Authorization HTML Header going missing

[Shaun Wilde]

I am not sure if this is a .NET bug/feature and IIS5 one or a combination of
the 2 so here goes

I have a situation where when I call an ASP.NET webservice running under
windows 2000 (I assume IIS5) with a webservice client also in .NET that the
webservice request loses the Authorization HTML header.

This DOES NOT happen under Windows 2003.

I am using the followng (patch/fix) to preauthenticate the web request (this
is from a KB article, or newsgroup article I think)

Protected Overrides Function GetWebRequest(ByVal uri As System.Uri) As
System.Net.WebRequest
Dim webReq As System.Net.WebRequest = MyBase.GetWebRequest(uri)
If Me.PreAuthenticate Then
Dim cred As System.Net.NetworkCredential =
Me.Credentials.GetCredential(uri, "Basic")
If Not cred Is Nothing Then
Dim buff As Byte() = New
System.Text.UTF8Encoding().GetBytes(cred.UserName & ":" & cred.Password)
webReq.Headers("Authorization") = "Basic " &
Convert.ToBase64String(buff)
End If
End If
Return webReq
End Function


Also webservice and client are running under the same process/application -
long story but it is to fake the fact that the server we are supposed to
talk to isn't available yet.

i.e. under my webservice I have 2 folders - in one folder I have the .asmx
files that our web application talks to and under the other folder I have a
..asmx that responds the way the 3rd party service is supposed to
with requests to the first folder causing a request to the second.

I hope someone can tell me what is going on.

Regards

Shaun

 

[Steven Cheng[MSFT]]

Hi Shaun,

Thanks for your posting. From your description, you've an asp.net web
service which make use of the Http header to store some authentication
tokens. But you found this header will lose when you host the webservice on
win2k server (works ok on 2003 server) ,yes?

From the client code you provided, seems you're using the WebRequest class
to consume the webservie rather than use the wsdl.exe to generate the
client proxy ,yes? Since the using HttpHeader to store authentication info
will make the webservice reply on the underlying protocal, generally, we
recommend that we use th SOAP HEADER to store such info.
would you consider using the SoapHeader or if there is any certain concerns
on this, please feel free to post here. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Shaun Wilde]

Hi Steven

No what happens is that when the client talks to the server hosted on the
same machine the Authorization header goes missing. However when the
client running on the windows 2000 talks to a different machine (Windows
2003)
then the Authorization header is there

I used the .NET tools (wsdl.exe) to generate my client and servers based on
the WSDL
(generated by the java syatem we need to talk to) and then used the
information from
the following newsgroup to override the web request to get preauthentication
to work
(http://groups.google.co.uk/groups?q=GetWebRequest+Authorization&hl=en&lr=&s
elm=%23euI3BFUCHA.2832%40tkmsftngp10&rnum=5)

Unfortunately using the SOAP Header isn't an option as it is not supported
by the specification we need to adhere to.

I can knock up a demo project(s) to emulate what we are doing if you wish.

Shaun

 

[Steven Cheng[MSFT]]

Thanks for your response Shaun,

I'll have a look at your attached code and do some tests. And I'll update
you as soon as I got any further progress. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Steven Cheng[MSFT]]

Hi Shaun,

After some tests, It seems that the code you provided works correctly on my
side. I've tested on two machines. One is XP PRO with iis5 .net 1.1 and
another win2k3 server with iis6 .NET 1.1. ( the webservice's virtual dir
is set allow anonymous)

In both tests I put the client and server on the same machine(local test).
The HTTP header is sent correctly so I'm wondering the problem is due to
any enviormential issue? You may have a check, if there is any new
findings, please feel free to post here . Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Shaun Wilde]

Hi Steven

The problem is possibly then with windows 2000 and iis5 perhaps. I have
always stressed this point.

I have seen this issue so far with 4 windows 2000 machines. 2 developer
boxes, 1 test environment and my home test machine.

I used anonymous on all sites/folders.

I hope you will be able to replicate the environment.

Shaun

 

[Steven Cheng[MSFT]]

Hi Shaun,

Thanks for your response. Yes, I've just tested on a w2k server(iis5) with
framework1.1 ,but the behavior is the same as I tested on other enviorment,
the Authorization header is sent correctly.
Have you tried changing to use another custom Header Name such as

webReq.Headers.Add("myheaderitem", "myheadervalue")

to see whether it can be sent correctly?

In addition, I'm a bit confused that why you need to manually set the HTTP
authorization header? When we add the following code

Dim cache As New System.Net.CredentialCache
Dim cred As New System.Net.NetworkCredential("IWTeamMember1",
"Password01!", "sha-dng-chn")
cache.Add(New
Uri(System.Configuration.ConfigurationSettings.AppSettings("Uri")),
"Basic", cred)
ws.Credentials = cache

the webrequest will automatically add the HTTP authorization header for us.
That means, even we don't override the GetWebRequest and manually add the
header, the webrequest will generate the header for use according to the
NewworkCrediential we add in the CredentialCache. I've tested this to
confirm this behavior. Have you also tried this?

Just turn on the IIS's BASIC authentication and run the following code at
client

Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles Button1.Click

Try
Dim service As New AuthTestService.AuthTestService

Dim cache As New System.Net.CredentialCache
Dim cred As New System.Net.NetworkCredential("username",
"password!", "servername")
cache.Add(New
Uri(System.Configuration.ConfigurationSettings.AppSettings("Uri")),
"Basic", cred)
service.Credentials = cache

MessageBox.Show(service.HelloWorld())


Catch ex As Exception

MessageBox.Show(ex.ToString())
End Try

this can return "HelloWorld" correctly.

Please have a check and let me know if there is anything unclear. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)



End Sub

 

[Shaun Wilde]

Hi Steven

I did say the issue was with windows 2000, I never tried with XP Pro. but so
far 4 windows 2000 boxes all exhibit the same problem.
All have anonymous set, I am using preauthentication so the credentials
should always be snet - and they do appear to do so.

I hope you may be able to replicate, however one has to ask why does windows
2000 strip the header.

Could it be a filter? Can't imagine why though.

Shaun

 

[Shaun Wilde]

Hi Steven

I'll give it a try

I've come across the following

http://groups.google.co.uk/groups?q...t.*&selm=u4pdtNCqCHA.2360@TK2MSFTNGP09&rnum=1

and it seems to descibe the same symptoms. It also seems to be that it (the
Authorization header) will come through if we enable basic authentication.

Okay but whey the difference between 2000 and 2003.

Actually the problem occurs only if the server is 2000, the client is not a
factor.

Basic Authentication isn't turned on via IIS and there should be no need to
do so as I wish to use a HttpHandler to look after the credentials and send
back an Authorization error (403?) - this is because the application could
be hosted on a site where access to the IIS is minimal (3rd party hosting
environment).

Also I wish to authenticate against my own control list (database or
web.config) and not that controlled by a 3rd party.

Shaun

 

[Shaun Wilde]

Hi Steven

Sorry this skipped being read as my newsreader settings didn't read all
headers (fixed now)

I manually set it because the preauthentication flag doesn't work for
webservice - this is a known bug.

I also do not want to turn on basic authentication to make it work as I need
to handle the basic authentication using my own httphandler to check the
credentials.

(I also do not have the correct permission on the domain involved to add my
own users and thus I cannot use IIS basic authentication - unless you know
of another way of supplying username/password combinations)

Try turning off the basic authentication and looking for the authorization
field within the application (ps you will need to use my code to get
preauthentication to work) - see my original example.

Shaun

 

[Steven Cheng[MSFT]]

Hi Shaun,

Thanks for your followup. En, yes, I did tried both BAsic Authentication
turn ON and OFF when testing on my local w2k box. That's why I think the
problem is due to a enviroment specific issue.
Also, if you can leave your service as anonymous turn on in IIS, I think
you can try use a custom httpheader to carry the username/password info ,
does this work? Anyway, please feel free to post here if you got any
further findings.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Shaun Wilde]

Hi Steven

I have 4 different boxes it happens to. 2 developer boxes, 1 deployment box
and my own home machine. And it doesn't work on either and yet you say it
works on your machines then there is a bug somewhere (maybe a patch). Also
other posters in the past have noted the same issue (Google groups).
If it is patch related there is no way to determine and or fix it so I can't
rely on it working elsewhere. I think I am going to have to insist that
they use IIS basic Authentication in win2k machine.

Unfortunately I can't use a custom HTTP header as other (3rd party) clients
(java based) need to connect and the standard I am following requires that
we
use the Authorization header and preauthentication.

Shaun

 

[Steven Cheng[MSFT]]

Thanks for your reply Shaun,

Currently I haven't any definite ideas on this. But I'll hold on and wait
for the testing result (by the isapi I attached in the former message) from
you. That'll help us dig some further. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Steven Cheng[MSFT]]

Hi Shuan,

Any further progress on this issue? If there're any updating or new
findings , please feel free to post here.
Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Shaun Wilde]

Hi

Nothing new as yet - got too much other things on that I haven't had time to
spend on this.

Its odd that on all windows sever 2000 machines I have test on with the
application runing on exhibits the problem and not platforms. As I said
since there does not seem a way to predict it then I'll have to assume worst
case scenario and treat all windows server 2000 machines as having the same
problem.

Shaun

 

[Steven Cheng[MSFT]]

Ok Shaun, if you have time to do some further investigate and got any
findings on this, please feel free to post here. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)