IIS Server Security - Desperate - Bypass Basic Authentication Prompt?


Kenneth Koh

2005-11-08, 6:28 pm

Hi all

Is it achievable to use an application login to bypass the Basic
authentication prompt? Via ISAPI?

Thanks in advance!

Regards,
Kenneth

Miha Pihler [MVP]

2005-11-08, 6:28 pm

Sure. But in this case you set IIS up with Anonymous access to your sites.
On the default page you set up the login, where users can e.g. get an
appropriate cookie. All other pages on your server can then check whether
the users accessing them are authenticated (e.g. whether they have the cookie).

In Internet Information Services (IIS) 6.0 Resource Kit Tools there is a
sample of similar authentication. Download IIS RK and take a look at
CustomAuth...

--
Mike
Microsoft MVP - Windows Security





Kenneth Koh

2005-11-08, 6:28 pm

Hi Mike

Thanks for the reply.

The problem we are facing now is that this website uses MS CRM 1.2.
The product requires either Basic or Windows Integrated and cannot be
set to Anonymous.

If we use the CustomAuth ISAPI and do our own login, will it still be
considered as Basic or integrated?

Thanks!

Kenneth

David Wang [Msft]

2005-11-08, 6:28 pm

If you don't want the Basic authentication prompt to pop up, then do not
enable the authentication protocol in IIS. This prevents IIS from returning
the 401 response (which is obligatory if you enable authentication and the
client is *not* yet authenticated via any of the public standard protocols),
and it is that 401 which causes the client to pop up the login prompt.

If you want to perform custom authentication protocol, then you either need
to purchase a proprietary solution or write your own.

CustomAuth sample in the IIS Platform SDK shows how to use an HTML form to
post encrypted username/password to IIS which uses that username/password to
perform an NT login (in other words, it's just like Basic authentication
except with an HTML form instead of plain login dialog box). If you want to
use non-Windows username/password, you need to modify the source code to do
the username/password lookup.

I have some sample code snippets showing how to do all this, assuming you
know how to download the Platform SDK and compile source code. Everything is
freely available.
http://blogs.msdn.com/david.wang/ar...m_INI_file.aspx

You probably want to wander around my blog to read up on the general subject
of customizing authentication on IIS.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

Kenneth Koh

2005-11-08, 6:28 pm

Thanks Both!

May the force be with you.

Regards,
Kenneth

David Wang [Msft]

2005-11-08, 6:28 pm

If you use CustomAuth ISAPI, it will be considered Anonymous by applications
that use the AUTH_TYPE server variable to determine authentication type,
even though it will configure the user token just like Basic or Integrated.

It is basically a one-line change in CustomAuth ISAPI to make it "fake" the
AUTH_TYPE server variable to be whatever you want (such as "Basic" or
"NTLM"), and it should be unnoticeable to other software running on IIS.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

Kenneth Koh

2005-11-08, 6:28 pm

Hi David

I've finally managed to get the source code from the Platform SDK CD,
but there are 111 errors when compiling the samples (without changing
the code, except to change the locations of all the header files).
I've hit errors like
syntax error : identifier 'HSE_EXEC_URL_USER_INFO'

Is there another location where i can find a working sample?

Thanks!

David Wang [Msft]

2005-11-08, 6:28 pm

It sounds like you do not have a correct build environment set up.

The sample code works - I've installed the same code from the Platform SDK,
and it compiled just fine for me. No code changes necessary. I used Visual
Studio C++ 6 to open up the project (after fixing some pathnames in the
project file), added the include/lib paths from the SDK to the front
(remember, I want to compile against the updated httpext.h from the SDK, not
the old one from VC++), and it built just fine.

At this point, you need to make some custom code changes to hack into the
needs of your specific scenario, so you must figure out how to compile
correctly.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

Kenneth Koh

2005-11-08, 6:28 pm

Hi David

You are right.
I've replaced the files in VC with those in SDK.
Works like magic.

The rest is up to me now.

Thanks very much!

Regards,
Kenneth

Kenneth Koh

2005-11-08, 6:28 pm

Hi David

Almost done for me.
I just don't seem to be able to configure the value of AUTH_TYPE to Basic.
Can you copy a snippet of the code that does that?

Thanks!
Hope this is the last time I bother you guys.

Regards,
Kenneth



David Wang [Msft]

2005-11-09, 7:49 am

I think it builds character for you to figure out the one line change to do
this... since you own this code for your solution, after all.

You want to:
1. Look up documentation on MSDN for HSE_EXEC_URL_USER_INFO and
HSE_REQ_EXEC_URL
2. Set HSE_EXEC_URL_USER_INFO->pszCustomAuthType to "Basic"
3. Set HSE_EXEC_URL_INFO->pUserInfo to this HSE_EXEC_URL_USER_INFO structure
on the HSE_REQ_EXEC_URL call.

The change is exactly one line for CustomAuth.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
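The whole approach the thread arrives at, in one place: Mike's "anonymous site plus a cookie that every other page checks", David's description of CustomAuth (an HTML form posts the credentials, the extension performs the NT logon and hands the resulting token to the real page, and because IIS never emits a 401 the browser never shows a prompt), and the one-line pszCustomAuthType change that makes the application read AUTH_TYPE as "Basic". This is an added example written for this page, not the Platform SDK CustomAuth sample and not code from the thread. Assumptions: LogonUser is replaced by a stand-in with a constructed two-user table, HSE_EXEC_URL_USER_INFO is redeclared from httpext.h so the file builds without the SDK (a real ISAPI build includes httpext.h and drops that typedef), session ids come from /dev/urandom instead of CryptGenRandom, and the function names, the cookie name `sid` and the `/login` path are all mine.

```c
/* Form login in front of an IIS app that insists on Basic/Integrated. Added
 * example, not the SDK CustomAuth sample; the Win32 pieces are stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void *HANDLE;                      /* stand-in for the Win32 typedef */
/* Redeclared from httpext.h (IIS 6.0 SDK) so this builds without the SDK. */
typedef struct _HSE_EXEC_URL_USER_INFO {
    HANDLE hImpersonationToken;            /* token LogonUser handed back */
    char  *pszCustomUserName;              /* what LOGON_USER will report */
    char  *pszCustomAuthType;              /* what AUTH_TYPE will report  */
} HSE_EXEC_URL_USER_INFO;

enum action { ACT_PASS, ACT_REDIRECT_LOGIN, ACT_LOGIN_FAILED };
#define TOKEN_HEX 32                       /* 128-bit session id, hex encoded */
struct session { char token[TOKEN_HEX + 1]; char user[64]; HANDLE htoken; };
static struct session sessions[16];
static int nsessions;

static int logon_user(const char *user, const char *pass, HANDLE *out)
{   /* Stand-in for LogonUser(): a constructed two-user table. */
    static const char *table[][2] = {{"alice", "correct horse"}, {"bob", "hunter2"}};
    static int fake_token[2];
    for (int i = 0; i < 2; i++)
        if (!strcmp(user, table[i][0]) && !strcmp(pass, table[i][1]))
            return *out = &fake_token[i], 1;
    return 0;
}

/* name=value lookup in a sep-separated list ('&' form body, ';' Cookie header),
 * decoding %XX and '+' on the way out. Returns 0 when name is absent. */
static int find_pair(const char *s, const char *name, char sep, char *out, size_t n)
{
    size_t len = strlen(name), j = 0;
    while (s && *s) {
        while (*s == ' ') s++;
        const char *end = strchr(s, sep);
        if (!strncmp(s, name, len) && s[len] == '=') {
            for (const char *v = s + len + 1; *v && *v != sep && j + 1 < n; v++) {
                if (*v == '+') out[j++] = ' ';
                else if (*v == '%' && v[1] && v[2]) {
                    char hex[3] = {v[1], v[2], 0};
                    out[j++] = (char)strtol(hex, NULL, 16), v += 2;
                } else out[j++] = *v;
            }
            out[j] = 0;
            return 1;
        }
        s = end ? end + 1 : NULL;
    }
    return 0;
}

static int new_token(char *out)
{   /* Unguessable session id: CryptGenRandom on IIS, /dev/urandom here. */
    unsigned char b[TOKEN_HEX / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(b, 1, sizeof b, f) : 0;
    if (f) fclose(f);
    if (got != sizeof b) return 0;
    for (size_t i = 0; i < sizeof b; i++) sprintf(out + 2 * i, "%02x", b[i]);
    return 1;
}

/* POST /login: the HTML form replaces the browser's Basic dialog. On ACT_PASS
 * the caller sends Set-Cookie: sid=<sid>; HttpOnly; Secure (form over TLS). */
enum action handle_login(const char *body, char *sid_out)
{
    char user[64], pass[128]; HANDLE h;
    struct session *s = &sessions[nsessions];
    if (nsessions >= 16 || !find_pair(body, "user", '&', user, sizeof user) ||
        !find_pair(body, "pass", '&', pass, sizeof pass) ||
        !logon_user(user, pass, &h) || !new_token(s->token))
        return ACT_LOGIN_FAILED;
    snprintf(s->user, sizeof s->user, "%s", user);
    s->htoken = h, nsessions++;
    strcpy(sid_out, s->token);
    return ACT_PASS;
}

/* Every other request. A live session fills the struct handed to HSE_REQ_EXEC_URL
 * via HSE_EXEC_URL_INFO.pUserInfo; pszCustomAuthType is the one-line change, so
 * the app sees AUTH_TYPE=Basic. No session: 302 to /login, never 401, no prompt. */
enum action authorize(const char *cookie_hdr, HSE_EXEC_URL_USER_INFO *ui)
{
    char sid[TOKEN_HEX + 1];
    if (cookie_hdr && find_pair(cookie_hdr, "sid", ';', sid, sizeof sid))
        for (int i = 0; i < nsessions; i++)
            if (!strcmp(sessions[i].token, sid)) {
                ui->hImpersonationToken = sessions[i].htoken;
                ui->pszCustomUserName = sessions[i].user;
                ui->pszCustomAuthType = "Basic";
                return ACT_PASS;
            }
    memset(ui, 0, sizeof *ui);
    return ACT_REDIRECT_LOGIN;
}
```

handle_login is what the POST /login handler calls; authorize runs on every other request before the child URL is executed with pUserInfo pointing at the filled structure. Two things follow from this layout. AUTH_TYPE is only a label chosen by the extension, so an application that gates on it being "Basic" is really trusting the session lookup and the impersonation token behind it; that lookup is now the security boundary and needs what IIS's own Basic handler never had to provide, namely session expiry, invalidation on logout, and awareness that the table above lives in one worker process and vanishes on recycle. And the no-401 property is exactly what suppresses the prompt: the moment any handler on the site answers 401 with a WWW-Authenticate header, the browser dialog is back.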





Kenneth Koh

2005-11-09, 7:49 am

Hi David

Really appreciate that, and I do apologise sincerely for not finding out
enough.
Have a great day ahead!

Regards
Kenneth


Copyright 2003 - 2008 webservertalk.com