123.123","80")\nclosed source port: 3356\r\n
>>
>>>-----Original Message-----
>>>It looks like the Web Browser machine happens to have sufficient credentials
>>>to auto-login to the web server, which does not have Anonymous enabled.  It
>>>only LOOKS like anonymous is allowed access, but that is NOT the case.  If
>>>what you say is true, it would be a huge security hole in IIS; but I'm 100%
>>>what you say isn't true, so you just need an explanation.
>>>
>>>The easiest way to prove this is to take a Network trace of all traffic
>>>coming into the web server, and you will see whether an anonymous request
>>>succeeds or not.  I'm sure you'll see 401.2 being returned for the anonymous
>>>requests (which is good -- anonymous requests are all rejected, as it
>>>should), and then you will see the web browser attempt to auto-login with
>>>NTLM a bunch of times (sequence of 401.2 and 401.1), and upon successful
>>>auto-login, you will see a 200 and successful retrieval of the content.
>>>
>>>The network trace will prove what is going on, regardless of all the
>>>automatic stuff that browsers do on your behalf.  Or you can use a tool like
>>>WFetch which shows you exactly what is going when you make a given request:
>>>http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en
>>>
>>>-- 
>>>//David
>>>IIS
>>>This posting is provided "AS IS" with no warranties, and confers no rights.
>>>//
>>>"John" <anonymous@discussions.microsoft.com> wrote in message
>>>news:1158701c41021$20e91d50$a401280a@phx.gbl...
>>>I have got the "Default Web Site", Another Site created
>>>under the name say "Lotus" for example. This Lotus website
>>>is having a folder called Lotus1 which should be accessed
>>>by people over the Internet through Windows Authentication
>>>method.
>>>
>>>I have disabled Anonymous access to this site and have
>>>only enabled Windows Authentication Mode. When I access
>>>this site internally or externally through the Internet it
>>>still does not ask for Windows Authentication; instead it
>>>goes in directly to the page which we feel is not secure.
>>>
>>>I am not sure this is happening in Windows NT 4.0 IIS 4.0
>>>Server as well as Windows 2000 IIS 5.0 server.
>>>
>>>This server has 2 IP Addresses and the Lotus site is
>>>assigned the second IP Address (Virtual IP Address you can
>>>say).
>>>
>>>Any clues why it is not working. Thank you for your
>>>response in advance.
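The following Python is an added example and is not part of the thread, nor Microsoft's or WFetch's code. It reads raw HTTP responses of the kind WFetch prints above, pulls the 401 substatus out of the entity body (IIS 5.0 puts "401.1"/"401.2" only in the HTML page, never in the status line, which is why David keeps asking for the body), and decodes the NTLM Type 2 challenge from a WWW-Authenticate: NTLM header so the response can be told apart from a plain rejection. The function names and verdict strings are this example's own; the three sample responses are reconstructed from the captures in the thread with their bodies trimmed, and the NTLM token is the one posted above. Decoding that token also shows something the thread's author may not have intended: the TargetInfo block names the server by NetBIOS domain, NetBIOS host and DNS host, so the "hostname part" redacted from the URL is still readable from the challenge any unauthenticated client receives.

```python
import base64
import re
import struct

# AV_PAIR ids from MS-NLMP 2.2.2.1; AvId 0 (MsvAvEOL) terminates the list.
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 7: "Timestamp"}
NEGOTIATE_TARGET_INFO = 0x00800000  # NTLMSSP_NEGOTIATE_TARGET_INFO


def parse_ntlm_challenge(b64_token):
    """Decode the NTLM CHALLENGE_MESSAGE (Type 2) from 'WWW-Authenticate: NTLM <token>'.

    Fixed part (MS-NLMP 2.2.1.2): Signature(8) MessageType(4) TargetNameFields(8)
    NegotiateFlags(4) ServerChallenge(8) Reserved(8) TargetInfoFields(8); the
    variable payload is addressed by (len, maxlen, offset) triples.
    """
    msg = base64.b64decode(b64_token)
    if msg[:8] != b"NTLMSSP\0":
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != 2:
        raise ValueError("expected a Type 2 challenge, got Type %d" % msg_type)
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    server_challenge = msg[24:32]
    target_name = msg[tn_off:tn_off + tn_len].decode("utf-16-le")
    av_pairs = {}
    if flags & NEGOTIATE_TARGET_INFO:
        ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
        pos, end = ti_off, ti_off + ti_len
        while pos + 4 <= end:
            av_id, av_len = struct.unpack_from("<HH", msg, pos)
            pos += 4
            if av_id == 0:
                break
            raw = msg[pos:pos + av_len]
            pos += av_len
            # Name-type pairs are UTF-16LE; anything else (Timestamp etc.) is kept as hex.
            value = raw.decode("utf-16-le") if av_id in (1, 2, 3, 4, 5) else raw.hex()
            av_pairs[AV_NAMES.get(av_id, "AvId%d" % av_id)] = value
    return {"flags": flags, "server_challenge": server_challenge.hex(),
            "target_name": target_name, "av_pairs": av_pairs}


def classify_response(raw):
    """Classify one raw HTTP response the way the thread reads WFetch output."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    www_auth = [l.split(":", 1)[1].strip() for l in lines[1:]
                if l.lower().startswith("www-authenticate:")]
    m = re.search(rb"HTTP\s+401\.(\d)", body)  # IIS 5.0 substatus lives in the body
    substatus = "401." + m.group(1).decode() if m else None
    challenge = None
    for value in www_auth:
        scheme, _, token = value.partition(" ")
        if scheme.upper() == "NTLM" and token:
            challenge = parse_ntlm_challenge(token)
    if status == 200:
        verdict = ("served; no WWW-Authenticate, so either anonymous access is "
                   "enabled for this URL or the client had already authenticated")
    elif status == 401 and challenge is not None:
        verdict = "handshake leg 2: server challenge received, client must answer with Type 3"
    elif status == 401 and substatus == "401.2":
        verdict = "rejected 401.2: denied by server configuration (anonymous not allowed)"
    elif status == 401 and substatus == "401.1":
        verdict = "rejected 401.1: logon failed (check username, password, domain)"
    else:
        verdict = "HTTP %d, substatus %s" % (status, substatus)
    return {"status": status, "www_authenticate": www_auth, "substatus": substatus,
            "challenge": challenge, "verdict": verdict}


# Sample inputs reconstructed from the captures in this thread (bodies trimmed,
# Content-Length dropped for that reason). The NTLM token is the one posted above.
TYPE2_TOKEN = ("TlRMTVNTUAACAAAACgAKADAAAAAVgongnw6C03Zr+aYAAAAAAAAAADoAOgA"
               "6AAAAUwBDAFcAVwBXAAIACgBTAEMAVwBXAFcAAQAQAEkATAA1ADAATgBUAE"
               "kANwADABAAaQBsADUAMABuAHQAaQA3AAAAAAA=")
ANON_200_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
                     b"Date: Mon, 29 Mar 2004 18:55:24 GMT\r\nConnection: close\r\n"
                     b"Content-Type: text/html\r\n"
                     b"Set-Cookie: Witango_UserReference=7F00000146B6DE420D2B5232031A4068711A; path=/\r\n"
                     b"\r\n<HTML>")
CHALLENGE_RESPONSE = (b"HTTP/1.1 401 Access Denied\r\nServer: Microsoft-IIS/5.0\r\n"
                      b"Date: Mon, 29 Mar 2004 18:56:38 GMT\r\n"
                      b"WWW-Authenticate: NTLM " + TYPE2_TOKEN.encode() +
                      b"\r\nContent-Type: text/html\r\n\r\n<html dir=ltr>")
LOGON_FAILED_RESPONSE = (b"HTTP/1.1 401 Access Denied\r\nServer: Microsoft-IIS/5.0\r\n"
                         b"Date: Thu, 25 Mar 2004 17:26:45 GMT\r\n"
                         b"WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n"
                         b"Connection: close\r\nContent-Type: text/html\r\n\r\n"
                         b"<html><head><title>You are not authorized to view this page</title>"
                         b"</head><body><h2>HTTP 401.1 - Unauthorized: Logon Failed<br>"
                         b"Internet Information Services</h2></body></html>")

if __name__ == "__main__":
    for name, raw in (("anonymous GET", ANON_200_RESPONSE),
                      ("NTLM GET, leg 2", CHALLENGE_RESPONSE),
                      ("NTLM GET, bad logon", LOGON_FAILED_RESPONSE)):
        print("%-20s %s" % (name, classify_response(raw)["verdict"]))
    # What an unauthenticated client learns from the server's challenge alone.
    print(parse_ntlm_challenge(TYPE2_TOKEN))
```

The precedence in classify_response follows David's description: a 401 that carries an NTLM token is a handshake leg and not a failure, a 401 with bare "WWW-Authenticate: NTLM" and "401.1" in the body is a logon failure, and a 200 without any WWW-Authenticate header cannot by itself distinguish "anonymous allowed" from "client already authenticated", which is exactly why he asks for the request as well.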