Re: HTTP_AUTHORIZATION header

David - thank you for your reply. I now know a little more about NTLM - your
comments were appreciated.

I have checked out your suspicions, as follows:

1. AuthFlags is set to 2 (AuthBasic) for the entire site. I have checked
that the directory security has been propogated down from the entire set
settings to each of the two directories. The CGI reports AUTH_TYPE=Basic, as
well as the username and password that I authenticated with.

2. I have tested on two completely separate networks - one internal in the
US, and one in my home in the UK. I have even tested with no Internet
connection, and all exhibit the same behaviour. I can be fairly confident
that it is not a network setting or a proxy server.

3. I don't think I have installed any custom ISAPI filters - the only
active ones are as follows: sspifilt, Compression, md5filt, pwsdata and
ASP.NET_2.0.50727.42.

Note that the problem only occurs if I open a new browser window, request an
HTML file from one virtual directory, and then immediately execute a CGI from
another virtual directory. Authentication happens when I request the HTML
file.

I have done some more digging. On running AuthMon and doing the steps in
the preceding paragraph, I noticed that the first time I execute the CGI, I
get two AuthMonRows and no HTTP_AUTHORIZATION variable. The same thing
happens the second I time I execute the CGI. However, the third time I
execute it, I get four AuthMonRows and this time I do get an
HTTP_AUTHORIZATION variable. The fourth execution reverts to two
AuthMonRows. Here is the relevant section of the AuthMon log:

<AuthMonRow Number="100" tid="0x1b58" Date="03/27/2006 09:47:34.906"
Name="OnNewRequest" Url="/Scripts/Test.exe"
/>

<AuthMonRow Number="101" tid="0x1b58" Date="03/27/2006 09:47:34.906"
Name="OnNewRequest" Url="/Scripts/Test.exe"
/>


<AuthMonRow Number="102" tid="0x2b58" Date="03/27/2006 09:48:26.656"
Name="OnNewRequest" Url="/Scripts/Test.exe"
/>

<AuthMonRow Number="103" tid="0x2b58" Date="03/27/2006 09:48:26.656"
Name="OnNewRequest" Url="/Scripts/Test.exe"
/>


<AuthMonRow Number="104" tid="0x2b58" Date="03/27/2006 09:48:35.328"
Name="OnNewRequest" Url="/Scripts/Test.exe"
/>

<AuthMonRow Number="105" tid="0x2b58" Date="03/27/2006 09:48:35.328"
Name="OnNewRequest" Url="/Scripts/Test.exe"
/>

<AuthMonRow Number="106" tid="0x1b58" Date="03/27/2006 09:48:35.328"
Name="OnNewRequest" Url="/Scripts/Test.exe"
/>

<AuthMonRow Number="107" tid="0x1b58" Date="03/27/2006 09:48:35.328"
Name="OnNewRequest" Url="/Scripts/Test.exe"
/>


<AuthMonRow Number="108" tid="0x1b58" Date="03/27/2006 09:49:17.593"
Name="OnNewRequest" Url="/Scripts/Test.exe"
/>

<AuthMonRow Number="109" tid="0x1b58" Date="03/27/2006 09:49:17.593"
Name="OnNewRequest" Url="/Scripts/Test.exe"
/>

Hopefully, I will be testing another Web server today.

Thanks, Andrew


"David Wang [Msft]" wrote:

I cannot reproduce your claims on my XPSP2 IIS5.1 based on your
instructions. So, I believe your observations are isolated to just your
network.

I used both WFetch and IE6.

I use WFetch to make a Basic authenticated POST request against my CGI EXE
which returns HTTP_AUTHORIZATION (amongst many other server variables and
environment variables).

My CGI returns HTTP_AUTHORIZATION on first and every response.

I see the expected HTTP_AUTHORIZATION on all IE6-based Basic requests, too.

What I suspect is happening in your situation are:
1. Your server is not configured how you think. Make sure AuthFlags is
correct value for your URL
2. A misconfiguration in your networking. Maybe proxy server is doing NTLM
for you somehow
3. A custom ISAPI Filter on the server that is munging the Authorization:
header according to arbitrary logic

FYI: Nitpick on your stated understanding of authentication protocols -
Authorization: header is not expected for every request for NTLM
authentication request.
- It is required for every Basic authenticated request (since HTTP is
stateless, the fact that one request is basic authenticated means nothing
for the subsequent request, hence all requests must send Authorization:
header for Basic authentictaion
- It is required for initial NTLM handshake and not required thereafter
(NTLM uses TCP connection as state. Thus after first authenticated request,
all subsequent requests over the same connection is considered authenticated
and hence Authorization: header is not required for those subsequent
requests).

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"AWillemsen" <AWillemsen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:21DD82C6-74A2-4EEC-8D77-33C2159BA543@xxxxxxxxxxxxxxxx
I do not believe IIS is distinguishing between the two cases you mention.
If
I authenticate by displaying the HTML page containing the form, then it
does
not matter whether I execute the form or type the address of the CGI in -
both result in the HTTP_AUTHORIZATION header not being sent to the CGI.
IIS
passes the AUTH_TYPE and AUTH_USER (for Basic) headers, so the browser has
definitely authenticated. But it does not pass the HTTP_AUTHORIZATION
header
on the first form or CGI execution. This happens in both IE 6 and Firefox
1.5, and on multiple client machines, so I don't think it's client
variation.
I have also tried it on two other server machines, both running IIS 5.0,
and
it happens there too.

I do understand the authentication protocols involved, and I do expect the
HTTP_AUTHORIZATION header to be sent on every request, regardless of
whether
Basic or NTLM is used. And this does indeed happen - once the header is
sent, it is always sent.

From what I've seen, this does appear to be a bug in IIS...


"David Wang [Msft]" wrote:

Can you explain how IIS can distinguish between you directly typing in
the
address of the CGI in the address bar vs the FORM submit.

The answer is -- IIS cannot distinguish between those two cases. Thus, if
you see different behavior in those two situations, it's either
client-side
variation or misunderstanding of the authentication protocol involved.

For NTLM, I do not expect HTTP Authorization header to be sent on the
second
and subsequent requests after the initial negotiation completes.

For Basic, I expect the HTTP Authorization header to be sent on all
requests.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no
rights.
//

"AWillemsen" <AWillemsen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:47D24246-0A0F-4592-BA23-91A29232F5CF@xxxxxxxxxxxxxxxx
I am running IIS 5.1 on XP SP2. I have two virtual directories in the
same
Web site that have anonymous access disabled - one contains HTML pages
and
the other contains a CGI executable. One of the HTML pages has a form
which
executes the CGI.

If I open a new browser window, and then open the HTML page with the
form,
I
get asked for credentials (as expected). I then submit the form which
executes the CGI. The first 2 times I do this, IIS passes to the CGI
the
AUTH_TYPE variable with the correct value (Basic or Negotiate,
depending
on
which authentication scheme I have set up) but it does not pass the
HTTP_AUTHORIZATION variable. The 3rd and subsequent times, both
variables
get passed.

Is this a bug in IIS?

Note that I tried authenticating against the CGI first, by opening a
new
browser window and typing in the address of the CGI in the address bar.
This
asked me for credentials, as expected. If I then go to the HTML form
and
submit it, the HTTP_AUTHORIZATION header gets passed to the CGI every
time.







.