Re: IIS 5.0 with Integrated Window Authentication

From: cc_mofoat_private
Date: Thu Nov 07 2002 - 13:25:56 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    
    Thanks to everyone for the responses.  I've gotten APS up and running and it works as advertised, i.e. perfectly.  It does of course require that any tool that I use have proxy support (whisker just got proxy support with 2.0, and even then I don't have it working against APS yet).
    
    I understand WebInspect might work, so I will try it once their license squad finishes working me over.
    
    I'll take another look at SPIKE proxy for this at some point---last time I wound up in the weeds (code weeds, that is) trying to track down why/where it didn't work.
    
    On Thu, 07 Nov 2002 11:35:23 -0800 Dave Aitel <daveat_private> wrote:
    >Hmm. My bastardized SPIKE Proxy NTLM auth does, in fact, work through
    >the proxy though.
    >
    >Client->SPIKE Proxy->Server
    >
    >Where Client is sending Proxy-Authorization, and SPIKE Proxy is
    >translating that into Authorization: and sending it to the server
    >and so on. I get access on IIS 5.0, at least.
    >
    >
    >-dave
    >
    >On Wed, 6 Nov 2002 23:27:54 +0100
    >Sebastian Flothow <sebastianat_private> wrote:
    >
    >> > The goofy three-message exchange that sets up the NTLM security
    >> > doesn't seem to make it through the proxy,
    >>
    >> AFAIK, NTLM _can_ _not_ work through proxies, by design. It seems it
    >> includes the client's IP address, which then doesn't match that of the
    >> proxy (which is the client from the server's point of view), or
    >> something similar.
    >>
    >>
    >> Sebastian
    >>
    >> --
    >> Sebastian Flothow
    >> sebastianat_private
    >> #include <stddisclaimer.h>
    >>
    >>
    >
    >
    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.2 (Java)
    Note: This signature can be verified at https://www.hushtools.com/verify
    
    wlwEARECABwFAj3K2l4VHGNjX21vZm9AaHVzaG1haWwuY29tAAoJEDsVajchvitlG1UA
    n3OnlWLqIPN1J6P7C7wSmyE+ar1oAKC3pdzrRnmMiNUI9p+by7xyLHJuNA==
    =cZMw
    -----END PGP SIGNATURE-----
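
The header translation described in the quoted reply above (Client->SPIKE Proxy->Server), as an added sketch that is not SPIKE Proxy's code and not part of the original message. The function names, the host `iis.example`, and the reverse 401-to-407 mapping are assumptions; the tokens are constructed and carry only the NTLMSSP signature and message-type field.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def ntlm_message_type(header_value):
    """Name the NTLM message carried in an HTTP auth header value, else None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        return None  # e.g. a bare "NTLM" offer with no token yet
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian type field
    return NTLM_TYPES.get(msg_type)

def to_server(headers):
    """Client->proxy request headers rewritten for the proxy->server hop."""
    out = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    for name in list(out):
        if name.lower() == "proxy-authorization":
            out["Authorization"] = out.pop(name)
    return out

def to_client(status, headers):
    """Assumed reverse mapping: a server 401 challenge becomes a proxy 407."""
    if status != 401:
        return status, dict(headers)
    out = {}
    for name, value in headers.items():
        key = "Proxy-Authenticate" if name.lower() == "www-authenticate" else name
        out[key] = value
    return 407, out

def _token(msg_type):
    # Constructed sample: signature + type only, not a full NTLM message.
    raw = b"NTLMSSP\x00" + struct.pack("<I", msg_type)
    return "NTLM " + base64.b64encode(raw).decode()

def trace_handshake():
    """Run a constructed three-message exchange through both rewrites."""
    req1 = to_server({"Host": "iis.example", "Proxy-Authorization": _token(1)})
    status, resp = to_client(401, {"WWW-Authenticate": _token(2)})
    req3 = to_server({"Host": "iis.example", "Proxy-Authorization": _token(3)})
    seen = [req1["Authorization"], resp["Proxy-Authenticate"], req3["Authorization"]]
    return status, [ntlm_message_type(v) for v in seen]
```

The sketch only rewrites and labels headers; it assumes the proxy carries all three messages over one kept-alive connection to the server.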



    This archive was generated by hypermail 2b30 : Sat Nov 09 2002 - 00:27:37 PST