Re: WebDAV problem with digest authentication behind firewall

From: Remco (Remco_at_discussions.microsoft.com)
Date: 07/28/04


Date: Wed, 28 Jul 2004 02:05:03 -0700

Yes, I'm using IIS 6.0 on a Windows 2003 Enterprise server which is a member of a Windows 2000 ADS.

It doesn't matter whether I use a host name or an IP address. The result is the same, both internal and external.

I only use digest authentication.

"Bernard" wrote:

> So you are using IIS 6.0; the order of the log fields is different from 5.0 to
> 6.0.
> Now, to look further: win-status = 2148074254, which stands for
> "No credentials are available in the security package"
>
> How do you access the WebDAV site? IP? Hostname? Same for
> internal and external?
>
> Digest is just like basic, except the credential is hashed, so it should work :)
> Do you enable any other method other than digest auth?
>
> It could be NAT? But no idea...
>
> --
> Regards,
> Bernard Cheah
> http://www.tryiis.com/
> http://support.microsoft.com/
> http://www.msmvps.com/bernard/
>
>
>
> "Remco" <Remco@discussions.microsoft.com> wrote in message
> news:BCF47800-16A3-410B-8890-83ABD302ED95@microsoft.com...
> > 129.125.159.175 is the workstation I use to test the website from outside the firewall. 192.168.40.101 is the one from inside the firewall. They both attempt to make a connection to server 192.168.40.19. The only exception is that 129.125.159.175 makes a connection using NAT to the server behind the firewall.
> >
> > The tests from the 2 machines were the same. They both tried making a connection and they both got a logon box. Only they were 2 different logon boxes. The machine behind the firewall got the right digest authentication logon box, but the other outside the firewall got a logon box similar to a Windows integrated login. In the last box I also entered the username wees3, but the result in the log is similar to an anonymous user. Anonymous user logon is disabled, so it isn't strange that you get a 401 error. The only thing is why the right logon box isn't showing and why it doesn't pass the logon credentials through the firewall (TCP port 80 is open).
> > When I use basic authentication it works fine from both workstations.
> >
> >
> >
> > "Bernard" wrote:
> >
> > > I'm confused too :)
> > > There are 2 server IPs involved, 129.125.159.175 and 192.168.40.101?
> > > You have 401.2 during the first try for the anonymous user - Logon failed due to server configuration. This might be caused by default anonymous access, before it logs in as 'wees3'... after that you get a 207 response (multi-status)?
> > >
> > > What does the log file look like if you are using WebDAV internally?
> > >
> > > IE should have the user credential + the realm and send it to the server via port 80, just like basic...
> > >
> > >
> > > --
> > > Regards,
> > > Bernard Cheah
> > > http://www.tryiis.com/
> > > http://support.microsoft.com/
> > > http://www.msmvps.com/bernard/
> > >
> > >
> > >
> > > "Remco" <Remco@discussions.microsoft.com> wrote in message
> > > news:1CED75AA-6AB7-4D3E-965C-005818A12D8C@microsoft.com...
> > > > Hi Bernard,
> > > > Only a confirmation of what I see (except for the WebDAV Miniredir?)
> > > >
> > > > 2004-07-26 08:13:55 192.168.40.19 PROPFIND /upload - 80 - 129.125.159.175 Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 2148074254
> > > > 2004-07-26 08:13:55 192.168.40.19 PROPFIND /upload - 80 - 129.125.159.175 Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 2148074254
> > > > 2004-07-26 08:13:55 192.168.40.19 PROPFIND /upload - 80 - 129.125.159.175 Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 2148074254
> > > > 2004-07-26 08:36:10 192.168.40.19 PROPFIND /upload - 80 - 192.168.40.101 Microsoft+Data+Access+Internet+Publishing+Provider+DAV 401 2 2148074254
> > > > 2004-07-26 08:36:34 192.168.40.19 PROPFIND /upload - 80 wees3 192.168.40.101 Microsoft+Data+Access+Internet+Publishing+Provider+DAV 207 0 0
> > > > 2004-07-26 08:36:34 192.168.40.19 PROPFIND /upload - 80 wees3 192.168.40.101 Microsoft+Data+Access+Internet+Publishing+Provider+DAV 207 0 0
> > > >
> > > >
> > > > I don't know exactly what the difference is between the WebDAV Miniredir and the Microsoft+Data+Access+Internet+Publishing+Provider+DAV. Maybe you?
> > > > Regards,
> > > > Remco
> > > > University of Groningen
> > > >
> > > >
> > > >
> > > > "Bernard" wrote:
> > > >
> > > > > Weird indeed. Anything special in IIS log file ?
> > > > >
> > > > > --
> > > > > Regards,
> > > > > Bernard Cheah
> > > > > http://www.tryiis.com/
> > > > > http://support.microsoft.com/
> > > > > http://www.msmvps.com/bernard/
> > > > >
> > > > >
> > > > >
> > > > > "Remco" <Remco@discussions.microsoft.com> wrote in message
> > > > > news:2EBB1445-1946-416A-AFAB-988A26302492@microsoft.com...
> > > > > > I'm having a strange problem while using WebDAV with digest authentication.
> > > > > > On my website I only use digest authentication; all other authentication methods are disabled and it's working well now. The only problem is when logging in to a WebDAV upload directory through a firewall. Then I can't authenticate and I also get an authentication box similar to basic authentication and not the digest authentication login box. When I try it from within the firewall it's working fine for this WebDAV upload directory. Other digest authentication (just normal websites) is working fine, both in and outside the firewall.
> > > > > > On the firewall I've got a rule that allows TCP port 80. That should be enough for WebDAV...
> > > > > >
> > > > > > Can anyone help me?
> > > > > >
> > > > >
> > > > >
> > > > >
> > >
> > >
> > >
>
>
>
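
Added example, not part of the original thread: a short Python script that parses the six log lines Remco posted and groups them by client and user agent, so the difference between the external and internal attempts is visible at a glance. It assumes the IIS 6.0 default W3C field order (the thread shows no `#Fields` header), and the symbolic name SEC_E_NO_CREDENTIALS for 2148074254 (0x8009030E) is supplied here; the thread gives only the message text.

```python
from collections import defaultdict

# Assumed field order: the IIS 6.0 default W3C set, which matches the thread's lines.
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status").split()

# Only the two sc-win32-status values seen in the thread are named.
WIN32 = {0x00000000: "success", 0x8009030E: "SEC_E_NO_CREDENTIALS"}

# Log lines from the thread, re-joined to one request per line.
LOG = """\
2004-07-26 08:13:55 192.168.40.19 PROPFIND /upload - 80 - 129.125.159.175 Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 2148074254
2004-07-26 08:13:55 192.168.40.19 PROPFIND /upload - 80 - 129.125.159.175 Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 2148074254
2004-07-26 08:13:55 192.168.40.19 PROPFIND /upload - 80 - 129.125.159.175 Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 2148074254
2004-07-26 08:36:10 192.168.40.19 PROPFIND /upload - 80 - 192.168.40.101 Microsoft+Data+Access+Internet+Publishing+Provider+DAV 401 2 2148074254
2004-07-26 08:36:34 192.168.40.19 PROPFIND /upload - 80 wees3 192.168.40.101 Microsoft+Data+Access+Internet+Publishing+Provider+DAV 207 0 0
2004-07-26 08:36:34 192.168.40.19 PROPFIND /upload - 80 wees3 192.168.40.101 Microsoft+Data+Access+Internet+Publishing+Provider+DAV 207 0 0
"""

def describe_win32(code):
    """Render sc-win32-status as the unsigned 32-bit hex value used in Windows headers."""
    code &= 0xFFFFFFFF  # some tools print the same value as a negative signed integer
    return f"0x{code:08X} {WIN32.get(code, 'unknown')}"

def parse(line):
    """Split one log line into a dict keyed by the assumed W3C field names."""
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}: {line!r}")
    return dict(zip(FIELDS, values))

def summarize(text):
    """Group requests by (client IP, user agent) and record how authentication went."""
    out = defaultdict(lambda: {"requests": 0, "denied": 0, "users": set(), "win32": set()})
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):  # skip blanks and W3C directives
            continue
        rec = parse(line)
        entry = out[(rec["c-ip"], rec["cs(User-Agent)"])]
        entry["requests"] += 1
        if rec["sc-status"] == "401":
            entry["denied"] += 1
        if rec["cs-username"] != "-":  # "-" means no authenticated user was logged
            entry["users"].add(rec["cs-username"])
        entry["win32"].add(describe_win32(int(rec["sc-win32-status"])))
    return dict(out)

if __name__ == "__main__":
    for (ip, agent), e in summarize(LOG).items():
        print(ip, agent, e["requests"], "requests,", e["denied"], "denied,",
              "users:", sorted(e["users"]) or "none", "|", sorted(e["win32"]))
```
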


