Re: a WWW-Authenticate header field that the server is not configured



On May 11, 2:39 am, Patrick <Patr...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi All,

I have an IIS6.0 website for which I wish to use SSL encryption. I did the
following to secure it.
1. I've set SSL port to 4043. I have another app (App A) using port 443.
2. I secured the Application Directory using an Enterprise Root CA which I
created for App A (using built-in MS Certificate Service)
3. Unchecked Anonymous Logon box and none of the 4 Authentication Access
boxes are checked.
4. I've Enabled Certificate Trust List (Under Secure Communications) and
imported the certificate into it so that there is an entry under Current CTL.
5. For Client Certificates, I have "Accept Client Certificates" selected. I
tried with "Ignore Client Certificates" as well.

When I try to access the site (https://myserver:4032), the browser spits out
the error message below:
"Web browser is sending a WWW-Authenticate header field that the Web server
is not configured to accept"

Obviously I've missed some config parameter somewhere and I can not just
figure it out. Help!

Thanks and Regards

Patrick


1. Read the IIS documentation on how to set up Client Certificate
based Authentication. Your scenario requires -- Require Client
Certificate -- IIS requires some user token in order to process the
request, and if you turn off all IIS Authentication Methods as well as
make Client Certificate optional, it becomes possible to attempt
processing requests with no user token, which IIS will reject.

2. You say the website is listening on port 4043 but your example
request went to 4032. Since you are using non-default ports, I don't
know if this is a typo or some other configuration behavior.

3. Two problems with your observation:
"Web browser is sending a WWW-Authenticate header field that the Web
server is not configured to accept"
--> IIS does not send responses that look like that
--> Web browsers do not send WWW-Authenticate headers. Web Servers
send WWW-Authenticate headers telling the browser which authentication
method to use.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
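
As an added example (not part of the thread and not IIS code), this Python sketch applies points 1 and 2 of the reply above to one site's settings. It assumes the IIS 6 metabase `AuthFlags` and `AccessSSLFlags` values have already been read (for example with adsutil.vbs); the function names and the sample values are constructed for illustration.

```python
from urllib.parse import urlsplit

# IIS 6 metabase bit masks for the AuthFlags and AccessSSLFlags properties.
AUTH_FLAGS = {"Anonymous": 0x01, "Basic": 0x02, "IntegratedWindows": 0x04,
              "Digest": 0x10, "Passport": 0x40}
SSL_FLAGS = {"RequireSSL": 0x08, "NegotiateCert": 0x20, "RequireCert": 0x40,
             "MapCert": 0x80, "Require128Bit": 0x100}


def decode(value, table):
    """Return the names of the bits set in a metabase flag value."""
    return [name for name, bit in table.items() if value & bit]


def audit(auth_flags, ssl_flags, ssl_port, test_url):
    """Apply the reply's two checks to one site; return a list of findings."""
    findings = []
    auth = decode(auth_flags, AUTH_FLAGS)
    ssl = decode(ssl_flags, SSL_FLAGS)

    # Point 1 of the reply: with every authentication method off and the
    # client certificate optional, a request can arrive with no user token.
    if not auth and "RequireCert" not in ssl:
        findings.append("no-user-token: no authentication method enabled "
                        "and client certificate not required")

    # Point 2 of the reply: the URL under test must target the SSL port
    # that the site is actually bound to.
    url = urlsplit(test_url)
    port = url.port or (443 if url.scheme == "https" else 80)
    if port != ssl_port:
        findings.append(f"port-mismatch: URL targets {port}, "
                        f"site listens for SSL on {ssl_port}")
    return findings


# Constructed values modelling the question: all authentication boxes
# cleared, "Accept Client Certificates" (NegotiateCert only), port 4043.
QUESTION = dict(auth_flags=0x00, ssl_flags=0x20, ssl_port=4043,
                test_url="https://myserver:4032")
# Constructed values for the setup the reply recommends (RequireCert set).
FIXED = dict(auth_flags=0x00, ssl_flags=0x08 | 0x20 | 0x40, ssl_port=4043,
             test_url="https://myserver:4043/")

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION), ("fixed", FIXED)):
        print(label, audit(**cfg) or "no findings")
```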