Authorize HTTPHeader

Hi all, I’m trying to read values out of the ‘authorization’ host header. I can get the values easily enough, but the ‘authorization’ header is somewhat elusive.

For connections requiring authorization the process appears to flow:
Client -> Server [request]
Client <- Server [401]
Client -> Server [request +auth]
(success)
Client <-> Server [request/response normal – future auth not required/port secure]

The site does not allow anonymous connections so I assume the first two steps happen at an IIS level with ASP.NET having no knowledge. It seems that it should be possible to determine the successful second request with credentials. Unfortunately I am only seeing spotty results on the connection.

If I run in debug [(A) –> Server] I (A) can see authorization requests.
Sometimes the Authorization comes up as NTLM and other times as Negotiate with the exact same machine settings.
If I deploy the project to an intermediary server [A –> (B) –> Server] sometimes B sees the authorization requests, sometimes not.

I am passing good credentials and receiving validation because even when I'm not seeing the Authorization header (writing to the event log), the site is still allowing access - the vdir is restricted to Integrated Windows Authentication.

[code snippet in Global.asax session_start]

string strMessage = "No message";
// Walk every request header and every value of each header.
foreach(string header in System.Web.HttpContext.Current.Request.Headers)
{
    foreach(string headerValue in System.Web.HttpContext.Current.Request.Headers.GetValues(header))
    {
        strMessage = String.Format("Header Name: {0}\nHeader Value: {1}", header, headerValue);
        if(header == "Authorization")
        {
            string s = "";
            string head = ""; // scheme, e.g. NTLM or Negotiate
            string tail = ""; // Base64 token that follows the scheme
            try{head = headerValue.Split(' ')[0];}
            catch(Exception ex){System.Diagnostics.Debug.WriteLine("head failed");}
            try{tail = headerValue.Split(' ')[1];}
            catch(Exception ex){System.Diagnostics.Debug.WriteLine("tail failed");}
            try
            {
                // Decode the token; binary tokens will not be readable ASCII.
                s = System.Text.ASCIIEncoding.ASCII.GetString(System.Convert.FromBase64String(tail));
            }
            catch{System.Diagnostics.Debug.WriteLine("Binary Base64");}
            finally
            {
                strMessage += "\nAuthHttpHeader Decoded: " + s;
            }
        }
        System.Diagnostics.Debug.WriteLine(strMessage);
    }
}

[snippet end]

Overall I’m looking to determine if the client browser’s authorization scheme is NTLMSSP, I just can’t reliably get this information.

Thanks for any ideas,
Bill

Nov 15 '05 #1
if you use ntlm, then it goes like this

client -> server [request]
client <- server [401 ntlm] -- list valid auth protocols

client -> server [ntlm challenge] connection left open
client <- server [ntlm response] connection left open

client -> server [request] (no auth header required - as the authentication was already done)
client <- server [response 200]
as ntlm requires keepalive (http 1.1), the auth header is not sent on every request.

-- bruce (sqlwork.com)

Nov 15 '05 #2
Thanks for the information Bruce.

Progress
By taking the code out of Session_Start and moving it to Application_AuthenticateRequest I am able to see the authorization header every time. Session_Start would return authorization however it seemed rather sporadic.

We are building an interoffice application that will utilize Windows Authentication. By reading the authorization host header we should be able to determine if ‘Integrated Windows Authentication’ (IWA) is available. I’ve been told in IE 5.5 it’s always enabled and in IE 6 it appears as a checkbox (Tools -> Internet Options -> Advanced -> Security -> Enable Integrated Windows Authentication).

The code snippet should determine if this box is checked in IE 6. I understand that after decoding the authorization header, the first seven characters should be NTLMSSP when IWA is enabled. Test cases are a bit confusing however.
Our product reads the Active Directory, so the test cases are:

A = Local machine hosting site
B = Remote machine hosting site
C = Active Directory
Local [A -> C]
Remote [A -> B -> C]

Location / IWA checkbox (IE6) / Auth Type / Auth decode

Local / enabled / negotiate / NTLMSSP (success)
Local / disabled / NTLM / NTLMSSP (success)
Remote / enabled / negotiate / != NTLMSSP (success)
Remote / disabled / NTLM / NTLMSSP (failure)

This information isn’t very useful or I’m doing something wrong.

Using Application_AuthenticateRequest brings up a second issue: it appears that Application_AuthenticateRequest executes before Session_Start, consequently there isn’t a session. Without a session I don’t know who to give the error to at a later time.

Any and all feedback is appreciated.
Bill
Nov 15 '05 #3
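
Added example, not code from the thread: a C# classifier for the Authorization header value that covers both the handshake legs described in reply #2 and the "NTLMSSP" versus "!= NTLMSSP" rows in the table above. It checks the raw NTLM signature and message type, and recognises GSS-API/SPNEGO framing, which is why a Negotiate token need not decode to NTLMSSP. The class and method names are hypothetical and the sample tokens are constructed.

```csharp
using System;
using System.Linq;
using System.Text;

// Added example; AuthHeaderInspector and Describe are hypothetical names.
static class AuthHeaderInspector
{
    // Raw NTLM messages start with this 8-byte signature.
    static readonly byte[] Sig = Encoding.ASCII.GetBytes("NTLMSSP\0");

    // Classifies an Authorization header value by scheme and token framing.
    public static string Describe(string headerValue)
    {
        if (string.IsNullOrWhiteSpace(headerValue))
            return "no Authorization header on this request";
        string[] parts = headerValue.Trim().Split(new[] { ' ' }, 2);
        string scheme = parts[0];
        if (parts.Length < 2) return scheme + ": no token";

        byte[] token;
        try { token = Convert.FromBase64String(parts[1].Trim()); }
        catch (FormatException) { return scheme + ": token is not valid Base64"; }
        if (token.Length == 0) return scheme + ": empty token";

        // The signature is followed by a little-endian 32-bit message type.
        if (token.Length >= 12 && token.Take(8).SequenceEqual(Sig))
        {
            int type = token[8] | token[9] << 8 | token[10] << 16 | token[11] << 24;
            string name = type == 1 ? "NEGOTIATE" : type == 3 ? "AUTHENTICATE" : "type " + type;
            return scheme + ": raw NTLMSSP, " + name + " message";
        }
        // 0x60 is the ASN.1 [APPLICATION 0] tag that opens a GSS-API token
        // (SPNEGO or Kerberos); 0xA1 opens a SPNEGO continuation token.
        if (token[0] == 0x60 || token[0] == 0xA1)
            return scheme + ": GSS-API/SPNEGO framing, not raw NTLMSSP";
        return scheme + ": unrecognised token";
    }

    static void Main()
    {
        // Constructed sample tokens, not captured traffic.
        byte[] ntlm1 = Sig.Concat(new byte[] { 1, 0, 0, 0 }).ToArray();
        byte[] ntlm3 = Sig.Concat(new byte[] { 3, 0, 0, 0 }).ToArray();
        byte[] gss = { 0x60, 0x08, 0x06, 0x06, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x02 };
        Console.WriteLine(Describe("NTLM " + Convert.ToBase64String(ntlm1)));
        Console.WriteLine(Describe("Negotiate " + Convert.ToBase64String(ntlm3)));
        Console.WriteLine(Describe("Negotiate " + Convert.ToBase64String(gss)));
        Console.WriteLine(Describe(null));
    }
}
```

In the thread's setup, `Describe` would be called from Application_AuthenticateRequest with `Request.Headers["Authorization"]`; a null result on later requests of a kept-alive connection is expected, as reply #2 explains.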
