Re: HTTP_AUTHORIZATION header



Can you explain how IIS can distinguish between you directly typing in the
address of the CGI in the address bar vs. the FORM submit?

The answer is -- IIS cannot distinguish between those two cases. Thus, if
you see different behavior in those two situations, it's either client-side
variation or misunderstanding of the authentication protocol involved.

For NTLM, I do not expect HTTP Authorization header to be sent on the second
and subsequent requests after the initial negotiation completes.

For Basic, I expect the HTTP Authorization header to be sent on all
requests.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"AWillemsen" <AWillemsen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:47D24246-0A0F-4592-BA23-91A29232F5CF@xxxxxxxxxxxxxxxx
I am running IIS 5.1 on XP SP2. I have two virtual directories in the same
Web site that have anonymous access disabled - one contains HTML pages and
the other contains a CGI executable. One of the HTML pages has a form which
executes the CGI.

If I open a new browser window, and then open the HTML page with the form, I
get asked for credentials (as expected). I then submit the form which
executes the CGI. The first 2 times I do this, IIS passes to the CGI the
AUTH_TYPE variable with the correct value (Basic or Negotiate, depending on
which authentication scheme I have set up) but it does not pass the
HTTP_AUTHORIZATION variable. The 3rd and subsequent times, both variables
get passed.

Is this a bug in IIS?

Note that I tried authenticating against the CGI first, by opening a new
browser window and typing in the address of the CGI in the address bar. This
asked me for credentials, as expected. If I then go to the HTML form and
submit it, the HTTP_AUTHORIZATION header gets passed to the CGI every time.
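
Added example, not part of either post and not IIS code: a CGI-side sketch that takes the caller's identity from the variables the server sets (AUTH_TYPE, plus the standard CGI variable REMOTE_USER, which is assumed to be populated) and treats HTTP_AUTHORIZATION only as optional diagnostic input, since the reply above expects it on every Basic request but not after an NTLM handshake completes. The function names and the sample environment are hypothetical.

```python
import base64
import binascii
import struct

NTLM_SIG = b"NTLMSSP\x00"  # 8-byte signature that opens every NTLM message
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def describe_authorization(header):
    """Summarise an Authorization header value without returning any secret."""
    if not header:
        return {"present": False}
    scheme, _, token = header.strip().partition(" ")
    info = {"present": True, "scheme": scheme.lower()}
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        info["malformed"] = True
        return info
    if info["scheme"] == "basic":
        # Keep only the user name; the password part is discarded.
        info["user"] = raw.partition(b":")[0].decode("utf-8", "replace")
    elif raw.startswith(NTLM_SIG) and len(raw) >= 12:
        # Message type is a little-endian uint32 right after the signature.
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        info["ntlm_message"] = NTLM_TYPES.get(msg_type, "UNKNOWN")
    return info

def identify_caller(environ):
    """Identify the caller from server-set variables, not from the raw header."""
    auth_type = environ.get("AUTH_TYPE", "")
    user = environ.get("REMOTE_USER", "")  # assumption: server sets REMOTE_USER
    header = describe_authorization(environ.get("HTTP_AUTHORIZATION"))
    result = {"authenticated": bool(auth_type and user), "auth_type": auth_type,
              "user": user, "header": header}
    # Per the reply: Basic repeats the header on every request, so its absence
    # is worth logging; NTLM omits it once the handshake is done.
    result["missing_header_unexpected"] = (
        auth_type.lower() == "basic" and not header["present"])
    return result

if __name__ == "__main__":
    # Constructed sample environment, not captured from a real server.
    cred = base64.b64encode(b"alice:not-a-real-password").decode()
    env = {"AUTH_TYPE": "Basic", "REMOTE_USER": "alice",
           "HTTP_AUTHORIZATION": "Basic " + cred}
    print(identify_caller(env))
```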


