Re: Digest access to UNC share
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 04/30/05
- In reply to: Alan van der Vyver: "Digest access to UNC share"
Date: Fri, 29 Apr 2005 20:01:48 -0700
> This occurs, even if the authenticating account is a
> domain administrator. It is also clearly not a
> straightforward permissions problem, because
> the account has access when using basic authentication.
Actually, this is a very straightforward problem. The concept you are
missing is "delegation".
> It is almost as if IIS does not have enough or the
> correct information to complete the network
> request when using digest authentication, but
> somehow does have what it needs for local access.
Here is the basic problem. Assume that the remote user authenticates to the
front-end web server using some user identity. Why should the front-end web
server be able to re-use that user identity to access resources on another
server unknown to the remote user?
Before you scoff at the question by saying "why, that's what most websites
do", consider a more pointed example. Suppose a user authenticates to the
web server, why should the web server be able to use your identity to
withdraw all the money from your bank?
Both examples are exactly the same thing to the web server, yet clearly you
want one to happen and the other NOT to happen. How you control this is
through delegation and using an authentication protocol that supports
delegation.
Basic authentication is implicit delegation. It passes the username/password
to the server, who can use it at will. The user only hopes that the server
doesn't do something bad with the implicit trust. Kerberos supports
delegation. NTLM/Digest do not support delegation. This should explain what
you are seeing.
Here is a URL that explains a bit more:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx
Thus, if you want the client to use digest and also want delegated access to
backend UNCs, an easy solution is to use Windows Server 2003 and protocol
transition to do this securely. Of course, you can always re-invent the
wheel by implementing your own custom authentication protocol instead of
using the openly designed Kerberos protocol, but then you are in charge of
all the security details.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Alan van der Vyver" <alanv@worldnet.att.net> wrote in message news:uUsvB2PTFHA.2676@TK2MSFTNGP10.phx.gbl...
> Hi!
> I am trying to set up webDAV folders using digest authentication. The event
> log shows the account authenticating correctly and everything works when
> trying to access a folder that is on the web server, but when trying to
> access a folder on another machine through a UNC name, after 3 attempts, IIS
> returns: "You are not authorized to view this page - You do not have
> permission to view this directory or page due to the access control list
> (ACL) that is configured for this resource on the Web server."
> This occurs, even if the authenticating account is a domain administrator.
> It is also clearly not a straightforward permissions problem, because the
> account has access when using basic authentication.
> It is almost as if IIS does not have enough or the correct information to
> complete the network request when using digest authentication, but somehow
> does have what it needs for local access.
> Any help would be appreciated.
> regards,
> Alan.
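The delegation states David describes (none, Kerberos-only constrained, constrained with protocol transition, unconstrained) are all visible on the web server's computer account in Active Directory. The following audit function is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and uses a placeholder computer name.

```powershell
# Added example (not from the original thread): classify a web server's
# delegation configuration in AD, which decides whether users who logged on
# to IIS with Digest can ever reach a back-end UNC share.
# Assumes the ActiveDirectory module; 'WEBSRV01' below is a placeholder.
function Get-DelegationMode {
    param([Parameter(Mandatory)][string]$ComputerName)

    $c = Get-ADComputer -Identity $ComputerName -Properties `
            TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

    $targets = @($c.'msDS-AllowedToDelegateTo')

    if ($c.TrustedForDelegation) {
        # Unconstrained: the host may reuse any user's identity against any
        # service. This is the "withdraw all the money" case; avoid it.
        $mode = 'Unconstrained (any service; avoid)'
    } elseif ($targets.Count -gt 0 -and $c.TrustedToAuthForDelegation) {
        # "Use any authentication protocol": S4U2Self protocol transition.
        # A Digest (or NTLM) logon at the front end can be turned into a
        # Kerberos ticket, but only for the SPNs listed in $targets.
        $mode = 'Constrained with protocol transition'
    } elseif ($targets.Count -gt 0) {
        # "Use Kerberos only": delegation works only when the browser itself
        # used Kerberos; Digest users still get 401 on the UNC.
        $mode = 'Constrained, Kerberos only'
    } else {
        # No delegation at all: the behaviour Alan reports.
        $mode = 'None (UNC access after Digest/NTLM logon will fail)'
    }

    [pscustomobject]@{
        Computer    = $c.Name
        Mode        = $mode
        AllowedTo   = $targets
        # File-share access needs a cifs/ SPN for the target file server.
        CifsTargets = @($targets | Where-Object { $_ -like 'cifs/*' })
    }
}

# Usage: Get-DelegationMode -ComputerName 'WEBSRV01'
```

An empty CifsTargets list with the "Constrained with protocol transition" mode means the account is set up correctly but is missing the file server's cifs/ SPN, which produces the same 401 as no delegation at all.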