David Wang 2007-02-02, 1:30 am
Hmm... you may be seeing a known problem with IIS5 and
ClientCertificate on large requests. And Kerberos tickets can make
requests large.
This is technically a flaw within the SSL specification, and you can
work around it by increasing the size of UploadReadAheadSize to
something larger than the 49152 default (i.e. 102400). You don't want
it too large since that would constitute a DOS security vulnerability.
I know this issue is handled in IIS6, but I do not think it was fixed
in IIS5 - Windows 2000 was already at end of life and no customer
request = no porting. Changing UploadReadAheadSize *may* help on IIS5.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Jan 31, 11:46 pm, jacorona <jacor...@discussions.microsoft.com>
wrote:
> Thank you for answering, David.
>
> The setup to test this strange behaviour, is the following:
> - Desktop WinForm client application on W2K and .Net 2.0, accessing directly
> to an IIS 5.0 site using an "https:" address. Proxy built adding a reference
> to the web service.
> - [IIS site in local machine] (in principle, this shouldn't matter)
> - IIS site configured:
>   - To accept "Integrated Windows authentication", and
>   - Without "requiring" SSL, it accepts client certificates
> - [IIS site hosting a simple web service developed on .Net 2.0] (in
> principle, this shouldn't matter, either)
>
> Behaviour:
> - When desktop application is configured to present a client certificate it
> works fine. Web service is accessed and the identity it sees comes from the
> mapping defined in IIS for that certificate.
> (service.ClientCertificates.Add(cert);)
> - When desktop application is configured to present Kerberos ticket
> (integrated security), it times out. (service.Credentials =
> CredentialCache.DefaultCredentials;)
>
> Notes:
> - When desktop application accesses the web service via "http:" and
> integrated security, it also works fine.
>
> Hope this explanation helps. I have been unable to read anything that makes me
> think this scenario (an IIS site configured to accept both types of
> credentials under https) does not work. Perhaps I should do something else
> in the client code, but I have also been unable to find anything regarding
> that.
>
> Many thanks again.
>
> JACorona