Trying to use Digest Authentication for Folder Protection
Posted
by Jon Hazlett
on Server Fault
See other posts from Server Fault
or by Jon Hazlett
Published on 2009-07-10T20:20:11Z
Indexed on
2010/04/03
0:03 UTC
Read the original article
Hit count: 604
StackOverflow users suggested I try my question here.
I'm using Server 2008 EE and IIS 7. I've got a site that I've migrated over from XP Pro using IIS 5.
On the old system, I was using IIS Password to use simple .htaccess files to control a couple of folders that I didn't want to be publicly viewable.
Now that I'm running a full-blown DC with a more powerful version of IIS, I decided it'd be a good idea to start using something slightly more sophisticated. After doing my research and trying to keep things as cheap as possible with a touch of extra security, I decided that Digest Authentication would be the best way to go.
My issue is this:
With Anon access disabled and Digest enabled, I am never prompted for credentials.
- when on the server, viewing domain[dot]com/example will simply show my 401.htm page without prompting me for credentials.
- when on a different network/computer, viewing domain[dot]com/example again shows my 401.htm without prompting for credentials.
At the site level I only have Anon enabled. Every subfolder, unless I want it protected, has just Anon enabled. Only the folders I want protected have Anon disabled and Digest enabled.
I have tried editing the bindings to see if that would spark any kind of change... www.domain.com, domain.com, and localhost have all been tried. There was never a change in behavior at any permutation (aside from the page not being found when I un-bound localhost to the site).
I might have screwed up when I deleted the default site from IIS. I didn't think I'd actually need it for anything, but some of what I have read online is telling me otherwise now.
As for Digest settings, I have it pointed to local.domain.com, which is the name assigned to my AD Domain. I'm guessing that's right, but honestly have no clue about what a realm actually is.
Would it matter that I have an A record for local.domain.com pointing to my IP address?
I had problems initially with an absolute link for 401.htm pages, but have since resolved that. Instead of D:\HTTP\401.htm I've used /401.htm and all is well. I used to get error 500's because it couldn't find the custom 401.htm file, but now it loads just fine.
As for some data, I was getting entries like this from access logs:
2009-07-10 17:34:12 10.0.0.10 GET /example/ - 80 - [workip] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2) 401 2 5 132
But after correcting my 401.htm links now get logs like this:
2009-07-10 18:56:25 10.0.0.10 GET /example - 80 - [workip] Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.0.11)+Gecko/2009060215+Firefox/3.0.11 200 0 0 146
I don't know if that means anything or not. I still don't get any credential challenges, regardless of where I try to sign in from ( my workstation, my server, my cellphone even ). The only thing that's seemed to work is viewing localhost and I donno what could be preventing authentication from finding it's way out of the server.
Thanks for any help! Jon
© Server Fault or respective owner