WebApp Sec mailing list archives
Re: IIS 5.0 with Integrated Window Authentication
From: cc_mofo () hushmail com
Date: Thu, 7 Nov 2002 13:25:56 -0800
-----BEGIN PGP SIGNED MESSAGE----- Thanks to everyone for the responses. I've gotten APS up and running and it works as advertised, i.e. perfectly. It does of course require that any tool that I use have proxy support (whisker just got proxy support with 2.0, and even then I don't have it working against APS yet). I understand WebInspect might work, so I will try it once their license squad finishes working me over. I'll take another look at SPIKE proxy for this at some point---last time I wound up in the weeds (code weeds, that is) trying to track down why/where it didn't work. On Thu, 07 Nov 2002 11:35:23 -0800 Dave Aitel <dave () immunitysec com> wrote:
Hmm. My basterdized SPIKE Proxy NTLM auth does, in fact, work through the proxy though. Client->SPIKE Proxy->Server Where Client is sending Proxy-Authorization, and SPIKE Proxy is translating that into Authorization: and sending it to the server and so on. I get access on IIS 5.0, at least. -dave On Wed, 6 Nov 2002 23:27:54 +0100 Sebastian Flothow <sebastian () flothow de> wrote:The goofy three-message exchange that sets up the NTLM security doesn't seem to make it through the proxy,AFAIK, NTLM _can_ _not_ work through proxies, by design. It seemsitincludes the client's IP address, which then doesn't match thatof theproxy (which is the client from the server's point of view), orsomething similar. Sebastian -- Sebastian Flothow sebastian () flothow de #include <stddisclaimer.h>
-----BEGIN PGP SIGNATURE----- Version: Hush 2.2 (Java) Note: This signature can be verified at https://www.hushtools.com/verify wlwEARECABwFAj3K2l4VHGNjX21vZm9AaHVzaG1haWwuY29tAAoJEDsVajchvitlG1UA n3OnlWLqIPN1J6P7C7wSmyE+ar1oAKC3pdzrRnmMiNUI9p+by7xyLHJuNA== =cZMw -----END PGP SIGNATURE----- Get your free encrypted email at https://www.hushmail.com
Current thread:
- IIS 5.0 with Integrated Window Authentication cc_mofo (Nov 06)
- Re: IIS 5.0 with Integrated Window Authentication Haroon Meer (Nov 06)
- RE: IIS 5.0 with Integrated Window Authentication Jason Coombs (Nov 07)
- Re: IIS 5.0 with Integrated Window Authentication Dave Aitel (Nov 07)
- Re: [Spike] Re: IIS 5.0 with Integrated Window Authentication Dave Aitel (Nov 08)
- RE: IIS 5.0 with Integrated Window Authentication Jason Coombs (Nov 07)
- Re: IIS 5.0 with Integrated Window Authentication Haroon Meer (Nov 06)
- Re: IIS 5.0 with Integrated Window Authentication Sebastian Flothow (Nov 07)
- Re: IIS 5.0 with Integrated Window Authentication sunzi (Nov 07)
- Re: IIS 5.0 with Integrated Window Authentication Dave Aitel (Nov 07)
- <Possible follow-ups>
- RE: IIS 5.0 with Integrated Window Authentication Michael Howard (Nov 06)
- Re: IIS 5.0 with Integrated Window Authentication cc_mofo (Nov 08)
- Re: IIS 5.0 with Integrated Window Authentication cc_mofo (Nov 13)