?
Solved

HTTP Authentification

Posted on 2001-07-10
10
Medium Priority
?
253 Views
Last Modified: 2010-04-11
Hello,

I have a little security problem on a Web server. It is not severe as nobody can enter the system ;-)
Let me explain.

I have a web server connected to the internet. This web server is in a domain called "A". On one page, I have restricted the access to some people. Inside the domain it is OK.

My problem is when someone on another domain wants to connect to this page usign the internet, he receives the message : HTTP 401.3 - Access denied by ACL on resource and the browser doesn't ask him his name/login !!!!

To complicate, I can also have the same user name as in the A domain but in the other domain, I have a different password !!!

Thanks,

Laurent.
0
Comment
Question by:lthiry
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
10 Comments
 
LVL 9

Expert Comment

by:TTom
ID: 6269255
Laurent:

I have a feeling that your web server is configured to allow anonymous access.  I think if you remove that capability from the site, the browser will be forced to request login credentials.

Once that is accomplished, the user is free to enter a username which includes a domain designation.  In some cases (I am not sure exactly how this works) the login dialog has a specific input area for "domain"; in other cases, the domain can prefix the user name (domain\user).

HTH,

Tom
0
 

Author Comment

by:lthiry
ID: 6269293
Tom,

Your feeling is right, but some parts of the site have to be public and some have to be private. If I turn off the anonymous acces, I think I won't have the public access anymore ??

Laurent.
0
 

Author Comment

by:lthiry
ID: 6269315
Tom,

I have created another server and put the page. When I try to acces, it says HTTP 401.2 - Unauthorized: Logon failed due to server configuration
Internet Information Services
Thanks,

Laurnet.
0
Need protection from advanced malware attacks?

Look no further than WatchGuard's Total Security Suite, providing defense in depth against today's most headlining attacks like Petya 2.0 and WannaCry. Keep your organization out of the news with protection from known and unknown threats.

 

Author Comment

by:lthiry
ID: 6269611
Tom,

On the microsoft Web site, I have found
HTTP 401.2 - Unauthorized: Logon failed due to server configuration
Internet Information Services
CAUSE
The authentication methods that were tried are either disabled, or you are attempting to use NTLM through a proxy server.

Which is about the case. I have no proxy, but a router/firewall before the web server !

regards,

Laurent.
0
 
LVL 9

Expert Comment

by:TTom
ID: 6269912
Laurent:

With IIS, you can specify whether or not you want Anonymous access on each individual directory.  This setting coordinates with NT security.

If you want people to log in, set the IIS virtual directory to disallow Anonymous access and be sure that the NT file permissions on the appropriate directory are such that valid users can access the files.

If you need public access, enable Anonymous access and be sure the NT file permissions on the directory are set so that "Everyone" can read the files.

We will have to see what effect the firewall has on this, but, presumably, if your server is already viewable to the public, it should not be restricting access.

Tom
0
 

Author Comment

by:lthiry
ID: 6269925
I have removed the Anonymous acces and I get

HTTP 401.2 - Unauthorized: Logon failed due to server configuration

Laurent.
0
 
LVL 9

Accepted Solution

by:
TTom earned 400 total points
ID: 6270099
Have you enabled (either) Basic Authentication or NT C/R?  Either one should force a login dialog box, but NT C/R might be trying to do the login transparently.  I would first test with Basic Authentication to see if the login box appears.  Once you have that, it will mean the permissions are set properly in both IIS and NT.

Tom
0
 

Author Comment

by:lthiry
ID: 6272640
Tom,

I have tried Basic authentification. It worked OK.
I have tried digest and it works, so I have turned basic and all is fine. Thank you very much,

Is Digest authentification secure ?

Laurent.
0
 
LVL 9

Expert Comment

by:TTom
ID: 6273099
Hmmm.  Not sure about "Digest" authentication.  I am only familiar with Basic and NT Challenge/Response.  If NT C/R is synonymous with Digest, it is MORE secure than Basic.  If you are using Basic for ANY external communication, you MUST use SSL or your user information will be readily available to any hacker with a mind to get it.

The problem with NT C/R is that Netscape does not support it.

Tom
0
 

Author Comment

by:lthiry
ID: 6273158
Digest Authentication
A new feature of IIS 5.0, Digest authentication offers the same features as Basic authentication but involves a different way of transmitting the authentication credentials. The authentication credentials pass through a one-way process, often referred to as hashing. The result of this process is called a hash, or message digest, and it is not feasible to decrypt it. That is, the original text cannot be deciphered from the hash.

Digest authentication proceeds as follows:

The server sends the browser certain information which will be used in the authentication process.
The browser adds this information to its user name and password plus some other information and performs a hash on it. The additional information will help to prevent someone from copying of the hash value and using it over again.
The resulting hash is sent over the network to the server along with the additional information in clear text.
The server then adds the additional information to a plain text copy it has of the client's password and hashes all of the information.
The server than compares the hash value it received with the one it just made.
Access is granted only if the two numbers are absolutely identical.
The additional information is added to the password before hashing so that no one can capture the password hash and use it to impersonate the true client. Values are added that help to identify the client, the client's computer, and the realm, or domain, the client belongs to. As well, a time stamp is added to prevent a client from using a password after it has been revoked.

This a clear advantage over Basic authentication, in which the password can be intercepted and used by an unauthorized person. Digest authentication is structured to be usable across proxy servers and other firewall applications and is available to Web Distributed Authoring and Versioning (WebDAV). Because Digest authentication is a new HTTP 1.1 feature, not all browsers support it. If a non-compliant browser makes a request on a server that requires Digest authentication, the server will reject the request and send the client an error message. Digest authentication is supported only for domains a with Windows 2000 domain controller.

Important   Digest authentication will complete only if the domain server for which a request is made has a plain-text copy of the requesting user's password. Because the domain controller has plain-text copies of passwords, it must be secured from both physical and network attacks. For more information about securing a domain controller, see the Microsoft Windows 2000 Server Resource Kit.

Note   A hash value consists of a small amount of binary data, typically no more than 160 bits. This value is produced by using a hashing algorithm. All hash values share the following properties, regardless of the algorithm used:

Hash length The length of the hash value is determined by the type of algorithm used, and its length does not vary with the size of the message. The message can be several kilobytes or several gigabytes, it doesn't matter. The most common hash value lengths are either 128 or 160 bits.
Non-discoverability Every pair of nonidentical messages will translate into a completely different hash value, even if the two messages differ only by a single bit. Using today's technology, it is not feasible to discover a pair of messages that translate to the same hash value.
Repeatability Each time a particular message is hashed using the same algorithm, the exact same hash value will be produced.
Irreversibility All hashing algorithms are one-way. Given a hash value, it is impossible to recover the original message, even given the hashing algorithm. In fact, none of the properties of the original message can be determined given the hash value alone.

regards,

Laurent.
0

Featured Post

Bringing Advanced Authentication to the SMB Market

WatchGuard announces the acquisition of advanced authentication provider, Datablink, with one mission – to bring secure authentication to SMB, mid-market, and distributed enterprises with a cloud-based solution, ideal for resale via their established channel & MSSP community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
With the rising number of cyber attacks in recent years, keeping your personal data safe has become more important than ever. The tips outlined in this article will help you keep your identitfy safe.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question