IIS Server Security - IIS Security, unknown cause of 401.5 and 403.5 errors

Author

IIS Security, unknown cause of 401.5 and 403.5 errors

Ryan Taylor

2005-12-14, 5:57 pm

Hello.

My coworkers and I have been tracking down some very particular security
issues with IIS 5.1 on Windows XP (SP2). I have an ASP.NET (.NET 1.1)
application that requires Integrated Windows Authentication which loads up
various images (jpeg, gif) (preloading with JavaScript), various JavaScript
files (.js), and a flash .swf file. There is no requirement for SSL. The
only reason we need Integrated Windows Authentication is because we need the
client's network logon name and they do not want to be prompted for it.

Unfortunately the page consistently fails to load in the browser (IE6)
properly. Many of the .gif and .jpeg and .js files we are receiving 401.5
and 403.5 errors. We have tried to find some correlation between which files
have which errors but it seems quite random. Sometimes any given file will
receive a 401.5 error while other times it will receive a 403.5 error.
Sometimes the file will receive both errors. This posses quite a problem,
especially with the .js files which are required for much of our
functionality.

The site is setup with Integrated Windows Authentication. Anonymous
Authentication, Digest and Basic are unchecked. The 403.5 errors are
especially confusing (not to downplay the 401.5 errors) but I do not have
SSL enabled nor have I ever and I do not have a certificate installed on my
machine.

I have installed the ASP.NET application on a Windows Server 2003 SP1
machine with IIS 6.0 and I do not receive any of these errors. However, we
have 3 developers working on this one application and we need to be able to
run local instances of this on our development machines for debugging
purposes. This is also occurring on another coworkers machine (Windows XP
(SP2)) as well.

All the resources (.gif, .jpeg, .js) that succeed (code - 200) in loading
have a username (DOMAIN\USER). All the ones that fail do not.

Does anyone have any ideas (and preferably solutions) as to why this problem
is occurring?

Ratatooie

2005-12-14, 5:57 pm

You are aware that IIS 5.1 has a limit of 10 concurrent connections via HTTP
and that can easily be used up by one person doing one page view?

Drop the same system on IIS on a server and I your problems go away... as
you found out that pretty much pegs the problem.

5.1 is really meant for one person to do limited tests while developing.
It's not a hosting environment. The only solution, don't host on Windows
XP, use Server.

"Ryan Taylor" <rtaylor@stgeorgeconsulting.com> wrote in message
news:uXmN6pPAGHA.2708@TK2MSFTNGP12.phx.gbl...
> Hello.
>
> My coworkers and I have been tracking down some very particular security
> issues with IIS 5.1 on Windows XP (SP2). I have an ASP.NET (.NET 1.1)
> application that requires Integrated Windows Authentication which loads up
> various images (jpeg, gif) (preloading with JavaScript), various
> JavaScript files (.js), and a flash .swf file. There is no requirement for
> SSL. The only reason we need Integrated Windows Authentication is because
> we need the client's network logon name and they do not want to be
> prompted for it.
>
> Unfortunately the page consistently fails to load in the browser (IE6)
> properly. Many of the .gif and .jpeg and .js files we are receiving 401.5
> and 403.5 errors. We have tried to find some correlation between which
> files have which errors but it seems quite random. Sometimes any given
> file will receive a 401.5 error while other times it will receive a 403.5
> error. Sometimes the file will receive both errors. This posses quite a
> problem, especially with the .js files which are required for much of our
> functionality.
>
> The site is setup with Integrated Windows Authentication. Anonymous
> Authentication, Digest and Basic are unchecked. The 403.5 errors are
> especially confusing (not to downplay the 401.5 errors) but I do not have
> SSL enabled nor have I ever and I do not have a certificate installed on
> my machine.
>
> I have installed the ASP.NET application on a Windows Server 2003 SP1
> machine with IIS 6.0 and I do not receive any of these errors. However, we
> have 3 developers working on this one application and we need to be able
> to run local instances of this on our development machines for debugging
> purposes. This is also occurring on another coworkers machine (Windows XP
> (SP2)) as well.
>
> All the resources (.gif, .jpeg, .js) that succeed (code - 200) in loading
> have a username (DOMAIN\USER). All the ones that fail do not.
>
> Does anyone have any ideas (and preferably solutions) as to why this
> problem is occurring?
>
>

Ryan Taylor

2005-12-14, 5:57 pm

I agree that hosting on Windows XP is not a solution. Our final development
environment is Windows Server 2003. But for developing our only solution
right now is Windows XP. We only have XP licenses for our development
machines. Is there any way to determine definitively if the problem is that
IIS 5.1 on Windows XP only allows 10 concurrent HTTP connections. It seems
odd that we would get SSL is required error messages.

"Ratatooie" <postmaster@idbdeveloper.com> wrote in message
news:43a095d7$1_1@newspeer2.tds.net...
> You are aware that IIS 5.1 has a limit of 10 concurrent connections via
> HTTP and that can easily be used up by one person doing one page view?
>
> Drop the same system on IIS on a server and I your problems go away... as
> you found out that pretty much pegs the problem.
>
> 5.1 is really meant for one person to do limited tests while developing.
> It's not a hosting environment. The only solution, don't host on Windows
> XP, use Server.
>
> "Ryan Taylor" <rtaylor@stgeorgeconsulting.com> wrote in message
> news:uXmN6pPAGHA.2708@TK2MSFTNGP12.phx.gbl...
>
>

Ratatooie

2005-12-15, 6:04 pm

http://groups.google.com/groups?sou...5.1&sa=N&tab=wg

http://www.google.com/search?source...5.1&sa=N&tab=gw

Some people even asserting it's 5 connections.

If you don't trust what logic tells you the problem is, then I can't really
help you.

"Ryan Taylor" <rtaylor@stgeorgeconsulting.com> wrote in message
news:uCJdl4PAGHA.3928@tk2msftngp13.phx.gbl...
>I agree that hosting on Windows XP is not a solution. Our final development
>environment is Windows Server 2003. But for developing our only solution
>right now is Windows XP. We only have XP licenses for our development
>machines. Is there any way to determine definitively if the problem is that
>IIS 5.1 on Windows XP only allows 10 concurrent HTTP connections. It seems
>odd that we would get SSL is required error messages.
>
> "Ratatooie" <postmaster@idbdeveloper.com> wrote in message
> news:43a095d7$1_1@newspeer2.tds.net...
>
>

Ryan Taylor

2005-12-15, 6:04 pm

I've bumped up my max connections to 40 and this seems to alleviated some of
the issues. Regarding your statement "if you don't trust what logic tells
you the problem is..." I was questionning why IIS would return a 403.5 error
instead of a 403.9 error. Logic would imply that if I received a 403.9 error
that the problem would be that there were too many connections. However, the
error I was receiving was indicating I required SSL or that Authorization
failed for an ISAPI/CGI application in the case of the 401.5 errors. Please
don't imply that my logic is flawed when the error messages I received are
misleading and possibly more accurately even incorrect.

Thank you for pointing out the max connections issue though I did not know
that this was a limitation of IIS 5.1

"Ratatooie" <postmaster@idbdeveloper.com> wrote in message
news:43a19633$1_2@newspeer2.tds.net...
> http://groups.google.com/groups?sou...5.1&sa=N&tab=wg
>
> http://www.google.com/search?source...5.1&sa=N&tab=gw
>
> Some people even asserting it's 5 connections.
>
> If you don't trust what logic tells you the problem is, then I can't
> really help you.
>
> "Ryan Taylor" <rtaylor@stgeorgeconsulting.com> wrote in message
> news:uCJdl4PAGHA.3928@tk2msftngp13.phx.gbl...
>
>