Did not someone make a patch for this early after the feature was in IE 4?
Dw
On Mon, 17 Sep 2001, Martin Kraemer wrote:
> I just noticed a feature of IIS 5.0 which is (if I am correct)
> impossible to do with Apache (1.3/2.0), albeit very useful. It
> is the possibility to use multiple authentication schemes
> in parallel, with the client selecting the most appropriate
> version.
>
> Without much explanation, here's a response header of IIS5 for a
> request requiring authentication:
>
> HTTP/1.1 401 Unauthorized
> Server: Microsoft-IIS/5.0
> Date: Mon, 17 Sep 2001 14:01:05 GMT
> WWW-Authenticate: Negotiate
> WWW-Authenticate: NTLM
> WWW-Authenticate: Basic realm="my.fsc.net"
> Set-Cookie: RQFW={CC8D82ED-2EC6-446D-8013-68DA01CFE353}; path=/;
> Cache-Control: private
> Content-Type: text/html; charset=utf-8
> Content-Length: 1509
>
> For Apache, the alternatives "Basic" and "Digest" would be more appropriate,
> of course. But AFAICS Apache does not allow for accepting multiple
> schemes alternatively.
>
> In RFC2617, I find a reference of multiple WWW-Authenticate headers:
>
> > 4.6 Weakness Created by Multiple Authentication Schemes
> >
> > An HTTP/1.1 server may return multiple challenges with a 401 (Authenticate)
> > response, and each challenge may use a different auth-scheme. A user agent MUST
> > choose to use the strongest auth-scheme it understands and request credentials
> > from the user based upon that challenge.
> >
> > Note that many browsers will only recognize Basic and will require that it be
> > the first auth-scheme presented. Servers should only include Basic if it is
> > minimally acceptable.
> >
> > When the server offers choices of authentication schemes using the
> > WWW-Authenticate header, the strength of the resulting authentication is only
> > as good as that of the weakest of the authentication schemes. See section 4.8
> > below for discussion of particular attack scenarios that exploit multiple
> > authentication schemes.
>
> Now my question is:
>
> * is this feature standardized? (The first "WWW-Authenticate: Negotiate"
> looks fishy to me)
>
> * how could Apache be configured to support multiple auth schemes for
> a given resource in parallel? Currently, "AuthType Digest" allows
> only one argument, and using it multiple times just replaces the
> current setting.
>
> Martin
>
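The RFC 2617 section 4.6 rules quoted in Martin's mail (pick the strongest understood scheme; the set is only as strong as its weakest member), worked through in Python as an added example that is not code from this thread, from Apache or from IIS. It goes a step beyond the IIS headers shown: it also handles several challenges packed into one comma-separated WWW-Authenticate header, where commas double as Digest parameter separators. The strength ranking, the parser and the sample header lists are assumptions constructed for the example; the IIS one is modelled on the quoted response.

```python
from typing import Dict, List, Optional, Tuple

# Ranking for the s.4.6 rule "choose the strongest auth-scheme it understands"; the
# ordering itself is an assumption of this example, not something the RFC fixes.
STRENGTH = {"negotiate": 3, "ntlm": 2, "digest": 1, "basic": 0}
# Constructed header lists: one modelled on the IIS 5.0 response quoted above, one with
# several challenges in a single header, where commas also separate the Digest params.
IIS_401 = [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM"),
           ("WWW-Authenticate", 'Basic realm="my.fsc.net"'), ("Content-Length", "1509")]
COMBINED_401 = [("WWW-Authenticate",
                 'Digest realm="my.fsc.net", nonce="abc", qop="auth", Basic realm="my.fsc.net"')]

def _split_commas(value: str) -> List[str]:
    # Split on commas outside quoted-strings (backslash escapes are not handled).
    parts, buf, quoted = [], [], False
    for ch in value:
        quoted ^= (ch == '"')
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_challenges(headers: List[Tuple[str, str]]) -> List[Tuple[str, Dict[str, str]]]:
    # Every challenge from every WWW-Authenticate header, in wire order.
    out: List[Tuple[str, Dict[str, str]]] = []
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        for piece in _split_commas(value):
            head, _, rest = piece.partition(" ")
            if "=" in head:                    # name=value: a param of the current challenge
                if out:
                    k, _, v = piece.partition("=")
                    out[-1][1][k.strip().lower()] = v.strip().strip('"')
                continue
            params: Dict[str, str] = {}
            if "=" in rest.rstrip("="):        # first auth-param (a bare token68 blob has no
                k, _, v = rest.partition("=")  # "=" except base64 padding, which is stripped)
                params[k.strip().lower()] = v.strip().strip('"')
            out.append((head.lower(), params))
    return out

def assess(headers, allow_basic: bool = False) -> Tuple[Optional[str], Optional[str]]:
    # (scheme a careful client picks, scheme that bounds the set's strength per s.4.6).
    offered = [s for s, _ in parse_challenges(headers) if s in STRENGTH]
    usable = [s for s in offered if allow_basic or s != "basic"]
    chosen = max(usable, key=STRENGTH.__getitem__) if usable else None
    weakest = min(offered, key=STRENGTH.__getitem__) if offered else None
    return chosen, weakest
```

For the IIS headers `assess(IIS_401)` picks Negotiate while reporting Basic as the bounding scheme, which is exactly the tension section 4.6 warns about when Basic is offered alongside stronger schemes.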