-
Bill Belliveau #1
Authorize HTTPHeader
Hi all, I’m trying to read values out of the ‘authorization’ host header. I can get the values easily enough, but the ‘authorization’ header is somewhat elusive.
For connections requiring authorization the process appears to flow:
Client -> Server [request]
Client <- Server [401]
Client -> Server [request +auth]
(success)
Client <-> Server [request/response normal – future auth not required/port secure]
The site does not allow anonymous connections so I assume the first two steps happen at an IIS level with ASP.NET having no knowledge. It seems that it should be possible to determine the successful second request with credentials. Unfortunately I am only seeing spotty results on the connection.
If I run in debug [(A) –> Server] I (A) can see authorization requests.
Sometimes the Authorization comes up as NTLM and other times as Negotiate with the exact same machine settings.
If I deploy the project to an intermediary server [A –> (B) –> Server] sometimes B sees the authorization requests, sometimes not.
I am passing good credentials and receiving validation because even when I'm not seeing the Authorization header (writing to the event log), the site is still allowing access - the vdir is restricted to Integrated Windows Authentication.
[code snippet in Global.asax session_start]
string strMessage = "No message";
foreach (string header in System.Web.HttpContext.Current.Request.Headers)
{
    foreach (string headerValue in System.Web.HttpContext.Current.Request.Headers.GetValues(header))
    {
        strMessage = String.Format("Header Name: {0}\nHeader Value: {1}", header, headerValue);
        if (header == "Authorization")
        {
            string s = "";
            string head = "";   // scheme, e.g. "NTLM" or "Negotiate"
            string tail = "";   // base64 token that follows the scheme
            try { head = headerValue.Split(' ')[0]; }
            catch (Exception) { System.Diagnostics.Debug.WriteLine("head failed"); }
            try { tail = headerValue.Split(' ')[1]; }
            catch (Exception) { System.Diagnostics.Debug.WriteLine("tail failed"); }
            try
            {
                // the token is binary; decoding as ASCII only makes the readable prefix visible
                s = System.Text.ASCIIEncoding.ASCII.GetString(System.Convert.FromBase64String(tail));
            }
            catch { System.Diagnostics.Debug.WriteLine("Binary Base64"); }
            finally
            {
                strMessage += "\nAuthHttpHeader Decoded: " + s;
            }
        }
        System.Diagnostics.Debug.WriteLine(strMessage);
    }
}
[snippet end]
Overall I’m looking to determine if the client browser’s authorization scheme is NTLMSSP, I just can’t reliably get this information.
Thanks for any ideas,
Bill
Bill Belliveau Guest
-
bruce barker #2
Re: Authorize HTTPHeader
if you use ntlm, then it goes like this
client -> server [request]
client <- server [401 ntlm] -- list valid auth protocols
client -> server [ntlm challenge] connection left open
client <- server [ntlm response] connection left open
client -> server [request] (no auth header required - as the authentication was already done)
client <- server [response 200]
as ntlm requires keepalive (http 1.1), the auth header is not sent on every request.
-- bruce (sqlwork.com)
"Bill Belliveau" <anonymous@discussions.microsoft.com> wrote in message
news:1B31CBC5-A994-45A6-8416-0797A94CE6CC@microsoft.com...
bruce barker Guest
-
Bill Belliveau #3
Re: Authorize HTTPHeader
Thanks for the information Bruce.
Progress
By taking the code out of Session_Start and moving it to Application_AuthenticateRequest I am able to see the authorization header every time. Session_Start would return authorization, however it seemed rather sporadic.
We are building an interoffice application that will utilize Windows Authentication. By reading the authorization host header we should be able to determine if ‘Integrated Windows Authentication’ (IWA) is available. I’ve been told in IE 5.5 it’s always enabled and in IE 6 it appears as a checkbox (Tools -> Internet Options -> Advanced -> Security -> Enable Integrated Windows Authentication).
The code snippet should determine if this box is checked in IE 6. I understand that after decoding the authorization header, the first seven characters should be NTLMSSP when IWA is enabled. Test cases are a bit confusing however.
Our product reads the Active Directory, so the test cases are
A = Local machine hosting site
B = Remote machine hosting site
C = Active Directory
Local [A -> C]
Remote [A -> B -> C]
Location / IWA checkbox (IE6) / Auth Type / Auth decode
Local / enabled / negotiate / NTLMSSP (success)
Local / disabled / NTLM / NTLMSSP (success)
Remote / enabled / negotiate / != NTLMSSP (success)
Remote / disabled / NTLM / NTLMSSP (failure)
This information isn’t very useful or I’m doing something wrong.
Using Application_AuthenticateRequest brings up a second issue: it appears that Application_AuthenticateRequest executes before Session_Start, consequently there isn’t a session. Without a session I don’t know who to give the error to at a later time.
Any and all feedback is appreciated.
Bill
Bill Belliveau Guest
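An added example, written for this edit and not code from Bill or Bruce, that serves both Bill's header-decoding snippet and the test table in his follow-up: it classifies the scheme and token carried by the Authorization header from Application_AuthenticateRequest, and additionally tells a raw NTLMSSP token apart from a SPNEGO-wrapped Negotiate token, which is the likely explanation for the remote/Negotiate case decoding to something other than NTLMSSP. The names AuthHeaderProbe, Global and "AuthProbe" are assumptions, as is a .NET 2.0-era Global.asax code-behind.

```csharp
// Added example, not code from the thread. Assumes a Global.asax.cs code-behind and .NET 2.0+ C#.
using System;
using System.Text;
using System.Web;

public static class AuthHeaderProbe
{
    // Raw NTLM messages (Type 1 and Type 3) begin with the 8-byte signature "NTLMSSP\0".
    static readonly byte[] NtlmSig = Encoding.ASCII.GetBytes("NTLMSSP\0");
    // Returns e.g. "NTLM/raw-NTLMSSP", "Negotiate/SPNEGO+NTLMSSP", "Negotiate/SPNEGO", or null when
    // no header is present (normal after the handshake on a keep-alive connection, per Bruce's reply).
    public static string Classify(string authorization)
    {
        if (authorization == null || authorization.Length == 0) return null;
        string[] parts = authorization.Split(new char[] { ' ' }, 2);
        string scheme = parts[0];
        if (scheme.Equals("Basic", StringComparison.OrdinalIgnoreCase))
            return "Basic";                          // decodes to user:password; never log that
        if (parts.Length < 2) return scheme + "/no-token";
        byte[] token;
        try { token = Convert.FromBase64String(parts[1].Trim()); }
        catch (FormatException) { return scheme + "/bad-base64"; }
        if (IndexOf(token, NtlmSig) == 0) return scheme + "/raw-NTLMSSP";
        // SPNEGO tokens are DER encoded (ASN.1 APPLICATION 0 tag, first byte 0x60) and wrap
        // Kerberos or NTLM, so their first seven decoded bytes are never "NTLMSSP".
        if (token.Length > 0 && token[0] == 0x60)
            return scheme + (IndexOf(token, NtlmSig) > 0 ? "/SPNEGO+NTLMSSP" : "/SPNEGO");
        return scheme + "/opaque";
    }
    static int IndexOf(byte[] data, byte[] pattern)   // naive byte-pattern search
    {
        for (int i = 0; i + pattern.Length <= data.Length; i++)
        {
            int j = 0;
            while (j < pattern.Length && data[i + j] == pattern[j]) j++;
            if (j == pattern.Length) return i;
        }
        return -1;
    }
}

public partial class Global : HttpApplication   // assumed code-behind class for Global.asax
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        string label = AuthHeaderProbe.Classify(Request.Headers["Authorization"]);
        // No session exists yet here; Context.Items lasts for this same request, so the page can read it.
        if (label != null) Context.Items["AuthProbe"] = label;
    }
}
```

Whether NTLM or Kerberos sits inside a plain "/SPNEGO" token would need the mechType OID list parsed; the signature search above only settles the NTLM case.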