Posted to dev@httpd.apache.org by Martin Kraemer <Ma...@Fujitsu-Siemens.com> on 2001/09/17 16:22:45 UTC
WWW-Authenticate: Negotiate
I just noticed a feature of IIS 5.0 which is (if I am correct)
impossible to do with Apache (1.3/2.0), albeit very useful. It
is the possibility to use multiple authentication schemes
in parallel, with the client selecting the most appropriate
version.
Without much explanation, here's a response header of IIS5 for a
request requiring authentication:
HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/5.0
Date: Mon, 17 Sep 2001 14:01:05 GMT
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="my.fsc.net"
Set-Cookie: RQFW={CC8D82ED-2EC6-446D-8013-68DA01CFE353}; path=/;
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1509
For Apache, the alternatives "Basic" and "Digest" would be more appropriate,
of course. But AFAICS Apache does not allow for accepting multiple
schemes alternatively.
In RFC2617, I find a reference of multiple WWW-Authenticate headers:
> 4.6 Weakness Created by Multiple Authentication Schemes
>
> An HTTP/1.1 server may return multiple challenges with a 401 (Authenticate) response, and each challenge may use a different auth-scheme. A user agent MUST choose to use the
> strongest auth-scheme it understands and request credentials from the user based upon that challenge.
>
> Note that many browsers will only recognize Basic and will require that it be the first auth-scheme presented. Servers should only include Basic if it is minimally acceptable.
>
> When the server offers choices of authentication schemes using the WWW-Authenticate header, the strength of the resulting authentication is only as good as that of the
> weakest of the authentication schemes. See section 4.8 below for discussion of particular attack scenarios that exploit multiple authentication schemes.
Now my question is:
* is this feature standardized? (The first "WWW-Authenticate: Negotiate"
looks fishy to me)
* how could Apache be configured to support multiple auth schemes for
a given resource in parallel? Currently, "AuthType Digest" allows
only one argument, and using it multiple times just replaces the
current setting.
Martin
--
<Ma...@Fujitsu-Siemens.com> | Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730 Munich, Germany
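The client-side rule quoted above from RFC 2617 section 4.6 (pick the strongest auth-scheme you understand, whatever order the challenges arrive in) and its server-side caveat (the offer is only as strong as its weakest scheme) can be made concrete with a small parser. The following is an added example for this thread, not code from Apache or from the original poster; the strength ranking Negotiate > Digest > NTLM > Basic is an assumption of the example, and the sample 401 response is constructed after the IIS 5.0 reply shown above.

```python
"""Pick the strongest WWW-Authenticate challenge a client understands (RFC 2617 s.4.6)."""
import re
from typing import Dict, List, Optional, Tuple

Challenge = Tuple[str, Dict[str, str]]

# Illustrative strength ranking (higher = stronger). This ordering is an
# assumption of this example: RFC 2617 only says the user agent MUST take the
# strongest scheme it understands, it does not rank the schemes for you.
SCHEME_STRENGTH: Dict[str, int] = {"basic": 0, "ntlm": 1, "digest": 2, "negotiate": 3}

# Constructed sample, modelled on the IIS 5.0 response quoted in the thread.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="my.fsc.net"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PARAM = re.compile(rf'({_TOKEN})\s*=\s*("(?:[^"\\]|\\.)*"|{_TOKEN})')


def www_authenticate_values(raw_response: str) -> List[str]:
    """Return every WWW-Authenticate header value, in wire order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            values.append(value.strip())
    return values


def _split_commas_outside_quotes(value: str) -> List[str]:
    segments, current, in_quotes, escaped = [], [], False, False
    for ch in value:
        if escaped:
            current.append(ch); escaped = False
        elif ch == "\\" and in_quotes:
            current.append(ch); escaped = True
        elif ch == '"':
            current.append(ch); in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            segments.append("".join(current)); current = []
        else:
            current.append(ch)
    segments.append("".join(current))
    return [s.strip() for s in segments if s.strip()]


def split_challenges(value: str) -> List[str]:
    """One header value may carry several comma-separated challenges. A segment
    whose first word has no '=' starts a new challenge (it is a scheme name);
    any other segment is a parameter belonging to the previous challenge."""
    challenges: List[str] = []
    for seg in _split_commas_outside_quotes(value):
        first_word = seg.split(None, 1)[0]
        if "=" in first_word and challenges:
            challenges[-1] += ", " + seg
        else:
            challenges.append(seg)
    return challenges


def parse_challenge(text: str) -> Challenge:
    """Split 'Scheme param=value, ...' into (scheme, {param: value})."""
    scheme, _, rest = text.strip().partition(" ")
    rest = rest.strip()
    params: Dict[str, str] = {}
    for m in _PARAM.finditer(rest):
        raw = m.group(2)
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape quoted-string
        params[m.group(1).lower()] = raw
    if rest and not params:
        params["token68"] = rest  # opaque blob, e.g. a Negotiate/NTLM token
    return scheme, params


def all_challenges(raw_response: str) -> List[Challenge]:
    return [parse_challenge(c)
            for value in www_authenticate_values(raw_response)
            for c in split_challenges(value)]


def choose_scheme(raw_response: str, understood=frozenset(SCHEME_STRENGTH)) -> Optional[Challenge]:
    """RFC 2617 s.4.6 client rule: strongest understood scheme, regardless of header order."""
    usable = [c for c in all_challenges(raw_response) if c[0].lower() in understood]
    if not usable:
        return None
    return max(usable, key=lambda c: SCHEME_STRENGTH[c[0].lower()])


def weakest_offered(raw_response: str) -> Optional[str]:
    """RFC 2617 s.4.6 server caveat: the offer is only as strong as its weakest
    scheme, since a client that understands nothing better will use that one."""
    names = [c[0] for c in all_challenges(raw_response) if c[0].lower() in SCHEME_STRENGTH]
    return min(names, key=lambda n: SCHEME_STRENGTH[n.lower()]) if names else None


if __name__ == "__main__":
    print("chosen:", choose_scheme(SAMPLE_401))
    print("chosen by a Basic/Digest-only client:", choose_scheme(SAMPLE_401, {"basic", "digest"}))
    print("weakest offered:", weakest_offered(SAMPLE_401))
```

Run stand-alone it reports Negotiate as the pick for a client that understands all four schemes, Basic for a client limited to Basic/Digest, and Basic as the weakest scheme on offer, which is exactly why section 4.6 says to include Basic only when it is minimally acceptable.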
Re: WWW-Authenticate: Negotiate
Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Martin Kraemer wrote:
>
> I just noticed a feature of IIS 5.0 which is (if I am correct)
> impossible to do with Apache (1.3/2.0), albeit very useful. It
> is the possibility to use multiple authentication schemes
> in parallel, with the client selecting the most appropriate
> version.
Someone submitted a patch, or at least a discussion of the
subject, to new-httpd about two years ago ISTR. I would like
to see the capability in the server, since it will help
digest deploy (as well as being more secure).
--
#ken P-)}
Ken Coar, Sanagendamgagwedweinini http://Golux.Com/coar/
Author, developer, opinionist http://Apache-Server.Com/
"All right everyone! Step away from the glowing hamburger!"
Re: WWW-Authenticate: Negotiate
Posted by Dirk-Willem van Gulik <di...@covalent.net>.
Did not someone make a patch for this early after the feature was in IE 4?
Dw
On Mon, 17 Sep 2001, Martin Kraemer wrote:
> I just noticed a feature of IIS 5.0 which is (if I am correct)
> impossible to do with Apache (1.3/2.0), albeit very useful. It
> is the possibility to use multiple authentication schemes
> in parallel, with the client selecting the most appropriate
> version.
>
> Without much explanation, here's a response header of IIS5 for a
> request requiring authentication:
>
> HTTP/1.1 401 Unauthorized
> Server: Microsoft-IIS/5.0
> Date: Mon, 17 Sep 2001 14:01:05 GMT
> WWW-Authenticate: Negotiate
> WWW-Authenticate: NTLM
> WWW-Authenticate: Basic realm="my.fsc.net"
> Set-Cookie: RQFW={CC8D82ED-2EC6-446D-8013-68DA01CFE353}; path=/;
> Cache-Control: private
> Content-Type: text/html; charset=utf-8
> Content-Length: 1509
>
> For Apache, the alternatives "Basic" and "Digest" would be more appropriate,
> of course. But AFAICS Apache does not allow for accepting multiple
> schemes alternatively.
>
> In RFC2617, I find a reference of multiple WWW-Authenticate headers:
>
> > 4.6 Weakness Created by Multiple Authentication Schemes
> >
> > An HTTP/1.1 server may return multiple challenges with a 401 (Authenticate) response, and each challenge may use a different auth-scheme. A user agent MUST choose to use the
> > strongest auth-scheme it understands and request credentials from the user based upon that challenge.
> >
> > Note that many browsers will only recognize Basic and will require that it be the first auth-scheme presented. Servers should only include Basic if it is minimally acceptable.
> >
> > When the server offers choices of authentication schemes using the WWW-Authenticate header, the strength of the resulting authentication is only as good as that of the
> > weakest of the authentication schemes. See section 4.8 below for discussion of particular attack scenarios that exploit multiple authentication schemes.
>
> Now my question is:
>
> * is this feature standardized? (The first "WWW-Authenticate: Negotiate"
> looks fishy to me)
>
> * how could Apache be configured to support multiple auth schemes for
> a given resource in parallel? Currently, "AuthType Digest" allows
> only one argument, and using it multiple times just replaces the
> current setting.
>
> Martin
>