Solved

HTTP Authentication

Posted on 2001-07-10
Last Modified: 2010-04-11
Hello,

I have a little security problem on a Web server. It is not severe as nobody can enter the system ;-)
Let me explain.

I have a web server connected to the internet. This web server is in a domain called "A". On one page, I have restricted the access to some people. Inside the domain it is OK.

My problem is when someone on another domain wants to connect to this page using the internet, he receives the message: HTTP 401.3 - Access denied by ACL on resource, and the browser doesn't ask him his name/login !!!!

To complicate, I can also have the same user name as in the A domain but in the other domain, I have a different password !!!

Thanks,

Laurent.
Question by: lthiry

10 Comments

Expert Comment by: TTom
ID: 6269255
Laurent:

I have a feeling that your web server is configured to allow anonymous access.  I think if you remove that capability from the site, the browser will be forced to request login credentials.

Once that is accomplished, the user is free to enter a username which includes a domain designation.  In some cases (I am not sure exactly how this works) the login dialog has a specific input area for "domain"; in other cases, the domain can prefix the user name (domain\user).

HTH,

Tom

Author Comment by: lthiry
ID: 6269293
Tom,

Your feeling is right, but some parts of the site have to be public and some have to be private. If I turn off the anonymous access, I think I won't have the public access anymore ??

Laurent.

Author Comment by: lthiry
ID: 6269315
Tom,

I have created another server and put the page there. When I try to access it, it says HTTP 401.2 - Unauthorized: Logon failed due to server configuration
Internet Information Services
Thanks,

Laurent.

Author Comment by: lthiry
ID: 6269611
Tom,

On the Microsoft Web site, I have found:
HTTP 401.2 - Unauthorized: Logon failed due to server configuration
Internet Information Services
CAUSE
The authentication methods that were tried are either disabled, or you are attempting to use NTLM through a proxy server.

Which is about the case. I have no proxy, but a router/firewall before the web server !

regards,

Laurent.

Expert Comment by: TTom
ID: 6269912
Laurent:

With IIS, you can specify whether or not you want Anonymous access on each individual directory.  This setting coordinates with NT security.

If you want people to log in, set the IIS virtual directory to disallow Anonymous access and be sure that the NT file permissions on the appropriate directory are such that valid users can access the files.

If you need public access, enable Anonymous access and be sure the NT file permissions on the directory are set so that "Everyone" can read the files.

We will have to see what effect the firewall has on this, but, presumably, if your server is already viewable to the public, it should not be restricting access.

Tom

Author Comment by: lthiry
ID: 6269925
I have removed the Anonymous access and I get

HTTP 401.2 - Unauthorized: Logon failed due to server configuration

Laurent.

Accepted Solution by: TTom (earned 100 total points)
ID: 6270099
Have you enabled (either) Basic Authentication or NT C/R?  Either one should force a login dialog box, but NT C/R might be trying to do the login transparently.  I would first test with Basic Authentication to see if the login box appears.  Once you have that, it will mean the permissions are set properly in both IIS and NT.

Tom

Author Comment by: lthiry
ID: 6272640
Tom,

I have tried Basic authentication. It worked OK.
I have tried Digest and it works, so I have turned Basic and all is fine. Thank you very much.

Is Digest authentication secure?

Laurent.

Expert Comment by: TTom
ID: 6273099
Hmmm.  Not sure about "Digest" authentication.  I am only familiar with Basic and NT Challenge/Response.  If NT C/R is synonymous with Digest, it is MORE secure than Basic.  If you are using Basic for ANY external communication, you MUST use SSL or your user information will be readily available to any hacker with a mind to get it.

The problem with NT C/R is that Netscape does not support it.

Tom

Author Comment by: lthiry
ID: 6273158
Digest Authentication
A new feature of IIS 5.0, Digest authentication offers the same features as Basic authentication but involves a different way of transmitting the authentication credentials. The authentication credentials pass through a one-way process, often referred to as hashing. The result of this process is called a hash, or message digest, and it is not feasible to decrypt it. That is, the original text cannot be deciphered from the hash.

Digest authentication proceeds as follows:

1. The server sends the browser certain information which will be used in the authentication process.
2. The browser adds this information to its user name and password plus some other information and performs a hash on it. The additional information will help to prevent someone from copying the hash value and using it over again.
3. The resulting hash is sent over the network to the server along with the additional information in clear text.
4. The server then adds the additional information to a plain text copy it has of the client's password and hashes all of the information.
5. The server then compares the hash value it received with the one it just made.
6. Access is granted only if the two numbers are absolutely identical.

The additional information is added to the password before hashing so that no one can capture the password hash and use it to impersonate the true client. Values are added that help to identify the client, the client's computer, and the realm, or domain, the client belongs to. As well, a time stamp is added to prevent a client from using a password after it has been revoked.

This is a clear advantage over Basic authentication, in which the password can be intercepted and used by an unauthorized person. Digest authentication is structured to be usable across proxy servers and other firewall applications and is available to Web Distributed Authoring and Versioning (WebDAV). Because Digest authentication is a new HTTP 1.1 feature, not all browsers support it. If a non-compliant browser makes a request on a server that requires Digest authentication, the server will reject the request and send the client an error message. Digest authentication is supported only for domains with a Windows 2000 domain controller.

Important: Digest authentication will complete only if the domain server for which a request is made has a plain-text copy of the requesting user's password. Because the domain controller has plain-text copies of passwords, it must be secured from both physical and network attacks. For more information about securing a domain controller, see the Microsoft Windows 2000 Server Resource Kit.

Note: A hash value consists of a small amount of binary data, typically no more than 160 bits. This value is produced by using a hashing algorithm. All hash values share the following properties, regardless of the algorithm used:

Hash length: The length of the hash value is determined by the type of algorithm used, and its length does not vary with the size of the message. The message can be several kilobytes or several gigabytes; it doesn't matter. The most common hash value lengths are either 128 or 160 bits.
Non-discoverability: Every pair of nonidentical messages will translate into a completely different hash value, even if the two messages differ only by a single bit. Using today's technology, it is not feasible to discover a pair of messages that translate to the same hash value.
Repeatability: Each time a particular message is hashed using the same algorithm, the exact same hash value will be produced.
Irreversibility: All hashing algorithms are one-way. Given a hash value, it is impossible to recover the original message, even given the hashing algorithm. In fact, none of the properties of the original message can be determined given the hash value alone.

regards,

Laurent.
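The six Digest steps quoted above, worked through as an added example that is not from this thread or from IIS: it implements the RFC 2617 MD5 computation (HA1 / HA2 / response with qop=auth) for both the browser and the server side, and shows why a captured response cannot simply be sent again. The realm "A", the user "laurent", the password and the URI are constructed sample values, and the server nonce here is a random value rather than the time-stamped one the IIS text describes.

```python
import hashlib
import secrets

def _h(*parts):
    # RFC 2617 H(): MD5 over the colon-joined fields, as lowercase hex
    return hashlib.md5(":".join(parts).encode()).hexdigest()

def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """Browser side (steps 2-3): hash credentials with the server nonce and the
    client's own nonce/count; only this hash and the clear-text extras go out."""
    ha1 = _h(user, realm, password)      # secret part, never sent on the wire
    ha2 = _h(method, uri)                # ties the hash to this request
    return _h(ha1, nonce, nc, cnonce, qop, ha2)

class DigestServer:
    """Server side (steps 1, 4-6): recomputes the hash from its own password copy
    and remembers issued nonces so a captured response cannot be replayed."""
    def __init__(self, realm, passwords):
        self.realm = realm
        self.passwords = passwords       # constructed sample: {user: plain-text pw}
        self.issued = {}                 # nonce -> highest nonce count accepted

    def challenge(self):
        nonce = secrets.token_hex(16)    # step 1: fresh value per challenge
        self.issued[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        if user not in self.passwords or nonce not in self.issued:
            return False                 # unknown user, or a nonce we never issued
        if int(nc, 16) <= self.issued[nonce]:
            return False                 # nonce count reused: a replayed response
        expected = digest_response(user, self.passwords[user], self.realm,
                                   method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return False                 # step 6: the two hashes must be identical
        self.issued[nonce] = int(nc, 16)
        return True

def demo(password="correct horse"):
    """One exchange for user 'laurent' (server stores 'correct horse'), then the
    same response sent again. Returns (first_accepted, replay_accepted)."""
    server = DigestServer("A", {"laurent": "correct horse"})
    chal = server.challenge()
    cnonce = secrets.token_hex(8)
    args = ("laurent", "GET", "/private/page.asp", chal["nonce"], "00000001", cnonce)
    resp = digest_response("laurent", password, chal["realm"], "GET",
                           "/private/page.asp", chal["nonce"], "00000001", cnonce)
    return server.verify(*args, resp), server.verify(*args, resp)
```

Note that the server still needs the plain-text password (or at least HA1) to recompute the hash, which is exactly the point the quoted "Important" paragraph makes about securing the domain controller.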
