[MS-RPCH] Mistake detected in open specification

  • Question

  • [MS-RPCH] Section 2.1.2.1

    http://msdn.microsoft.com/en-us/library/cc243977%28v=PROT.13%29.aspx

    If instructed by a higher-level protocol in an implementation-specific way, implementations of this protocol MUST require the HTTP implementation on the client to authenticate to the HTTP server running on the inbound proxy or outbound proxy using basic authentication for HTTP [RFC2617] or NTLM authentication for HTTP [MS-NTHT].

    should be...

    ........using basic authentication for HTTP [RFC2617] or NTLM authentication for HTTPS [MS-NTHT].

     

    Or am I wrong?

    Wednesday, December 14, 2011 10:22 AM


All replies

  • Hi Dmitrij,

    Thank you for your question regarding MS-RPCH. One of our engineers will look into this and follow-up soon.

    Regards,

    Edgar

    Wednesday, December 14, 2011 4:01 PM
    Moderator
  • Dmitrij,

    Based on the following text fragments, can you clarify why you are suggesting that:

    … using basic authentication for HTTP [RFC2617] or NTLM authentication for HTTP [MS-NTHT].

    should be...

    ........using basic authentication for HTTP [RFC2617] or NTLM authentication for HTTPS [MS-NTHT].

    “[MS-RPCH] Section 2.1.2.1” starts with the following text.

    RPC over HTTP v2 MUST operate either on top of HTTP or on top of HTTPS. It requires HTTP 1.0 plus connection keep-alive support from HTTP 1.1. Mapping to both protocols happens identically. In this section, mapping is defined only on HTTP, but the same rules apply for HTTPS.<5>

    If instructed by a higher-level protocol in an implementation-specific way, implementations of this protocol MUST require the HTTP implementation on the client to authenticate to the HTTP server running on the inbound proxy or outbound proxy using basic authentication for HTTP [RFC2617] or NTLM authentication for HTTP [MS-NTHT].

    The higher-level protocol MUST provide, in an implementation-specific way, either credentials in the form of user name/password or a client-side certificate. Implementations of this protocol MUST NOT process the credentials or authentication information. Such processing typically happens entirely inside implementations of lower protocol layers.<6>

     

    <6> Section 2.1.2.1: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 support authentication using a client-side SSL/TLS certificate.

    Thanks,

    Edgar

    Wednesday, December 14, 2011 7:48 PM
    Moderator
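
An added example, not part of the thread or of the specification: the quoted section says the same rules apply for HTTP and HTTPS, so the sketch below classifies a client `Authorization` value (Basic per RFC 2617, or an NTLM token as carried in HTTP headers) and shows that only the exposure of a Basic password depends on the transport. The function names and sample values are constructed for illustration.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Constructed sample Authorization values (not captured traffic).
SAMPLE_BASIC = "Basic " + base64.b64encode(b"alice:example-password").decode()
# Signature + message type + zeroed flags only; a real NEGOTIATE message is longer.
SAMPLE_NTLM = "NTLM " + base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<II", 1, 0)).decode()

def classify_auth(header_value):
    """Return (scheme, detail) for a client Authorization header value."""
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.upper()
    try:
        raw = base64.b64decode(token.strip())
    except ValueError:
        return (scheme, "token is not valid base64")
    if scheme == "BASIC":
        user = raw.decode("utf-8", "replace").partition(":")[0]
        return (scheme, "credentials for user " + user)
    if scheme == "NTLM":
        if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
            return (scheme, "malformed NTLMSSP token")
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return (scheme, NTLM_TYPES.get(msg_type, "unknown type %d" % msg_type))
    return (scheme, "scheme not named in the quoted section")

def audit(transport, header_value):
    """transport is 'http' or 'https'; it never changes the classification."""
    scheme, detail = classify_auth(header_value)
    return {
        "scheme": scheme,
        "detail": detail,
        # Basic carries the password itself, so only TLS keeps it off the wire.
        "cleartext_password": scheme == "BASIC" and transport == "http",
    }

if __name__ == "__main__":
    for transport in ("http", "https"):
        for sample in (SAMPLE_BASIC, SAMPLE_NTLM):
            print(transport, audit(transport, sample))
```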
  • In my implementation, after building authentication context, I could not get the connection. The server was returning RPC_S_SEC_PKG_ERROR (0x00000721). However, as I have used NTLM in HTTP authentication, this was solved. But it could be a problem with my implementation of MS-NLMP.

    So if that issue is not known by you, I withdraw my assertion.

    Thursday, December 15, 2011 7:38 AM
  • Dmitrij,

    From your description, this appears to be an implementation issue.

    If you are using Windows SSPI, I would suggest the following forum:
     Windows Security forum
    http://social.msdn.microsoft.com/forums/en-us/windowssecurity/

    Thanks,

    Edgar

    Thursday, December 15, 2011 4:45 PM
    Moderator