Web Application Testing

  • Question

  • User1697794668 posted

    Hi there,

    I am working on a web application running on IIS Web Core.

    The detailed error info is IIS Web Core

    Notification is Authentication Request

    The handler is PageHandlerFactory-ISAPI-4.0_64bit.

    The problem is I can't replay the request through Firefox Edit and Resend.

    Please advise.

    Tuesday, August 25, 2020 1:06 AM

All replies

  • User-1330468790 posted

    Hi alvinoo,

     

    Could you please share a more detailed error message about the issue?

    Since the problem can be various, e.g. bad modules for "ManagedPipelineHandler" or "IsapiModule", it is recommended that you post the screenshot/text for error messages so that we could narrow down the problem.

     

    Thank you for understanding.

      

    Best regards,

    Sean 

    Tuesday, August 25, 2020 1:59 AM
  • User1697794668 posted

    Hi there,

    Please refer to the above images.

    https://imgur.com/a/zjHVsKC

    Tuesday, August 25, 2020 2:20 AM
  • User-1330468790 posted

    Hi alvinoo,

     

    I can see that the error code is 401.2 which means that your server and the browser are following 2 different authentication protocols. The problem is due to the configuration of the authentication settings within IIS.

    There is an explicit resolution for this error code:  Error Message: HTTP 401.2 - Unauthorized: Logon Failed Due to Server Configuration with No Authentication

    Cause:

    The authentication methods that were tried are either disabled, or you are attempting to use NTLM through a proxy server.

    Resolution:

    To resolve this problem, enable at least one authentication method. To do this, follow these steps:

    1. From the Start menu, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
    2. Under the Tree pane, browse to the desired Web site.
    3. Right-click the Web site, and then click Properties.
    4. On the Directory Security tab, under Anonymous access and authentication control, click Edit.
    5. Select (and implement) at least one type of authentication method.

    You could also open IIS Manager (IIS 7) from the Search box: a) Click Start. b) In the Start Search box, type inetmgr and press ENTER.

     

    Related Links:

    https://support.microsoft.com/en-us/help/253667/error-message-http-401.2---unauthorized-logon-failed-due-to-server-configuration-with-no-authentication

    https://technet.microsoft.com/en-us/library/cc771077(v=ws.10).aspx

    http://stackoverflow.com/questions/6033878/web-site-configuration

     

    Hope this can help you.

    Best regards,

    Sean

    Tuesday, August 25, 2020 7:31 AM
  • User1697794668 posted

    Hi Sean

    The webmaster has enabled NTLM Negotiate. I did log in through the site via NTLM Negotiate.

    Yes I am trying to proxy through the server, is there any workaround?

    Tuesday, August 25, 2020 7:36 AM
  • User1697794668 posted

    Hi there,

    Separately, I want to ask:

    runas /user:domain.com\user01 "C:\Program Files\Internet Explorer\iexplore.exe"

    If I were to run the following, is it the same as entering the username and password in the browser when there is a pop-up?

    Wednesday, August 26, 2020 2:47 AM
  • User-1330468790 posted

    Hi alvinoo, 

     

    It is a bit complicated, so you will probably feel that the content below is too much.

    First of all, the negotiate and NTLM are different authentications.

    In short, Negotiate = Kerberos = Ticket and NTLM = Username & Password.

    Explanation from Document:

    Negotiate authentication automatically selects between the Kerberos protocol and NTLM authentication, depending on availability. The Kerberos protocol is used if it is available; otherwise, NTLM is tried. Kerberos authentication significantly improves upon NTLM. Kerberos authentication is both faster than NTLM and allows the use of mutual authentication and delegation of credentials to remote machines.

    NT LAN Manager (NTLM) authentication is a challenge-response scheme that is a securer variation of Digest authentication. NTLM uses Windows credentials to transform the challenge data instead of the unencoded user name and password. NTLM authentication requires multiple exchanges between the client and server. The server and any intervening proxies must support persistent connections to successfully complete the authentication.

    If you want to identify which one causes the problem, you could use a capture tool (such as Fiddler or Wireshark) to check the differences between them.

    You could follow this if you are interested: http://www.adopenstatic.com/cs/blogs/ken/archive/2006/08/02/Two-easy-_2800_easier_3F002900_-ways-to-determine-Kerberos-from-NTLM-in-a-HTTP-capture.aspx

     

    Reason => NTLM with proxy

    However, the problem is that a proxy might not understand the NTLM correctly over HTTP/HTTPS. Integrated Authentication (NTLM) is a connection-based authentication protocol, meaning that an authenticated connection between a client and server is the only proof of authenticity. This works fine in Intranet scenarios, but for Internet scenarios a lot of network devices in between the client and server can either not support or mishandle NTLM (such as Proxy Server connection pooling/multiplexing), causing unexpected 401.2. 

     

    Suggestions:

    I think there are two options for resolving this 401.2 error.

    • Change the NTLM to another proper authentication, e.g. Kerberos.
    • Use a proxy server which supports persistent connections.

     

    Related:

    https://forums.iis.net/t/1205693.aspx

    https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/understanding-http-authentication

     

    Hope this can help you.

    Best regards,

    Sean

    Wednesday, August 26, 2020 10:14 AM
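An added example, not part of the original reply: a heuristic for reading the Authorization headers in a Fiddler or Wireshark capture to tell NTLM from Kerberos, and to spot an NTLM handshake whose messages were split across connections, which is the proxy failure described above. The function names, connection ids and sample tokens are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER of 1.2.840.113554.1.2.2

def classify(header_value):
    """Return (mechanism, detail) for an Authorization/WWW-Authenticate value."""
    scheme, _, token = header_value.strip().partition(" ")
    if not token:
        return (scheme, "no token")      # e.g. the server's bare "Negotiate" offer
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return (scheme, "invalid base64")
    pos = raw.find(NTLMSSP_SIG)          # raw NTLM, or NTLM wrapped in SPNEGO
    if pos != -1 and len(raw) >= pos + 12:
        (msg_type,) = struct.unpack_from("<I", raw, pos + 8)
        return ("NTLM", NTLM_TYPES.get(msg_type, "type %d" % msg_type))
    if raw[:1] == b"\x60" and KRB5_OID in raw:   # GSS-API token naming Kerberos
        return ("Kerberos", "GSS-API token")
    return ("unknown", "unrecognised token")

def split_handshakes(requests):
    """requests: (connection_id, Authorization value) pairs in capture order.
    Returns the connections that carried an NTLM AUTHENTICATE message without
    a NEGOTIATE message having been seen on that same connection."""
    negotiated, broken = set(), []
    for conn, value in requests:
        mech, detail = classify(value)
        if mech != "NTLM":
            continue
        if detail == "NEGOTIATE":
            negotiated.add(conn)
        elif detail == "AUTHENTICATE" and conn not in negotiated:
            broken.append(conn)
    return broken

def _b64(data):
    return base64.b64encode(data).decode()

# Constructed sample tokens: correct framing only, no real credentials or tickets.
TYPE1 = "NTLM " + _b64(NTLMSSP_SIG + struct.pack("<II", 1, 0x00088207))
TYPE3 = "NTLM " + _b64(NTLMSSP_SIG + struct.pack("<I", 3) + b"\x00" * 52)
KRB = "Negotiate " + _b64(b"\x60\x82\x05\x00" + KRB5_OID + b"\x00" * 16)

if __name__ == "__main__":
    print(classify(TYPE1), classify(KRB))
    print(split_handshakes([("conn-1", TYPE1), ("conn-2", TYPE3)]))
```

In a capture, the same distinction is visible by eye: NTLM tokens begin with `TlRMTVNTUA`, while Kerberos tokens typically begin with `YII`.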
  • User1697794668 posted

    Hi Sean, 

    I have managed to proxy the NTLM authentication.

    Can I clarify that, in the application, if the user is using NTLM authentication on Windows, the user will not be logged out unless the user logs out completely?

    Monday, September 21, 2020 8:41 AM