Digest Authentication of account in Trusted Domain fails with WebDAV

From: Jannie Hanekom (no-one@localhost)
Date: 04/23/03


From: "Jannie Hanekom" <no-one@localhost>
Date: Wed, 23 Apr 2003 21:11:03 +0100


Hi

I've got a set-up with two Windows 2000 Active Directory domains (A trusts
B) and a Windows 2000 web server (member of domain A). I use Digest
Authentication on the IIS web server. Reversible encryption is enabled and
enforced on both domains. All machines are current with critical updates.

When accessing a WebDAV resource on the server, Basic Authentication to both
domains works properly, but Digest Authentication only works for accounts in
domain A (where the web server is). Looking at the log files, it seems as
if specifying the domain name as part of the user name (as in
DOMAIN-B\administrator) is incorrectly parsed, as the following data
results:

Event ID: 529
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: \administrator
  Domain: B
  Logon Type: 3
  Logon Process: IIS

Note that User Name is '\administrator' - account name prefixed with a '\'.
A quick test to specify the 'default' domain of the web server (i.e.
DOMAIN-A\administrator) confirms this apparent bug, with a similar 529
event, only this time the domain is listed as A.

In the IIS log files, the username shows up as DOMAIN-A\\administrator.

Specifying the UPN in the format administrator@domain-a.local doesn't work
either. This is not a Web-Folders client bug, as using a different WebDAV
client (Macromedia Dreamweaver, WebDrive, DAV Explorer) yields the same
results.

In a nutshell, this apparent bug prevents IIS from authenticating accounts
in trusted domains using Digest Authentication, which according to the
documentation should work. Any ideas on how to fix or work around this
problem?

Jannie
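
The following is an added example, not part of the original post and not IIS code. It shows one way the symptoms above (the doubled backslash in the IIS log, `\administrator` in event 529) could arise: RFC 2616 treats the backslash as an escape character inside a quoted-string, so a client following it sends `DOMAIN\user` as `DOMAIN\\user`, and a parser that splits domain from user before unescaping keeps a leading backslash. Whether IIS behaves this way is an assumption; the header values and function names are constructed for illustration.

```python
import re

# Constructed sample: username sent as a quoted-string with the backslash
# escaped as a quoted-pair, i.e. two backslashes on the wire.
SAMPLE_HEADER = (
    r'Digest username="DOMAIN-B\\administrator", realm="example", '
    r'nonce="abc123", uri="/dav/", nc=00000001, response="0123456789abcdef"'
)

# name="quoted value with \-escapes"  or  name=token
PARAM_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_digest_params(header, unescape=True):
    """Parse a Digest Authorization header value into a dict.

    unescape=False models the assumed faulty behaviour: quoted-pairs
    are left as they appeared on the wire.
    """
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    params = {}
    for m in PARAM_RE.finditer(rest):
        name, quoted, token = m.groups()
        if quoted is None:
            value = token
        elif unescape:
            value = re.sub(r"\\(.)", r"\1", quoted)  # undo quoted-pairs
        else:
            value = quoted
        params[name.lower()] = value
    return params


def split_account(username):
    """Split DOMAIN\\user or user@domain into (domain, user)."""
    if "\\" in username:
        domain, user = username.split("\\", 1)
    elif "@" in username:
        user, domain = username.rsplit("@", 1)
    else:
        domain, user = "", username
    return domain, user


if __name__ == "__main__":
    for flag in (False, True):
        name = parse_digest_params(SAMPLE_HEADER, unescape=flag)["username"]
        print("unescape=%s -> %r" % (flag, split_account(name)))
```

With `unescape=False` the user part keeps a leading backslash, matching the pattern in the 529 event; with `unescape=True` the account splits cleanly.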


