IIS Server Security - Custom 401, basic authentication, ISAPI problem


Author Custom 401, basic authentication, ISAPI problem
javawzl

2007-01-25, 1:31 am

We have a custom ISAPI for authentication and authorization running on 2003
server. Basic Authentication is set up. A custom 401 has been set up on the
site. When we attempt to access the site we are prompted for
username/password. If we choose to CANCEL at this point the 401 is shown up
to 2,048 characters worth ... a 403 Forbidden is then generated and appended
to the markup that has already been written to the response. If we remove the
ISAPI and simply try the same thing with Basic Authentication, the 401 is
shown correctly. We have reproduced this on two 2003 servers, and have it
successfully running on another. We are trying to move our site from 2000
Standard Server.

It is clear the ISAPI is conflicting with the error handling. Is there a
known limit on the number of characters on a 401 on Server 2003?

David Wang

2007-01-26, 7:23 pm

Since ISAPI DLLs can alter the behavior of IIS, whenever one observes
strange behavior and a custom ISAPI is involved with the request, I
always suspect the ISAPI first -- because experience tells me that
99.9% of the time, it is an issue within the ISAPI. The
behaviors/limits that you speculate do not exist with IIS6 on Windows
Server 2003...

I recommend obtaining support for this ISAPI DLL from its developer.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//


On Jan 24, 8:41 pm, javawzl <java...@discussions.microsoft.com> wrote:
> We have a custom ISAPI for authentication and authorization running on 2003
> server. Basic Authentication is set up. A custom 401 has been set up on the
> site. When we attempt to access the site we are prompted for
> username/password. If we choose to CANCEL at this point the 401 is shown up
> to 2,048 characters worth ... a 403 Forbidden is then generated and appended
> to the markup that has already been written to the response. If we remove the
> ISAPI and simply try the same thing with Basic Authentication, the 401 is
> shown correctly. We have reproduced this on two 2003 servers, and have it
> successfully running on another. We are trying to move our site from 2000
> Standard Server.
>
> It is clear the ISAPI is conflicting with the error handling. Is there a
> known limit on the number of characters on a 401 on Server 2003?

