Solved

HTTP Authentification

Posted on 2001-07-10
10
245 Views
Last Modified: 2010-04-11
Hello,

I have a little security problem on a Web server. It is not severe as nobody can enter the system ;-)
Let me explain.

I have a web server connected to the internet. This web server is in a domain called "A". On one page, I have restricted the access to some people. Inside the domain it is OK.

My problem is when someone on another domain wants to connect to this page usign the internet, he receives the message : HTTP 401.3 - Access denied by ACL on resource and the browser doesn't ask him his name/login !!!!

To complicate, I can also have the same user name as in the A domain but in the other domain, I have a different password !!!

Thanks,

Laurent.
0
Comment
Question by:lthiry
  • 6
  • 4
10 Comments
 
LVL 9

Expert Comment

by:TTom
ID: 6269255
Laurent:

I have a feeling that your web server is configured to allow anonymous access.  I think if you remove that capability from the site, the browser will be forced to request login credentials.

Once that is accomplished, the user is free to enter a username which includes a domain designation.  In some cases (I am not sure exactly how this works) the login dialog has a specific input area for "domain"; in other cases, the domain can prefix the user name (domain\user).

HTH,

Tom
0
 

Author Comment

by:lthiry
ID: 6269293
Tom,

Your feeling is right, but some parts of the site have to be public and some have to be private. If I turn off the anonymous acces, I think I won't have the public access anymore ??

Laurent.
0
 

Author Comment

by:lthiry
ID: 6269315
Tom,

I have created another server and put the page. When I try to acces, it says HTTP 401.2 - Unauthorized: Logon failed due to server configuration
Internet Information Services
Thanks,

Laurnet.
0
 

Author Comment

by:lthiry
ID: 6269611
Tom,

On the microsoft Web site, I have found
HTTP 401.2 - Unauthorized: Logon failed due to server configuration
Internet Information Services
CAUSE
The authentication methods that were tried are either disabled, or you are attempting to use NTLM through a proxy server.

Which is about the case. I have no proxy, but a router/firewall before the web server !

regards,

Laurent.
0
 
LVL 9

Expert Comment

by:TTom
ID: 6269912
Laurent:

With IIS, you can specify whether or not you want Anonymous access on each individual directory.  This setting coordinates with NT security.

If you want people to log in, set the IIS virtual directory to disallow Anonymous access and be sure that the NT file permissions on the appropriate directory are such that valid users can access the files.

If you need public access, enable Anonymous access and be sure the NT file permissions on the directory are set so that "Everyone" can read the files.

We will have to see what effect the firewall has on this, but, presumably, if your server is already viewable to the public, it should not be restricting access.

Tom
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 

Author Comment

by:lthiry
ID: 6269925
I have removed the Anonymous acces and I get

HTTP 401.2 - Unauthorized: Logon failed due to server configuration

Laurent.
0
 
LVL 9

Accepted Solution

by:
TTom earned 100 total points
ID: 6270099
Have you enabled (either) Basic Authentication or NT C/R?  Either one should force a login dialog box, but NT C/R might be trying to do the login transparently.  I would first test with Basic Authentication to see if the login box appears.  Once you have that, it will mean the permissions are set properly in both IIS and NT.

Tom
0
 

Author Comment

by:lthiry
ID: 6272640
Tom,

I have tried Basic authentification. It worked OK.
I have tried digest and it works, so I have turned basic and all is fine. Thank you very much,

Is Digest authentification secure ?

Laurent.
0
 
LVL 9

Expert Comment

by:TTom
ID: 6273099
Hmmm.  Not sure about "Digest" authentication.  I am only familiar with Basic and NT Challenge/Response.  If NT C/R is synonymous with Digest, it is MORE secure than Basic.  If you are using Basic for ANY external communication, you MUST use SSL or your user information will be readily available to any hacker with a mind to get it.

The problem with NT C/R is that Netscape does not support it.

Tom
0
 

Author Comment

by:lthiry
ID: 6273158
Digest Authentication
A new feature of IIS 5.0, Digest authentication offers the same features as Basic authentication but involves a different way of transmitting the authentication credentials. The authentication credentials pass through a one-way process, often referred to as hashing. The result of this process is called a hash, or message digest, and it is not feasible to decrypt it. That is, the original text cannot be deciphered from the hash.

Digest authentication proceeds as follows:

The server sends the browser certain information which will be used in the authentication process.
The browser adds this information to its user name and password plus some other information and performs a hash on it. The additional information will help to prevent someone from copying of the hash value and using it over again.
The resulting hash is sent over the network to the server along with the additional information in clear text.
The server then adds the additional information to a plain text copy it has of the client's password and hashes all of the information.
The server than compares the hash value it received with the one it just made.
Access is granted only if the two numbers are absolutely identical.
The additional information is added to the password before hashing so that no one can capture the password hash and use it to impersonate the true client. Values are added that help to identify the client, the client's computer, and the realm, or domain, the client belongs to. As well, a time stamp is added to prevent a client from using a password after it has been revoked.

This a clear advantage over Basic authentication, in which the password can be intercepted and used by an unauthorized person. Digest authentication is structured to be usable across proxy servers and other firewall applications and is available to Web Distributed Authoring and Versioning (WebDAV). Because Digest authentication is a new HTTP 1.1 feature, not all browsers support it. If a non-compliant browser makes a request on a server that requires Digest authentication, the server will reject the request and send the client an error message. Digest authentication is supported only for domains a with Windows 2000 domain controller.

Important   Digest authentication will complete only if the domain server for which a request is made has a plain-text copy of the requesting user's password. Because the domain controller has plain-text copies of passwords, it must be secured from both physical and network attacks. For more information about securing a domain controller, see the Microsoft Windows 2000 Server Resource Kit.

Note   A hash value consists of a small amount of binary data, typically no more than 160 bits. This value is produced by using a hashing algorithm. All hash values share the following properties, regardless of the algorithm used:

Hash length The length of the hash value is determined by the type of algorithm used, and its length does not vary with the size of the message. The message can be several kilobytes or several gigabytes, it doesn't matter. The most common hash value lengths are either 128 or 160 bits.
Non-discoverability Every pair of nonidentical messages will translate into a completely different hash value, even if the two messages differ only by a single bit. Using today's technology, it is not feasible to discover a pair of messages that translate to the same hash value.
Repeatability Each time a particular message is hashed using the same algorithm, the exact same hash value will be produced.
Irreversibility All hashing algorithms are one-way. Given a hash value, it is impossible to recover the original message, even given the hashing algorithm. In fact, none of the properties of the original message can be determined given the hash value alone.

regards,

Laurent.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now