Re: Basic Authentication fails with Error 401.2 where Integrated s



Glad to hear a good resolution.

Yeah, ISAPI Filters (and ISAPI Extensions) are low-level extensions/
modifications of IIS server behavior. Thus, they are my most likely
culprits whenever IIS is not behaving the way it should.

It sounds like the ISAPI Filter is doing one standard Custom
Authentication pattern where the authenticated user credential is not
a real Windows user. What basically happens is the ISAPI Filter
hijacks SOME authentication pattern (in this case, the Basic
authentication pattern) to make the browser pop up the login dialog
and send over the username/password, base64-decodes the credentials,
authenticates against its own database, then alters the Authorization:
string to anonymous in the SF_NOTIFY_PREPROC_HEADERS event (remember, the
username/password is not a real Windows user, so it cannot allow IIS
to see it past SF_NOTIFY_PREPROC_HEADERS because then IIS will try to
log in with it, fail, and return 401.1).

The net effect is that you must have Anonymous authentication enabled
everywhere you want this custom Authentication filter to work, and the
filter hijacks the Basic Authentication pattern to pop up the login
dialog box. Of course, this filter destroys anyone trying to use Basic
authentication, but that's really a bug in the ISAPI filter in that it
implements an authentication protocol that does not peacefully coexist
with other protocols.

Another way for the filter to get the username/password is to send
back an HTML page that POSTs the username/password back to the server.
This will not require the filter to hijack the Basic authentication
pattern and thus allow it to co-exist with other authentication
schemes, but it *still* requires Anonymous authentication to be
enabled.

Anyways, this topic gets confusing and complicated really quickly, depending
on the custom ISAPI Filter code... so I'll stop here. :-)


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
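The filter pattern David describes above, as an added model (not code from the thread, and not the hosting provider's filter): a custom filter's SF_NOTIFY_PREPROC_HEADERS handler in both variants (hijack Basic, or leave Basic alone and take a POSTed form) followed by IIS 6's own logon decision, using the AuthFlags bits that the AuthDiag output later in the thread prints (5 = Anonymous | NTLM). The user tables, the /cpanel/ path the filter guards, the X-Filter-User header and what the filter does on a credential mismatch are all assumptions made for the example; 401.1 is modelled as "Windows logon failed" and 401.2 as "no credentials IIS is configured to accept".

```python
import base64

# IIS 6 AuthFlags bits (the thread's AuthDiag output shows 5 = Anonymous | NTLM).
AUTH_ANONYMOUS, AUTH_BASIC, AUTH_NTLM = 1, 2, 4

# Constructed sample data for this model; none of it comes from the thread.
WINDOWS_USERS = {"COMPUTERNAME\\jude": "W1ndows-pass"}  # accounts IIS can log on
FILTER_USERS = {"cpanel-admin": "cp-pass"}              # the filter's own database
FILTER_LOGIN_PATH = "/cpanel/"        # assumed: where the filter demands its own login
FILTER_USER_HEADER = "X-Filter-User"  # assumed: how the filter passes its result on


def parse_basic(auth_header):
    """'Basic <base64(user:pass)>' -> (user, pass); None if absent or malformed."""
    if not auth_header or not auth_header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[6:].strip(), validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, pwd = raw.partition(":")
    return (user, pwd) if sep else None


def basic_header(user, pwd):
    """Build the Authorization header a browser sends after the Basic dialog."""
    return "Basic " + base64.b64encode(f"{user}:{pwd}".encode("latin-1")).decode()


def login_filter_preproc(path, headers, mode):
    """The custom filter's SF_NOTIFY_PREPROC_HEADERS handler (modelled).

    Returns (headers as IIS will see them, response the filter sends itself or None).
    'hijack-basic': prompt via the Basic scheme, validate the credentials against
      FILTER_USERS, then blank Authorization (SetHeader("Authorization:", "")) so
      IIS never attempts a Windows logon with a name that is not a Windows user.
    'form-post': the login arrives in a POSTed form instead, so Authorization is
      left alone and real Basic/NTLM users are unaffected.
    """
    out = dict(headers)
    if mode == "form-post":
        return out, None
    creds = parse_basic(out.pop("Authorization", None))   # removed before IIS sees it
    if creds is not None and FILTER_USERS.get(creds[0]) == creds[1]:
        out[FILTER_USER_HEADER] = creds[0]                  # the filter's own logon state
    elif path.startswith(FILTER_LOGIN_PATH):
        # The filter answers the request itself; the WWW-Authenticate: Basic
        # challenge is what makes the browser show the username/password dialog.
        return out, "401 (sent by filter) WWW-Authenticate: Basic"
    # Outside FILTER_LOGIN_PATH the header has still been stripped: that is the
    # "does not coexist with Basic authentication" bug.
    return out, None


def iis_authenticate(auth_flags, headers):
    """IIS 6's logon decision once every filter has finished with the headers."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is not None:
        if not auth_flags & AUTH_BASIC:
            return "401.2"                  # Basic offered but not enabled here
        user, pwd = creds
        if WINDOWS_USERS.get(user) == pwd:
            return "200 as " + user
        return "401.1"                      # Windows logon failed
    if auth_flags & AUTH_ANONYMOUS:
        return "200 as anonymous"
    return "401.2"                          # no credentials and Anonymous disabled


def request(path, auth_flags, authorization=None, filter_mode=None):
    """One request through the (optional) global filter and then IIS."""
    headers = {"Host": "localhost"}
    if authorization:
        headers["Authorization"] = authorization
    if filter_mode:
        headers, early = login_filter_preproc(path, headers, filter_mode)
        if early:
            return early
    result = iis_authenticate(auth_flags, headers)
    if FILTER_USER_HEADER in headers:
        result += f" (filter user {headers[FILTER_USER_HEADER]})"
    return result


if __name__ == "__main__":
    jude = basic_header("COMPUTERNAME\\jude", "W1ndows-pass")
    cp = basic_header("cpanel-admin", "cp-pass")
    cpi = "/clients/Marketing4Tradesmen/cpi/"   # Basic only, like the thread's directory
    print(request(cpi, AUTH_BASIC, jude))                      # 200 as COMPUTERNAME\jude
    print(request(cpi, AUTH_BASIC, jude, "hijack-basic"))      # 401.2 (the thread's symptom)
    print(request(cpi, AUTH_BASIC, jude, "form-post"))         # 200 as COMPUTERNAME\jude
    print(request("/cpanel/", AUTH_ANONYMOUS, None, "hijack-basic"))  # 401 (sent by filter) ...
    print(request("/cpanel/", AUTH_ANONYMOUS, cp, "hijack-basic"))    # 200 as anonymous (filter user cpanel-admin)
    print(request("/cpanel/", AUTH_BASIC, cp, "hijack-basic"))        # 401.2 (filter user cpanel-admin)
```

The second and last print lines are the two points above in one place: a real Windows user's Basic credentials never reach IIS while the global filter is loaded, so a Basic-only directory answers 401.2; and the filter's own user only gets through where Anonymous is enabled, because by the time IIS looks at the request there are no credentials left on it.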

On Oct 30, 2:24 am, Jude Fisher <JudeFis...@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
David,

And please verify that there is no GLOBAL ISAPI FILTER -- you only
mentioned the ISAPI Filters tab for each website but not the global
ISAPI Filters tab for all websites.
Thank you, this was the issue.

I didn't realise the Web Sites folder in IIS manager threw up a global
properties dialog. My host had helpfully installed a control panel (Matrix)
which included a custom ISAPI filter called "Log In Filter". Removing that
solved the problem immediately. It would have been nice, of course, if the
host (Fasthosts) could have told me about this, but all their support was able
to do was offer to restore the server from scratch in order to repair the
problem they were certain I had caused. Not useful.

Thanks also to Roger for the time spent on this.

Jude Fisher / JcFx.Eu



"David Wang" wrote:
You want to read the URL that I mentioned in my prior response to make
sure that Basic Authentication is allowed to function on your server.

I suspect the problem is either:
1. some security module running on network packets stripping off
Authorization: Basic header and causing IIS to return 401.2 before
even invoking any security login code of IIS
2. some security lockdown performed on the colo server that is
preventing basic authentication (and probably other things - we just
don't know what) from working within IIS

It is harder to validate #2 because it comes down to setting-by-
setting comparison of a working server with your server. I don't want
to get into that situation because I'd rather have the colo server
company tell me what they HAVE changed (they should have those changes
listed in an automation script somewhere since they built the server
for you) instead of trying to ask everyone else what could/not have
changed.

#1 requires that you validate with something like Network Monitor on
the server itself that the Authorization: Basic header is received by
the IIS web server (and not removed by some network security module).
And please verify that there is no GLOBAL ISAPI FILTER -- you only
mentioned the ISAPI Filters tab for each website but not the global
ISAPI Filters tab for all websites. At the same time, no Wildcard
Application Mapping for *ANY* of the Application mapping settings
applicable to the URL under question. There's no simple command to do
this -- because we are talking about deep, internal server
modifications (potentially made by other setup programs), one has to
know how IIS works to uncover what other setup programs have
configured.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

On Oct 29, 3:17 am, Jude Fisher <JudeFis...@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
Further to the above, here are the results of the MS Authentication & Access
Control Diagnostics tool. These are from the directory I want to be working
with rather than the /test one but the settings and results are identical.
Where it says COMPUTERNAME\ACCOUNTNAME, this is the account that I am trying
to grant access to:

-----------------------------------------------------------------------------
Check Permissions Results
Status Result
Verifying: D:\home\Clients\Marketing4Tradesmen\cpi\*
Account: COMPUTERNAME\ACCOUNTNAME Access type: FULL
Check of D:\home\Clients\Marketing4Tradesmen\cpi\* complete, no errors
Diagnostics complete
-----------------------------------------------------------------------------
View Permissions Results

D:\home\Clients\Marketing4Tradesmen\cpi\.
COMPUTERNAME\USERNAME: (OI)(CI)F
D:\home\Clients\Marketing4Tradesmen\cpi\order-postprocess.aspx
COMPUTERNAME\USERNAME: F

Diagnostics complete

View Site Configuration
W3SVC/1 Default
ServerState Server started
ServerBindings :80:
AuthFlags 5 (0x5) "AuthAnonymous | AuthNTLM"
-----------------------------------------------------------------------------
Authentication Results Url: http://localhost/clients/Marketing4Tradesmen/cpi/

AnonymousUserPass logon failed
Path:W3SVC AuthType:Anonymous

AnonymousPasswordSync
The current configuration requires IIS subauthentication. However, the IIS
subauthentication component, iissuba.dll, is not currently configured.
Path:W3SVC AuthType:Anonymous

AnonymousPasswordSync
The current configuration uses IIS subauthentication for anonymous
authentication. This requires that the worker process be configured to run as
the Local System identity, which is not recommended for security reasons.
Path:W3SVC AuthType:Anonymous

must be domain member
Path:W3SVC AuthType:Kerberos

Basic authentication is not a secure authentication protocol. You should
consider using Secure Sockets Layer (SSL) for added security.
Path:W3SVC/1/ROOT/clients/Marketing4Tradesmen/cpi AuthType:Basic

Test Authentication

[THIS POPS A DIALOG BOX. VERIFYING THE PASSWORD FOR THE USER I AM WORKING
WITH RETURNS THE RESULT 'SUCCESS'. AUTHENTICATING THIS USER RETURNS:]
Server's response: HTTP/1.1 401 Unauthorized
Path:W3SVC/1/ROOT/clients/Marketing4Tradesmen/cpi AuthType:Basic

Diagnostics complete
-----------------------------------------------------------------------------
Server Permissions Results

Verifying: C:\WINDOWS\help\iishelp\common\*
Account: BUILTIN\Administrators Access type: FULL
Account: NT AUTHORITY\SYSTEM Access type: FULL
Account: COMPUTERNAME\IIS_WPG Access type: READ
Account: BUILTIN\Users Access type: READ | EXECUTE
Check of C:\WINDOWS\help\iishelp\common\* complete, no errors

Verifying: C:\WINDOWS\IIS Temporary Compressed Files\*
Account: BUILTIN\Administrators Access type: FULL
Account: NT AUTHORITY\SYSTEM Access type: FULL
Account: COMPUTERNAME\IIS_WPG Access type: READ | WRITE
Account: CREATOR OWNER Access type: FULL
CREATOR OWNER does not have 'FULL' access to .
Check of C:\WINDOWS\IIS Temporary Compressed Files\* complete, errors found

Verifying: C:\WINDOWS\system32\inetsrv\*
Account: BUILTIN\Administrators Access type: FULL
Account: NT AUTHORITY\SYSTEM Access type: FULL
Check of C:\WINDOWS\system32\inetsrv\* complete, no errors

Verifying: C:\WINDOWS\system32\inetsrv\*
Account: BUILTIN\Users Access type: READ | EXECUTE
BUILTIN\Users does not have 'READ | EXECUTE' access to ASP Compiled
Templates
BUILTIN\Users does not have 'READ | EXECUTE' access to History
BUILTIN\Users does not have 'READ | EXECUTE' access to
MBSchema.bin.00000000h
BUILTIN\Users does not have 'READ | EXECUTE' access to MBSchema.xml
BUILTIN\Users does not have 'READ | EXECUTE' access to MetaBase.xml
Check of C:\WINDOWS\system32\inetsrv\* complete, errors found

Verifying: C:\WINDOWS\system32\inetsrv\ASP Compiled Templates\*
Account: COMPUTERNAME\IIS_WPG Access type: READ
Check of C:\WINDOWS\system32\inetsrv\ASP Compiled Templates\* complete, no errors

Verifying: C:\inetpub\adminscripts\*
Account: BUILTIN\Administrators Access type: FULL
Check of C:\inetpub\adminscripts\* complete, no errors

Verifying: C:\WINDOWS\system32\Logfiles\*
Account: BUILTIN\Administrators Access type: FULL
Check of C:\WINDOWS\system32\Logfiles\* complete, no errors

Diagnostics complete

System Information:

System time Mon, 29 Oct 2007 10:05:15 GMT
OS Windows 2003 Service Pack 2
W3SVC IIS6 - World Wide Web Publishing service is running
MSFTPSVC IIS6 - FTP Publishing service is not started
Host name COMPUTERNAME
Dns suffix jcfx.eu
Workgroup name WORKGROUPNAME
ModuleFileName C:\Program Files\IIS Resources\AuthDiag\authdiag.exe version: 1.0:43.0

"Jude Fisher" wrote:
David,

1) Just as a check I used NET USER /ADD on my test account and as expected
it told me the user account already existed.

2) No ISAPI filters are listed for any of the websites on this computer.

3) I didn't set the server up myself (this is a dedicated server from a
major UK host) but I can't see anything in Local Security Settings that could
be causing the issue - is there anything specific I should be looking for?

"David Wang" wrote:

When I see weird and erratic behavior, my first question is "do you
have a custom ISAPI Filter installed on the server?". Both global as well
as per-site.

The password dialog is supposed to appear for Basic authentication
*unless* the client is allowed to auto-login with Basic. That's not
allowed by default for security reasons. You hardly want the browser
to automatically hand over your login password to ANY website which
asks for it, right?

Thinking more esoterically now -- what are the login rights assigned
to your test user? IIS uses a specific login type (configurable), so
ability to login via remote desktop is insufficient proof that IIS can
login that user. See this URL for more info:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Librar....

Usually the defaults when you just create a user via NET USER name
password /ADD will suffice, but sometimes Group Policies of a domain
can alter this behavior (even if you've unjoined this machine from a
domain).

Are you sure you don't have a proxy or network policy/device which is
simply forbidding Basic authentication altogether (because it exposes
the user's password)? For example, it'd be really easy for such a
proxy or network device (or even ISAPI Filter...) to simply strip off
the Authorization:

...

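The check David asks for earlier in the thread (is there a GLOBAL ISAPI filter, and is there a wildcard application mapping on any path that applies to the URL?), as an added example that is not from the thread: it reads an IIS 6 MetaBase.xml (the file the AuthDiag output lists under system32\inetsrv, with older copies in the History folder next to it) and reports every IIsFilter key, whether it is global or belongs to one site, whether FilterEnabled is TRUE and the parent FilterLoadOrder names it (the two conditions under which IIS 6 loads it), and every ScriptMaps entry whose extension is `*`. The embedded MetaBase.xml fragment is constructed for the example; the filter names, the ControlPanel directory and the DLL paths in it are made up.

```python
import re
import xml.etree.ElementTree as ET

# Constructed MetaBase.xml fragment (IIS 6 layout); names and paths are made up.
SAMPLE_METABASE = r"""<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsFilters Location="/LM/W3SVC/Filters" FilterLoadOrder="LoginFilter,ASP.NET_2.0.50727.0"/>
<IIsFilter Location="/LM/W3SVC/Filters/ASP.NET_2.0.50727.0"
    FilterPath="C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_filter.dll" FilterEnabled="TRUE"/>
<IIsFilter Location="/LM/W3SVC/Filters/LoginFilter"
    FilterPath="C:\Program Files\ControlPanel\loginfilter.dll" FilterEnabled="TRUE"/>
<IIsFilter Location="/LM/W3SVC/Filters/OldFilter"
    FilterPath="C:\Program Files\ControlPanel\old.dll" FilterEnabled="TRUE"/>
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"/>
<IIsFilters Location="/LM/W3SVC/1/Filters" FilterLoadOrder=""/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"
    ScriptMaps=".asp,C:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE
        .aspx,C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/clients"
    ScriptMaps=".aspx,C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG
        *,C:\Program Files\ControlPanel\urlhook.dll,4"/>
</MBProperty>
</configuration>
"""

# ScriptMaps is one attribute holding many "ext,dll,flags[,verbs]" entries. After XML
# attribute normalisation they are separated only by whitespace, and DLL paths may
# contain spaces, so split where whitespace is followed by the next ".ext," or "*,".
ENTRY_SPLIT = re.compile(r"\s+(?=(?:\.[A-Za-z0-9]+|\*),)")


def _tag(elem):
    return elem.tag.rsplit("}", 1)[-1]   # strip the metabase XML namespace


def list_filters(metabase_xml):
    """Every IIsFilter key, global (/LM/W3SVC/Filters/<name>) or per site
    (/LM/W3SVC/<id>/Filters/<name>), with whether IIS 6 would actually load it:
    FilterEnabled must be TRUE and the parent IIsFilters' FilterLoadOrder must list it."""
    root = ET.fromstring(metabase_xml)
    load_order = {}
    entries = []
    for e in root.iter():
        loc = e.get("Location", "")
        if _tag(e) == "IIsFilters":
            load_order[loc] = [n.strip() for n in e.get("FilterLoadOrder", "").split(",") if n.strip()]
        elif _tag(e) == "IIsFilter":
            parent, name = loc.rsplit("/", 1)
            node = parent.split("/")[3]              # "Filters" for global, else the site id
            entries.append({"scope": "global" if node == "Filters" else "site " + node,
                            "name": name, "path": e.get("FilterPath", ""),
                            "enabled": e.get("FilterEnabled", "").upper() == "TRUE",
                            "parent": parent})
    for f in entries:
        f["loaded"] = f["enabled"] and f["name"] in load_order.get(f.pop("parent"), [])
    return entries


def wildcard_maps(metabase_xml):
    """(Location, dll) for every ScriptMaps entry whose extension is '*'."""
    root = ET.fromstring(metabase_xml)
    hits = []
    for e in root.iter():
        raw = e.get("ScriptMaps", "").strip()
        for entry in (ENTRY_SPLIT.split(raw) if raw else []):
            fields = [f.strip() for f in entry.split(",")]
            if len(fields) >= 2 and fields[0] == "*":
                hits.append((e.get("Location"), fields[1]))
    return hits


def report(metabase_xml):
    """Human-readable findings, one line each."""
    lines = []
    for f in list_filters(metabase_xml):
        status = "LOADED" if f["loaded"] else "present but not loaded"
        lines.append(f"filter [{f['scope']}] {f['name']}: {f['path']} ({status})")
    for loc, dll in wildcard_maps(metabase_xml):
        lines.append(f"wildcard application mapping at {loc}: {dll}")
    return lines


if __name__ == "__main__":
    import sys
    # With a path argument, read a real MetaBase.xml; otherwise use the sample above.
    xml_text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_METABASE
    print("\n".join(report(xml_text)))
```

Run it against a copy of MetaBase.xml (or one of the History copies, to see what a setup program changed) rather than the live file. A filter that appears in the list but is "present but not loaded" is not the culprit; one marked LOADED under the global scope runs on every site, which is exactly the case the IIS manager's per-site Filters tab does not show.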