Jason Viers
2007-07-12 21:30:07 UTC
I have some WinHTTP code that fetches pages with NTLM authentication for
the current user, via WinHttpSetCredentials. When launched from the
console logged in as MY_DOMAIN/RandomUser, it works fine - sniffing the
traffic shows the NTLM handshake with the response to the challenge
specifying the domain "MY_DOMAIN" and user "RandomUser", and I get the
successes / failures that I expect.
-------------------------
I have an ISAPI Extension that is being used as a Wildcard Application
Map in IIS 6. Its virtual directory has anonymous access disabled, so
the users are authenticated before ISAPI's HttpExtensionProc is called.
If I open the address and authenticate to it as MY_DOMAIN\Randomuser,
then GetUserNameEx will show me as being "MY_DOMAIN\RandomUser" within
HttpExtensionProc. However, if I attempt to use the same "WinHttp &
NTLM" code mentioned above, the WinHTTP's NTLM handshake will not be
done as RandomUser, but anonymously. The "user" and "domain" in the
response to the challenge are NULL, and the "anonymous access" bit of
the flags is asserted. A packet dump of this can be supplied if desired.
If I try to fetch a page from ISAPI that is on the same machine as IIS,
it does proper NTLM negotiation -- or rather, that's what the results
indicate. I don't know what the handshake looks like, as it's all
localhost so I can't sniff it with Wireshark.
-----------------------------------
This happens regardless of whether the application pool is set to run as
Network Service or Local System. Is there some permission that IIS is
lacking in order to perform this NTLM authentication?
Thanks
Jason
[1] using the call WinHttpSetCredentials( hRequest,
WINHTTP_AUTH_TARGET_SERVER, WINHTTP_AUTH_SCHEME_NTLM, NULL, NULL, NULL)
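The check described in the post above (reading the user, the domain and the anonymous flag out of the response to the challenge) can be scripted against a captured `Authorization: NTLM ...` header value. This is an added example, not code from the original post: `parse_type3` and `build_sample` are hypothetical names, both tokens are constructed rather than captured, and cp437 is an assumed OEM code page.

```python
import base64
import struct

NEGOTIATE_UNICODE = 0x00000001    # strings are UTF-16LE rather than OEM
NEGOTIATE_ANONYMOUS = 0x00000800  # shown by Wireshark as "Negotiate Anonymous"

def parse_type3(header_value):
    """Decode the Type 3 (authenticate) token from an 'NTLM <base64>' value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM authorization header")
    msg = base64.b64decode(token.strip(), validate=True)
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("truncated or non-NTLMSSP token")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not a Type 3 (authenticate) message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # assumed OEM

    def field(pos):
        # Each field is a (length, max length, payload offset) descriptor.
        length, _, offset = struct.unpack_from("<HHI", msg, pos)
        if offset + length > len(msg):
            raise ValueError("field points past end of message")
        return msg[offset:offset + length]

    user, nt = field(36).decode(codec), field(20)
    return {
        "domain": field(28).decode(codec),
        "user": user,
        "workstation": field(44).decode(codec),
        "nt_response_len": len(nt),
        # Anonymous logon: flag set, or empty user name with no NT response.
        "anonymous": bool(flags & NEGOTIATE_ANONYMOUS) or (user == "" and not nt),
    }

def build_sample(domain, user, host, nt_resp, flags):
    """Build a Type 3 token for the demo (constructed data, not a capture)."""
    lm = b"\x00" * 24 if nt_resp else b"\x00"
    parts = [lm, nt_resp, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), host.encode("utf-16-le"), b""]
    head, body = b"NTLMSSP\x00" + struct.pack("<I", 3), b""
    for p in parts:  # LM, NT, domain, user, workstation, session key
        head += struct.pack("<HHI", len(p), len(p), 64 + len(body))
        body += p
    return "NTLM " + base64.b64encode(head + struct.pack("<I", flags) + body).decode()

ANON_HEADER = build_sample("", "", "WEBSRV", b"", NEGOTIATE_UNICODE | NEGOTIATE_ANONYMOUS)
USER_HEADER = build_sample("MY_DOMAIN", "RandomUser", "WEBSRV", b"\x00" * 24, NEGOTIATE_UNICODE)
```
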