Re: IIS (or Isapi) adds 'Connection' header to response
- From: "David Wang [Msft]" <someone@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 22 Dec 2005 23:56:42 -0800
Your issue is with your code (either ISAPI or CGI) and not with IIS6 and
MSIE.
I would never rely on a bug in a browser implementation as the means to get
my solution to work. Basically, two wrongs don't make a right:
1. Your ISAPI/CGI causes a response with multiple conflicting Connection:
headers. That is your bug
2. Firefox ignoring Connection: headers is also a bug
If either of you fixes your bug, your "solution" breaks. That doesn't sound
like a real solution to me. :-)
> I don't currently have access to the ISAPI code. It would be
> great if there was a debug flag in IIS to help diagnose
> response transition before/during/after 3rd party code.
IIS6 in Windows Server 2003 SP1 has ETW Tracing which does exactly this. Not
available on any other IIS version.
I presume your ISAPI/CGI is the only thing that is forwarding requests from
the IIS gateway to your Servlet Engine (and you have code in the Servlet
Container that subsequently unwraps any forwarded metadata and performs
man-in-the-middle attack as appropriate to hack in the user name).
Thus, if all you want is the authenticated username from IIS in the Servlet
Container, you should:
1. Let IIS finish authenticating the remote user using whatever protocol you
defined in IIS
2. After authentication is complete, AUTH_USER is populated. You can use an
ISAPI Extension to forward the request to your Servlet Container at this
point, SANS the Authorization: NTLM header since it is no longer useful. You
can pass AUTH_USER value via any request header. You may even forward the
request using:
Authorization: Basic <Base64 Encoding of AUTH_USER>
I can tell you the one approach that won't work -- you cannot write an
ISAPI/CGI which merely passively captures and redirects NTLM traffic from
IIS to another server and then attempt to implement NTLM authentication on
that server. That is by definition a man-in-the-middle attack against the
protocol and thus thwarted by the authentication protocol.
What I am having you do is also a man-in-the-middle attack, but it is not
against the protocol but rather at the end point of the protocol (i.e. I'm
having you let IIS finish authentication and then independently fudge with
the details afterwards). You're not attacking the protocol and thus should
work.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"jimbob" <jsmyth1969@xxxxxxxxx> wrote in message
news:1135313560.385444.121190@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Wade,
>
> thanks for your excellent response!
>
> First, my issue is only with MSIE (I am using v6). Firefox (can I
> mention this on an MS group?) ignores the connection: close header in
> the response and sends the type 3 message anyway. This may be a fault
> or feature in firefox, but I know which way I see it!
>
> Unfortunately your top 3 answers can be discounted:
>
> 1. I have a CGI and an ISAPI version of my gateway. I mentioned that
> AFAIK CGI would not support keep-alive, so my described issue was
> related to my ISAPI module. (moreover I am seeing the same behaviour
> with IIS 6!)
>
> 2. A '200' response from my servlet container does not end up with a
> Connection close header.
>
> 3. I see a content-length header in the response (ethereal and
> ieHTTPHeaders)
>
> I don't currently have access to the ISAPI code. It would be great if
> there was a debug flag in IIS to help diagnose response transition
> before/during/after 3rd party code.
>
> The purpose of all this is to be able to determine (in the servlet
> container) who is logged in to the remote windows box. I realise this
> is apparently easy in a pure windows/asp world, but in my case I need
> this info to be available outside this realm. In my scenario my ISAPI
> plugin is configured for anonymous-auth only - in this way I can get
> the HTTP_AUTHORIZATION header in my app server by following the NTLM
> challenge/response mechanism. If there was another way to effectively
> pass remote windows username to a CGI/ISAPI module it would make life
> MUCH easier. (Note - I have been googling a lot and just found that
> maybe if I set integrated windows auth in IIS it will populate the
> environment variable AUTH_USER - will try this)
>
> Thanks again for your reply - and I will have a look at
> microsoft.public.platformsdk.internet.server.isapi-dev to see if there
> is anything else about this!
>
> rgds
> jim
>
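Added example, not part of either poster's code: a small Python model of the two points David makes above. The first function inspects a raw HTTP response and reports whether it carries conflicting `Connection:` semantics (the "two conflicting Connection: headers" bug attributed to the ISAPI/CGI). The second and third functions model the recommended hand-off: once IIS has populated `AUTH_USER`, the gateway drops the browser's NTLM `Authorization:` header and forwards the identity as `Authorization: Basic base64(user:)`, and the servlet container side decodes it. The sample response bytes, the header names, the empty-password form of the Basic credential, and the `trusted_gateway` flag are all assumptions made for the example; real ISAPI code would obtain `AUTH_USER` through `GetServerVariable`, which is not modelled here.

```python
import base64
from typing import Dict, List, Optional, Tuple

# Constructed sample response (not captured from the thread): the container
# replied with "Connection: keep-alive" and the gateway layer appended its own
# "Connection: close", which is exactly the conflict David describes.
SAMPLE_CONFLICTING_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: keep-alive\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def parse_response_headers(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP response into its status line and (name, value) pairs.

    Header names are lower-cased; duplicates are kept in order so that the
    caller can see every Connection header the response actually carried.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def check_connection_headers(raw: bytes) -> Dict[str, object]:
    """Report how many Connection headers a response has and whether they conflict.

    A response that says both "keep-alive" and "close" leaves the client to
    pick one, which is why MSIE and Firefox can behave differently on it.
    """
    _, headers = parse_response_headers(raw)
    tokens: List[str] = []
    count = 0
    for name, value in headers:
        if name == "connection":
            count += 1
            tokens.extend(t.strip().lower() for t in value.split(",") if t.strip())
    return {
        "count": count,
        "tokens": tokens,
        "conflict": "close" in tokens and "keep-alive" in tokens,
    }


def build_forwarded_request(inbound: Dict[str, str], auth_user: str) -> Dict[str, str]:
    """Model the gateway hand-off David recommends.

    IIS has already finished NTLM, so the browser's Authorization header is
    useless past this point and is dropped; AUTH_USER is carried to the
    container as a Basic credential with an empty password (an assumption
    about the exact encoding, since the post only says "Base64 of AUTH_USER").
    """
    forwarded = {k: v for k, v in inbound.items() if k.lower() != "authorization"}
    credential = base64.b64encode(f"{auth_user}:".encode("utf-8")).decode("ascii")
    forwarded["Authorization"] = "Basic " + credential
    return forwarded


def container_extract_user(headers: Dict[str, str], trusted_gateway: bool) -> Optional[str]:
    """Container side: recover the forwarded username.

    The Basic header carries no secret, so the container must only honour it
    when the request demonstrably came from the gateway (modelled here by the
    trusted_gateway flag, an assumption standing in for a network or
    shared-secret check).
    """
    if not trusted_gateway:
        return None
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, _password = decoded.partition(":")
    return user or None


if __name__ == "__main__":
    print(check_connection_headers(SAMPLE_CONFLICTING_RESPONSE))
    fwd = build_forwarded_request({"Host": "app.example", "Authorization": "NTLM <blob>"}, "CORP\\jim")
    print(fwd)
    print(container_extract_user(fwd, trusted_gateway=True))
```

Running the block on the constructed response reports two Connection headers with a keep-alive/close conflict; the forwarded request no longer carries the NTLM header, and the container only recovers `CORP\jim` when the gateway check passes.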
- References:
- IIS (or Isapi) adds 'Connection' header to response
- From: jimbob
- Re: IIS (or Isapi) adds 'Connection' header to response
- From: Wade A. Hilmo [MS]
- Re: IIS (or Isapi) adds 'Connection' header to response
- From: jimbob