Authorize HTTPHeader


Bill Belliveau

Hi all, I’m trying to read values out of the ‘authorization’ host header. I can get the values easily enough, but the ‘authorization’ header is somewhat elusive.

For connections requiring authorization the process appears to flow:
Client -> Server [request]
Client <- Server [401]
Client -> Server [request +auth]
(success)
Client <-> Server [request/response normal – future auth not required/port secure]

The site does not allow anonymous connections so I assume the first two steps happen at an IIS level with ASP.NET having no knowledge. It seems that it should be possible to determine the successful second request with credentials. Unfortunately I am only seeing spotty results on the connection.

If I run in debug [(A) –> Server] I (A) can see authorization requests.
Sometimes the Authorization comes up as NTLM and other times as Negotiate with the exact same machine settings.
If I deploy the project to an intermediary server [A –> (B) –> Server] sometimes B sees the authorization requests, sometimes not.

I am passing good credentials and receiving validation because even when I'm not seeing the Authorization header (writing to the event log), the site is still allowing access - the vdir is restricted to Integrated Windows Authentication.

[code snippet in Global.asax session_start]

    // Dump every request header; for Authorization, also base64-decode the token part
    string strMessage = "No message";
    System.Collections.Specialized.NameValueCollection headers =
        System.Web.HttpContext.Current.Request.Headers;
    foreach (string header in headers)
    {
        foreach (string headerValue in headers.GetValues(header))
        {
            strMessage = String.Format("Header Name: {0}\nHeader Value: {1}", header, headerValue);
            if (header == "Authorization")
            {
                string s = "";
                string head = "";   // scheme word, e.g. "NTLM" or "Negotiate" (captured, not yet used)
                string tail = "";   // base64 token that follows the scheme
                try { head = headerValue.Split(' ')[0]; }
                catch (Exception) { System.Diagnostics.Debug.WriteLine("head failed"); }
                try { tail = headerValue.Split(' ')[1]; }
                catch (Exception) { System.Diagnostics.Debug.WriteLine("tail failed"); }
                try
                {
                    // The token is binary; ASCII decoding only makes a leading "NTLMSSP" readable
                    s = System.Text.ASCIIEncoding.ASCII.GetString(System.Convert.FromBase64String(tail));
                }
                catch (FormatException) { System.Diagnostics.Debug.WriteLine("Binary Base64"); }
                finally
                {
                    strMessage += "\nAuthHttpHeader Decoded: " + s;
                }
            }
            System.Diagnostics.Debug.WriteLine(strMessage);
        }
    }

[snippet end]

Overall I’m looking to determine if the client browser’s authorization scheme is NTLMSSP; I just can’t reliably get this information.

Thanks for any ideas,
Bill
 

bruce barker

if you use ntlm, then it goes like this

client -> server [request]
client <- server [401 ntlm] -- list valid auth protocols

client -> server [ntlm challenge] connection left open
client <- server [ntlm response] connection left open

client -> server [request] (no auth header required - as the authentication was already done)
client <- server [response 200]


as ntlm requires keepalive (http 1.1), the auth header is not sent on every
request.

-- bruce (sqlwork.com)



Bill Belliveau

Thanks for the information Bruce

Progress
By taking the code out of Session_Start and moving it to Application_AuthenticateRequest I am able to see the authorization header every time. Session_Start would return authorization; however, it seemed rather sporadic.

We are building an interoffice application that will utilize Windows Authentication. By reading the authorization host header we should be able to determine if ‘Integrated Windows Authentication’ (IWA) is available. I’ve been told in IE 5.5 it’s always enabled and in IE 6 it appears as a checkbox (Tools -> Internet Options -> Advanced -> Security -> Enable Integrated Windows Authentication).

The code snippet should determine if this box is checked in IE 6. I understand that after decoding the authorization header, the first seven characters should be NTLMSSP when IWA is enabled. Test cases are a bit confusing, however.
Our product reads the Active Directory, so the test cases are:

A = Local machine hosting site
B = Remote machine hosting site
C = Active Directory
Local  [A -> C]
Remote [A -> B -> C]

Location / IWA checkbox (IE6) / Auth Type / Auth decode

Local  / enabled  / negotiate / NTLMSSP    (success)
Local  / disabled / NTLM      / NTLMSSP    (success)
Remote / enabled  / negotiate / != NTLMSSP (success)
Remote / disabled / NTLM      / NTLMSSP    (failure)

This information isn’t very useful, or I’m doing something wrong.

Using Application_AuthenticateRequest brings up a second issue: it appears that Application_AuthenticateRequest executes before Session_Start, consequently there isn’t a session. Without a session I don’t know whom to give the error to at a later time.

Any and all feedback is appreciated
Bill
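The following is an added example (not code from this thread or from Bill's project, and written in Python rather than the poster's C#) that works through the two points raised above: Bruce's description of the NTLM handshake on a kept-alive connection, and Bill's table where the Negotiate scheme sometimes decodes to "NTLMSSP" and sometimes does not. It inspects the decoded bytes instead of the scheme word: a raw NTLM message always begins with the signature NTLMSSP followed by a NUL and a little-endian message type, whereas a Negotiate header normally carries a SPNEGO token, which begins with ASN.1 bytes (0x60, then the OID 1.3.6.1.5.5.2) and so will never read as "NTLMSSP" after base64 decoding, even when NTLM is the mechanism wrapped inside it. All header values, token bytes and the server decisions are constructed here for illustration; `walk_connection` is a toy model of server-side connection state, not a validator of the NTLM response.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                       # leads every raw NTLM message
SPNEGO_OID_DER = b"\x06\x06\x2b\x06\x01\x05\x05\x02"      # OID 1.3.6.1.5.5.2 (SPNEGO)
NTLM_TYPE_NAMES = {1: "NTLM Type 1 (negotiate)",
                   2: "NTLM Type 2 (challenge)",
                   3: "NTLM Type 3 (authenticate)"}


def build_ntlm_message(msg_type, flags=0x00088207):
    """Constructed sample NTLM message header: signature, type, flags and
    16 zero bytes standing in for the (empty) payload descriptors."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", msg_type, flags) + b"\x00" * 16


def encode_header(scheme, raw):
    """Build the wire form 'Scheme <base64>' for a token."""
    return scheme + " " + base64.b64encode(raw).decode("ascii")


# Constructed sample SPNEGO NegTokenInit: [APPLICATION 0] { OID 1.3.6.1.5.5.2, [0] SEQUENCE {} }.
SAMPLE_SPNEGO = b"\x60\x0c" + SPNEGO_OID_DER + b"\xa0\x02\x30\x00"

# Constructed header values covering the cases in the thread's table.
SAMPLE_NTLM_T1 = encode_header("NTLM", build_ntlm_message(1))
SAMPLE_NTLM_T3 = encode_header("NTLM", build_ntlm_message(3))
SAMPLE_NEGOTIATE_RAW_NTLM = encode_header("Negotiate", build_ntlm_message(1))
SAMPLE_NEGOTIATE_SPNEGO = encode_header("Negotiate", SAMPLE_SPNEGO)


def parse_authorization(value):
    """Split 'Scheme base64token' into (scheme, decoded bytes).
    Missing header -> (None, b''); a token that is not valid base64 -> raw None."""
    if value is None or not value.strip():
        return None, b""
    parts = value.strip().split(None, 1)
    scheme = parts[0]
    token = parts[1].strip() if len(parts) > 1 else ""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:          # binascii.Error subclasses ValueError
        raw = None
    return scheme, raw


def classify_token(raw):
    """Name the mechanism from the decoded bytes, not from the scheme word."""
    if raw is None:
        return "undecodable base64"
    if not raw:
        return "absent"
    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]   # little-endian uint32 at offset 8
        return NTLM_TYPE_NAMES.get(msg_type, "NTLM (unknown message type)")
    if raw[:1] == b"\x60" and SPNEGO_OID_DER in raw[:16]:
        return "SPNEGO (Kerberos or SPNEGO-wrapped NTLM)"
    return "unknown"


def describe_header(value):
    """Summarise one Authorization value the way a logging hook would."""
    scheme, raw = parse_authorization(value)
    mechanism = classify_token(raw)
    note = ""
    if scheme is None:
        note = "no header: first request, or a keep-alive connection already authenticated"
    elif scheme == "Negotiate" and mechanism.startswith("NTLM"):
        note = "Negotiate scheme carrying a raw NTLM token"
    elif scheme == "Negotiate" and mechanism.startswith("SPNEGO"):
        note = "SPNEGO token: leading bytes are ASN.1, not the text NTLMSSP"
    return {"scheme": scheme, "mechanism": mechanism, "note": note}


def walk_connection(header_values):
    """Toy server state for one keep-alive connection: the NTLM handshake
    authenticates the connection, and later requests carry no header at all."""
    authenticated = False
    decisions = []
    for value in header_values:
        mechanism = classify_token(parse_authorization(value)[1])
        if authenticated:
            decisions.append("200 (connection already authenticated)")
        elif mechanism == "absent":
            decisions.append("401 WWW-Authenticate: Negotiate, NTLM")
        elif mechanism.startswith("NTLM Type 1"):
            decisions.append("401 WWW-Authenticate: NTLM <Type 2 challenge>")
        elif mechanism.startswith("NTLM Type 3"):
            authenticated = True   # a real server validates the response first
            decisions.append("200 (authenticated)")
        else:
            decisions.append("401 (unexpected token)")
    return decisions


if __name__ == "__main__":
    for value in (None, SAMPLE_NTLM_T1, SAMPLE_NEGOTIATE_RAW_NTLM, SAMPLE_NEGOTIATE_SPNEGO):
        print(describe_header(value))
    print(walk_connection([None, SAMPLE_NTLM_T1, SAMPLE_NTLM_T3, None]))
```

Two things this makes visible. First, the fourth request in `walk_connection` carries no Authorization header and is still served, which is why a hook that only fires once per session can miss the header entirely: whether the request that starts the session is the Type 3 request or a later one on the same connection is a matter of timing. Second, a check for the literal text "NTLMSSP" only answers "is this a raw NTLM token?", not "is Integrated Windows Authentication enabled?"; a Negotiate header carrying a SPNEGO token is a successful integrated logon whose decoded bytes never start with NTLMSSP.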
 
