Authorize HTTPHeader

G

Guest

Hi all, I’m trying to read a values out of the ‘authorization’ host header. I can get the values easily enough, but the ‘authorization’ header is somewhat allusive.

For connections requiring authorization the process appears to flow:
Client -> Server [request]
Client <- Server [401]
Client -> Server [request +auth]
(success)
Client <-> Server [request/response normal – future auth not required/port secure]

The site does not allow anonymous connections so I assume the first two steps happen at an IIS level with ASP.NET having no knowledge. It seems that it should be possible to determine the successful second request with credentials. Unfortunately I am only seeing spotty results on the connection.

If I run in debug [(A) –> Server] I (A) can see authorization requests.
Sometimes the Authorization comes up as NTLM and other times as Negotiate with the exact same machine settings.
If I deploy the project to an intermediary server [A –> (B) –> Server] sometimes B sees the authorization requests, sometimes not.

I am passing good credentials and reciving validation because even when I'm not seeing the Authorization header (writing to the event log), the site is still allowing access - the vdir is restricted to Integrated Windows Authentication.

[code snippet in Global.asax session_start]

string strMessage = "No message";
foreach(string header in System.Web.HttpContext.Current.Request.Headers)
{
foreach(string headerValue in System.Web.HttpContext.Current.Request.Headers.GetValues(header))
{
strMessage = String.Format("Header Name: {0}\nHeader Value: {1}", header ,headerValue);
if(header == "Authorization")
{
string s = "";
string head = "";
string tail = "";
try{head = headerValue.Split(' ')[0];}
catch(Exception ex){System.Diagnostics.Debug.WriteLine("head failed");}
try{tail = headerValue.Split(' ')[1];}
catch(Exception ex){System.Diagnostics.Debug.WriteLine("tail failed");}
try
{
s = System.Text.ASCIIEncoding.ASCII.GetString(System.Convert.FromBase64String(tail));
}
catch{System.Diagnostics.Debug.WriteLine("Binary Base64")}
finally
{
strMessage += "\nAuthHttpHeader Decoded: " + s;
}
}
System.Diagnostics.Debug.WriteLine(strMessage);
}
}

[snippet end]

Overall I’m looking to determine if the client browser’s authorization scheme is NTLMSSP, I just can’t reliably get this information.

Thanks for any ideas,
Bill
 
B

bruce barker

if you use ntml, then it goes like theis

client -> server [request]
client <- server [401 ntml] -- list valid auth protocols

client ->server [ntlm challenge] connection left open
client <- server [ntlm response] connection left open

client->server [request] (no auth header required - as the authencation was
already done)
client<-server [response 200]


as ntml requires keepalive (http 1.1), the auth header is not sent on every
request.

-- bruce (sqlwork.com)


Bill Belliveau said:
Hi all, I'm trying to read a values out of the 'authorization' host
Click to expand...
header. I can get the values easily enough, but the 'authorization' header
is somewhat allusive.
For connections requiring authorization the process appears to flow:
Client -> Server [request]
Client <- Server [401]
Client -> Server [request +auth]
(success)
Client <-> Server [request/response normal - future auth not required/port secure]

The site does not allow anonymous connections so I assume the first two
Click to expand...
steps happen at an IIS level with ASP.NET having no knowledge. It seems
that it should be possible to determine the successful second request with
credentials. Unfortunately I am only seeing spotty results on the
connection.
If I run in debug [(A) -> Server] I (A) can see authorization requests.
Sometimes the Authorization comes up as NTLM and other times as Negotiate
Click to expand...
with the exact same machine settings.
If I deploy the project to an intermediary server [A -> (B) -> Server]
Click to expand...
sometimes B sees the authorization requests, sometimes not.
I am passing good credentials and reciving validation because even when
Click to expand...
I'm not seeing the Authorization header (writing to the event log), the site
is still allowing access - the vdir is restricted to Integrated Windows
Authentication.
[code snippet in Global.asax session_start]

string strMessage = "No message";
foreach(string header in System.Web.HttpContext.Current.Request.Headers)
{
foreach(string headerValue in System.Web.HttpContext.Current.Request.Headers.GetValues(header))
{
strMessage = String.Format("Header Name: {0}\nHeader Value: {1}", header ,headerValue);
if(header == "Authorization")
{
string s = "";
string head = "";
string tail = "";
try{head = headerValue.Split(' ')[0];}
catch(Exception ex){System.Diagnostics.Debug.WriteLine("head failed");}
try{tail = headerValue.Split(' ')[1];}
catch(Exception ex){System.Diagnostics.Debug.WriteLine("tail failed");}
try
{
s = System.Text.ASCIIEncoding.ASCII.GetString(System.Convert.FromBase64String(ta
il));
}
catch{System.Diagnostics.Debug.WriteLine("Binary Base64")}
finally
{
strMessage += "\nAuthHttpHeader Decoded: " + s;
}
}
System.Diagnostics.Debug.WriteLine(strMessage);
}
}

[snippet end]

Overall I'm looking to determine if the client browser's authorization
Click to expand...
scheme is NTLMSSP, I just can't reliably get this information.
 
G

Guest

Thanks for the information Bruce

Progress
By taking the code out of Session_Start and moving it to Application_AuthenticateRequest I am able to see the authorization header every time. Session_Start would return authorization however it seemed rather sporadic

We are building an interoffice application that will utilize Windows Authentication. By reading the authorization host header we should be able to determine if ‘Integrated Windows Authentication’ (IWA) is available. I’ve been told in IE 5.5 it’s always enabled and in IE 6 it appears as a checkbox; (Tools ->Internet Options -> Advanced -> Security -> Enable Integrated Windows Authentication

The code snippet should determine if this box is checked in IE 6. I’ve understand after decoding the authorization header, the first seven characters should be NTLMSSP when IWA is enabled. Test cases are a bit confusing however
Our product reads the Active Directory, so the test cases are

A = Local machine hosting sit
B = Remote machine hosting sit
C = Active Director
Local [A -> C
Remote [A -> B - >C

Location / IWA checkbox (IE6) / Auth Type / Auth decode

Local / enabled / negotiate / NTLMSSP (success
Local / disabled / NTML / NTLMSSP (success
Remote / enabled / negotiate / != NTLMSSP (success
Remote / disabled / NTLM / NTLMSSP (failure

This information isn’t very useful or I’m doing something wrong

Using Application_AuthenticateRequest brings up a second issue, it appears that the Application_AuthenticateRequest executes before Session_Start, consequently there isn’t a session. Without a session I don’t know who to give the error to at a later time

Any and all feedback is appreciated
Bill
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Authorize HTTPHeader 2
httplib with NETRC authentication 4
urllib2: correct way how to add a header to the *initial* request? 0
urllib2: correct way how to add a header to the *initial* request? 0
How to use JSESSIONID on follow-on request without basic auth? 6
interrupt the file sending if the file size over the quota...someerrors here... 1
net-http-digest_auth example using more than one request in a row 0
Upload/DownLoad from Excel 1

Members online

No members online now.
Total: 26 (members: 0, guests: 26)
Robots: 174

Forum statistics

Threads
473,755
Messages
2,569,534
Members
45,008
Latest member
Rahul737

Latest Threads

Top