
Authorize HTTPHeader

Hi all, I’m trying to read values out of the ‘authorization’ host header. I can get the values easily enough, but the ‘authorization’ header is somewhat elusive.

For connections requiring authorization the process appears to flow:
Client -> Server [request]
Client <- Server [401]
Client -> Server [request +auth]
(success)
Client <-> Server [request/response normal – future auth not required/port secure]

The site does not allow anonymous connections so I assume the first two steps happen at an IIS level with ASP.NET having no knowledge. It seems that it should be possible to determine the successful second request with credentials. Unfortunately I am only seeing spotty results on the connection.

If I run in debug [(A) –> Server] I (A) can see authorization requests.
Sometimes the Authorization comes up as NTLM and other times as Negotiate with the exact same machine settings.
If I deploy the project to an intermediary server [A –> (B) –> Server] sometimes B sees the authorization requests, sometimes not.

I am passing good credentials and receiving validation because even when I'm not seeing the Authorization header (writing to the event log), the site is still allowing access - the vdir is restricted to Integrated Windows Authentication.

[code snippet in Global.asax session_start]

string strMessage = "No message";
foreach (string header in System.Web.HttpContext.Current.Request.Headers)
{
    foreach (string headerValue in System.Web.HttpContext.Current.Request.Headers.GetValues(header))
    {
        strMessage = String.Format("Header Name: {0}\nHeader Value: {1}", header, headerValue);
        if (header == "Authorization")
        {
            string s = "";
            string head = ""; // auth scheme, e.g. NTLM or Negotiate
            string tail = ""; // Base64-encoded token
            try { head = headerValue.Split(' ')[0]; }
            catch (Exception) { System.Diagnostics.Debug.WriteLine("head failed"); }
            try { tail = headerValue.Split(' ')[1]; }
            catch (Exception) { System.Diagnostics.Debug.WriteLine("tail failed"); }
            try
            {
                // Decode the token and view it as ASCII text
                s = System.Text.ASCIIEncoding.ASCII.GetString(System.Convert.FromBase64String(tail));
            }
            catch { System.Diagnostics.Debug.WriteLine("Binary Base64"); }
            finally
            {
                strMessage += "\nAuthHttpHeader Decoded: " + s;
            }
        }
        System.Diagnostics.Debug.WriteLine(strMessage);
    }
}

[snippet end]

Overall I’m looking to determine if the client browser’s authorization scheme is NTLMSSP, I just can’t reliably get this information.

Thanks for any ideas,
Bill

Nov 18 '05 #1
if you use ntlm, then it goes like this

client -> server [request]
client <- server [401 ntlm] -- list valid auth protocols

client -> server [ntlm challenge] connection left open
client <- server [ntlm response] connection left open

client -> server [request] (no auth header required - as the authentication was already done)
client <- server [response 200]

as ntlm requires keepalive (http 1.1), the auth header is not sent on every request.

-- bruce (sqlwork.com)

Nov 18 '05 #2
Thanks for the information Bruce.

Progress:
By taking the code out of Session_Start and moving it to Application_AuthenticateRequest I am able to see the authorization header every time. Session_Start would return authorization, however it seemed rather sporadic.

We are building an interoffice application that will utilize Windows Authentication. By reading the authorization host header we should be able to determine if ‘Integrated Windows Authentication’ (IWA) is available. I’ve been told in IE 5.5 it’s always enabled and in IE 6 it appears as a checkbox (Tools -> Internet Options -> Advanced -> Security -> Enable Integrated Windows Authentication).

The code snippet should determine if this box is checked in IE 6. I understand that after decoding the authorization header, the first seven characters should be NTLMSSP when IWA is enabled. Test cases are a bit confusing however.
Our product reads the Active Directory, so the test cases are:

A = Local machine hosting site
B = Remote machine hosting site
C = Active Directory
Local [A -> C]
Remote [A -> B -> C]

Location / IWA checkbox (IE6) / Auth Type / Auth decode

Local / enabled / negotiate / NTLMSSP (success)
Local / disabled / NTLM / NTLMSSP (success)
Remote / enabled / negotiate / != NTLMSSP (success)
Remote / disabled / NTLM / NTLMSSP (failure)

This information isn’t very useful or I’m doing something wrong.

Using Application_AuthenticateRequest brings up a second issue: it appears that the Application_AuthenticateRequest executes before Session_Start, consequently there isn’t a session. Without a session I don’t know who to give the error to at a later time.

Any and all feedback is appreciated.
Bill
Nov 18 '05 #3
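
A byte-level version of the check discussed in this thread, as an added example that is not any poster's code: it compares the decoded token against the `NTLMSSP\0` signature instead of reading it as ASCII text, and recognises GSS-API/SPNEGO tokens by their first byte. `AuthHeaderInspector`, `Classify` and the sample tokens are constructed for illustration; the SPNEGO branch is a heuristic, not a full ASN.1 parse.

```csharp
using System;
using System.Text;

public static class AuthHeaderInspector
{
    // Every NTLM message begins with this 8-byte signature.
    static readonly byte[] Sig = Encoding.ASCII.GetBytes("NTLMSSP\0");

    public static string Classify(string headerValue)
    {
        if (string.IsNullOrEmpty(headerValue)) return "no Authorization header";
        string[] parts = headerValue.Trim().Split(new[] { ' ' }, 2);
        if (parts.Length < 2) return parts[0] + ": no token";
        byte[] t;
        try { t = Convert.FromBase64String(parts[1].Trim()); }
        catch (FormatException) { return parts[0] + ": token is not Base64"; }

        int at = IndexOf(t, Sig);
        if (at == 0 && t.Length >= 12)
        {
            // Little-endian message type: 1 = negotiate, 2 = challenge, 3 = authenticate.
            int type = t[8] | t[9] << 8 | t[10] << 16 | t[11] << 24;
            return parts[0] + ": raw NTLMSSP, message type " + type;
        }
        // 0x60 opens a GSS-API initial token, 0xA1 a SPNEGO response token.
        if (t.Length > 0 && (t[0] == 0x60 || t[0] == 0xA1))
            return parts[0] + (at > 0 ? ": GSS-API/SPNEGO wrapping NTLMSSP"
                                      : ": GSS-API/SPNEGO without NTLMSSP (e.g. Kerberos)");
        return parts[0] + ": unrecognised token";
    }

    // Byte-wise search, so an NTLMSSP blob nested inside SPNEGO is still found.
    static int IndexOf(byte[] hay, byte[] needle)
    {
        for (int i = 0; i + needle.Length <= hay.Length; i++)
        {
            int j = 0;
            while (j < needle.Length && hay[i + j] == needle[j]) j++;
            if (j == needle.Length) return i;
        }
        return -1;
    }

    public static void Main()
    {
        // Constructed sample tokens, not captured traffic.
        byte[] ntlm = new byte[16];
        Sig.CopyTo(ntlm, 0);
        ntlm[8] = 1; // type 1 (negotiate)
        // Stub GSS-API header carrying only the SPNEGO OID 1.3.6.1.5.5.2.
        byte[] spnego = { 0x60, 0x06, 0x06, 0x06, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x02 };
        Console.WriteLine(Classify("NTLM " + Convert.ToBase64String(ntlm)));
        Console.WriteLine(Classify("Negotiate " + Convert.ToBase64String(ntlm)));
        Console.WriteLine(Classify("Negotiate " + Convert.ToBase64String(spnego)));
    }
}
```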
