I believe that you can set up the IIS to perform a "Windows NT
Challenge/Response" for authentication.  When this is made to IE, the
browser and IIS start to talk a different authentication scheme.

You can turn this off in the IIS setup.

Tim Gallagher

-----Original Message-----
From: Lame, John [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 09, 1999 9:59 PM
To: [EMAIL PROTECTED]
Subject: Authentication and IIS


I've run into what I consider to be a bizarre problem in that it
only shows up when I'm using Internet Explorer to access
a servlet running under IIS (using JRun but I don't believe that
that is relevant).  If I switch to either a different Browser, or
a different Server, the problem goes away.  Only the two
working together causes difficulty.

We have a Servlet which checks for Authorization using

        String login = req.getHeader("Authorization");
and, if login is null or invalid, sends back
        res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        res.setHeader("WWW-Authenticate", "BASIC realm=\"" + realmCode() + "\"");

This works great using JRun under Netscape Enterprise Server
with any Browser and works just fine using JRun under IIS as
long as the Browser isn't Internet Explorer.  However, the
combination of IIS together with Internet Explorer leads to disaster.
After tearing my hair out for several hours, I finally discovered the
following problem.  When the servlet sends an SC_UNAUTHORIZED
through IIS and back to the browser, the actual header received by
the browser is this.  (Extra quotes around Keys and Values are mine.)

        "Server"="Microsoft-IIS/4.0"
        "Date"="Wed, 10 Mar 1999 00:07:08 GMT"
        "Connection"="keep-alive"
        "WWW-Authenticate"="NTLM"
        "Content-Type"="text/html"
        "Content-Length"="265"
        "WWW-Authenticate"="BASIC realm="xtLqRyz293""
        "Connection"="Keep-alive"

Apparently IIS is prepending an additional request for authorization
to the header (thanks a lot bill!).  Now if the browser is anything
other than Internet Explorer, this is not a problem since the "NTLM"
(NT Lan Manager) Authorization Type is apparently ignored and a
nice Base64 encoded "username:password" string is sent back.
However, if the Browser is Internet Explorer, then it sends back
something completely different.  I have no idea how to decode the
result (is that information available somewhere?) and I don't really
want to, since, what I'd really like to do is prevent IIS from prepending
its own WWW-Authenticate line in the first place.  Is there any way
to do this or am I going to be forced to abandon HTTP authentication
entirely?

Thoughts?
John
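To make the header exchange concrete, here is an added Python example (not code from this thread or from JRun/IIS). It parses a 401 response constructed to match the headers John captured, shows which challenge a client picks depending on whether it understands NTLM, and classifies the Authorization header that comes back so a servlet can tell a Basic credential apart from an NTLM token instead of decoding it as username:password. The NTLM token and the Basic credential are constructed samples.

```python
import base64

# Constructed 401 response modelled on the headers John captured (not a real capture):
# IIS adds its own "WWW-Authenticate: NTLM" ahead of the servlet's Basic challenge.
IIS_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/4.0\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: BASIC realm="xtLqRyz293"\r\n'
    "\r\n"
)
BASIC_AUTHORIZATION = "Basic am9objpzZWNyZXQ="  # constructed: base64 of "john:secret"
# Constructed NTLM negotiate token: base64 of the "NTLMSSP\0" signature plus a body.
NTLM_AUTHORIZATION = "NTLM " + base64.b64encode(b"NTLMSSP\0\x01\0\0\0\x07\x82\x08\0").decode()

def challenges(raw_response):
    """Return (scheme, params) for every WWW-Authenticate header, in wire order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    found = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            scheme, _, params = value.strip().partition(" ")
            found.append((scheme.lower(), params.strip()))
    return found

def pick_scheme(raw_response, client_preference):
    """Choose as a client would: the first scheme in its own preference list that was
    offered. A Basic-only browser ignores NTLM; an NTLM-capable one takes it."""
    offered = {scheme for scheme, _ in challenges(raw_response)}
    return next((s for s in client_preference if s in offered), None)

def parse_authorization(header):
    """Classify an Authorization header so the servlet never reads an NTLM token as a
    Basic credential: ("basic", user), ("ntlm", None) or (None, None) if unusable."""
    if not header:
        return (None, None)
    scheme, _, token = header.strip().partition(" ")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return (None, None)
    if scheme.lower() == "basic":
        user, sep, _password = raw.decode("latin-1").partition(":")
        return ("basic", user) if sep else (None, None)
    if scheme.lower() == "ntlm" and raw.startswith(b"NTLMSSP\0"):
        return ("ntlm", None)
    return (None, None)
```

With the NTLM challenge listed first, an NTLM-capable client never sends the Basic credential at all, which is why the servlet only ever sees the unexpected token; removing IIS's own challenge (or handling the NTLM case explicitly) is the fix, not decoding the token.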

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
