Digest Authentication

TheMSsForum.com: The Microsoft Software Forum

Hi

I'm running IIS 5.x on a stand-alone windows 2000 pro connected to the
internet with all the latest security patches installed and using Zone
Alarm Pro as firewall. I have no PDC or BDC for that matter.

When I check the box Integrated Windows authentication in the
authentication window it takes forever to load the asp 3.0 page. But
when I check the box Basic authentication?. instead the asp pages
loads almost immediately. The box Digest Authentication is checked but
grayed out and cannot be changed at least not from this window.

My first question. Am I running an Active Directory Server? As I have
read that this has something to do with Digest Authentication. I don't
think so but how can I disable it. And is this the reason for the lag?

Here are the NTFS permissions on the folder which is not buy the way
is located under wwwroot but on an other partition

Admin full
IUSR read & execute & write
IWAM read & execute & write
NETWORK read & execute
SYSTEM full


Here are some particulars for the Virtual Directory

The designated directory

Scripts source access
read
write

This is NOT an application but a more secure folder under the root.
Execute permissions Scripts Only

My second questing is. Why does the users/clients get the login
window? Didn't I give the permissions
for anonymous access to the website with above settings?

My third second question which might not belong here but I'm trying:
Does asp pages writing to a database always need the write permission
on the folder & virtual directory?

Many thanks for your reply and attention to this matter on beforehand.
Top

Re: Digest Authentication by Ken

Ken
Sat May 08 05:47:20 CDT 2004

Hi,

If you are using a stand alone server that is not part of a Windows Domain,
then you can not use Digest Authentication. Digest Authentication can only
be used for Domain accounts, which requires the server to be part of a
Windows Domain.

You should not need "Script Source Access", nor Write unless you are using
WebDAV publishing. Otherwise, leaving this on is a security risk.

To enable anonymous access, you need to check the "Allow Anonymous Access"
box. THis means IIS impersonates the configured anonymous user account.
Otherwise, if you turn this off, the user must manually provide user
credentials.

For writing to databases, it depends on the database. If you are talking
about an *access* database, or similar file-based database, then "yes", the
account being impersonated by IIS (Anonymous User, or otherwise) needs
appropriate permissions to the file, and the folder that the file is in. For
Access, the account needs Read and Write, and Creator/Owner should have
"Full Control". There is no requirement that this folder be inside the
webroot. It would be safer to store it outside the Webroot.

Cheers
Ken

"Kim Lots" <nomail@forme.com> wrote in message
news:obbp905mma9l1qe4g53kbkuff3g4jnb8c6@4ax.com...
: Hi
:
: I'm running IIS 5.x on a stand-alone windows 2000 pro connected to the
: internet with all the latest security patches installed and using Zone
: Alarm Pro as firewall. I have no PDC or BDC for that matter.
:
: When I check the box Integrated Windows authentication in the
: authentication window it takes forever to load the asp 3.0 page. But
: when I check the box Basic authentication.. instead the asp pages
: loads almost immediately. The box Digest Authentication is checked but
: grayed out and cannot be changed at least not from this window.
:
: My first question. Am I running an Active Directory Server? As I have
: read that this has something to do with Digest Authentication. I don't
: think so but how can I disable it. And is this the reason for the lag?
:
: Here are the NTFS permissions on the folder which is not buy the way
: is located under wwwroot but on an other partition
:
: Admin full
: IUSR read & execute & write
: IWAM read & execute & write
: NETWORK read & execute
: SYSTEM full
:
:
: Here are some particulars for the Virtual Directory
:
: The designated directory
:
: Scripts source access
: read
: write
:
: This is NOT an application but a more secure folder under the root.
: Execute permissions Scripts Only
:
: My second questing is. Why does the users/clients get the login
: window? Didn't I give the permissions
: for anonymous access to the website with above settings?
:
: My third second question which might not belong here but I'm trying:
: Does asp pages writing to a database always need the write permission
: on the folder & virtual directory?
:
: Many thanks for your reply and attention to this matter on beforehand.
:
:
:
:
:


Top

Re: Digest Authentication by Kim

Kim
Sat May 08 08:37:58 CDT 2004

Hi again!

And thanks for your answer, but I'm nearly giving up and I need your
help pls..

I know I have messed things up. And to correct the whole thing I have
read the instructions
on http://support.microsoft.com/?id=310344 &
http://support.microsoft.com/?id=301457
and followed the instructions at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;271071

But the users still get the ENTER NETWORK PASSWORD dialog box

What is wrong??

Folder properties

Admin full
Creator Owner full
Everyone Read & execute
Internet guest account x\IUSR read write
Launch IIS process Account x\IWAM Read & execute, list, read
NETWORK read & execute
SYSTEM full


IIS 5.x console properties for the virtual directory which is an
application.

Scripts source access
read
write

Directory security tab - edit

Anonymous box checked and anonymous user account x\IUSR with some
password I didn't choose. And basic authen..and integreted windows
boxes NOT checked. But the Digest authentication for windows domain is
checked and outgrayed, but this has no importance according to your
replay

What have I overlooked?

Thanks again






On Sat, 8 May 2004 20:47:20 +1000, "Ken Schaefer"
<kenREMOVE@THISadOpenStatic.com> wrote:

>Hi,
>
>If you are using a stand alone server that is not part of a Windows Domain,
>then you can not use Digest Authentication. Digest Authentication can only
>be used for Domain accounts, which requires the server to be part of a
>Windows Domain.
>
>You should not need "Script Source Access", nor Write unless you are using
>WebDAV publishing. Otherwise, leaving this on is a security risk.
>
>To enable anonymous access, you need to check the "Allow Anonymous Access"
>box. THis means IIS impersonates the configured anonymous user account.
>Otherwise, if you turn this off, the user must manually provide user
>credentials.
>
>For writing to databases, it depends on the database. If you are talking
>about an *access* database, or similar file-based database, then "yes", the
>account being impersonated by IIS (Anonymous User, or otherwise) needs
>appropriate permissions to the file, and the folder that the file is in. For
>Access, the account needs Read and Write, and Creator/Owner should have
>"Full Control". There is no requirement that this folder be inside the
>webroot. It would be safer to store it outside the Webroot.
>
>Cheers
>Ken
>
>"Kim Lots" <nomail@forme.com> wrote in message
>news:obbp905mma9l1qe4g53kbkuff3g4jnb8c6@4ax.com...
>: Hi
>:
>: I'm running IIS 5.x on a stand-alone windows 2000 pro connected to the
>: internet with all the latest security patches installed and using Zone
>: Alarm Pro as firewall. I have no PDC or BDC for that matter.
>:
>: When I check the box Integrated Windows authentication in the
>: authentication window it takes forever to load the asp 3.0 page. But
>: when I check the box Basic authentication.. instead the asp pages
>: loads almost immediately. The box Digest Authentication is checked but
>: grayed out and cannot be changed at least not from this window.
>:
>: My first question. Am I running an Active Directory Server? As I have
>: read that this has something to do with Digest Authentication. I don't
>: think so but how can I disable it. And is this the reason for the lag?
>:
>: Here are the NTFS permissions on the folder which is not buy the way
>: is located under wwwroot but on an other partition
>:
>: Admin full
>: IUSR read & execute & write
>: IWAM read & execute & write
>: NETWORK read & execute
>: SYSTEM full
>:
>:
>: Here are some particulars for the Virtual Directory
>:
>: The designated directory
>:
>: Scripts source access
>: read
>: write
>:
>: This is NOT an application but a more secure folder under the root.
>: Execute permissions Scripts Only
>:
>: My second questing is. Why does the users/clients get the login
>: window? Didn't I give the permissions
>: for anonymous access to the website with above settings?
>:
>: My third second question which might not belong here but I'm trying:
>: Does asp pages writing to a database always need the write permission
>: on the folder & virtual directory?
>:
>: Many thanks for your reply and attention to this matter on beforehand.
>:
>:
>:
>:
>:
>

Top

Re: Digest Authentication by Ken

Ken
Sat May 08 08:47:31 CDT 2004

Please look in the WIndows Event Log (Start -> Settings -> Control Panel ->
Admin Tools -> Event Viewer). Do you see any errors? If so, please post the
Event ID, Event Source and Description.

It sounds like IIS is having problems impersonating the IUSR account, and
because it can't do so, it is asking the user to supply alternate valid
credentials.

a) In IIS, you do not need Script Source or Write permissions unless you
using WebDAV. Enabling these things is a security risk (it allows people to
write files to your server, and access the source code of ASP files etc)

b) the IUSR and IWAM accounts should have NTFS Read (RX) permission only,
not NTFS Write permissions. Easiest thing to do is to just give the
Everyone group Read (RX) permissions.

Cheers
Ken

"Kim Lots" <nomail@forme.com> wrote in message
news:aiop90tn8e3cq1mc7nu1j47qr94ggeci6f@4ax.com...
: Hi again!
:
: And thanks for your answer, but I'm nearly giving up and I need your
: help pls..
:
: I know I have messed things up. And to correct the whole thing I have
: read the instructions
: on http://support.microsoft.com/?id=310344 &
: http://support.microsoft.com/?id=301457
: and followed the instructions at
: http://support.microsoft.com/default.aspx?scid=kb;EN-US;271071
:
: But the users still get the ENTER NETWORK PASSWORD dialog box
:
: What is wrong??
:
: Folder properties
:
: Admin full
: Creator Owner full
: Everyone Read & execute
: Internet guest account x\IUSR read write
: Launch IIS process Account x\IWAM Read & execute, list, read
: NETWORK read & execute
: SYSTEM full
:
:
: IIS 5.x console properties for the virtual directory which is an
: application.
:
: Scripts source access
: read
: write
:
: Directory security tab - edit
:
: Anonymous box checked and anonymous user account x\IUSR with some
: password I didn't choose. And basic authen..and integreted windows
: boxes NOT checked. But the Digest authentication for windows domain is
: checked and outgrayed, but this has no importance according to your
: replay
:
: What have I overlooked?
:
: Thanks again
:
:
:
:
:
:
: On Sat, 8 May 2004 20:47:20 +1000, "Ken Schaefer"
: <kenREMOVE@THISadOpenStatic.com> wrote:
:
: >Hi,
: >
: >If you are using a stand alone server that is not part of a Windows
Domain,
: >then you can not use Digest Authentication. Digest Authentication can
only
: >be used for Domain accounts, which requires the server to be part of a
: >Windows Domain.
: >
: >You should not need "Script Source Access", nor Write unless you are
using
: >WebDAV publishing. Otherwise, leaving this on is a security risk.
: >
: >To enable anonymous access, you need to check the "Allow Anonymous
Access"
: >box. THis means IIS impersonates the configured anonymous user account.
: >Otherwise, if you turn this off, the user must manually provide user
: >credentials.
: >
: >For writing to databases, it depends on the database. If you are talking
: >about an *access* database, or similar file-based database, then "yes",
the
: >account being impersonated by IIS (Anonymous User, or otherwise) needs
: >appropriate permissions to the file, and the folder that the file is in.
For
: >Access, the account needs Read and Write, and Creator/Owner should have
: >"Full Control". There is no requirement that this folder be inside the
: >webroot. It would be safer to store it outside the Webroot.
: >
: >Cheers
: >Ken
: >
: >"Kim Lots" <nomail@forme.com> wrote in message
: >news:obbp905mma9l1qe4g53kbkuff3g4jnb8c6@4ax.com...
: >: Hi
: >:
: >: I'm running IIS 5.x on a stand-alone windows 2000 pro connected to the
: >: internet with all the latest security patches installed and using Zone
: >: Alarm Pro as firewall. I have no PDC or BDC for that matter.
: >:
: >: When I check the box Integrated Windows authentication in the
: >: authentication window it takes forever to load the asp 3.0 page. But
: >: when I check the box Basic authentication.. instead the asp pages
: >: loads almost immediately. The box Digest Authentication is checked but
: >: grayed out and cannot be changed at least not from this window.
: >:
: >: My first question. Am I running an Active Directory Server? As I have
: >: read that this has something to do with Digest Authentication. I don't
: >: think so but how can I disable it. And is this the reason for the lag?
: >:
: >: Here are the NTFS permissions on the folder which is not buy the way
: >: is located under wwwroot but on an other partition
: >:
: >: Admin full
: >: IUSR read & execute & write
: >: IWAM read & execute & write
: >: NETWORK read & execute
: >: SYSTEM full
: >:
: >:
: >: Here are some part