IIS 5 has a bug that blocks Digest Authentication from browsers that follow the standard strictly.
This was fixed in IIS 6.
But for all the IIS 5 server admins out there, this is small comfort.
Especially since IE7 is going to display a security warning for Basic Authentication.
So on the advice of Microsoft Product Support Services, I have written a small ISAPI filter to work around this bug in IIS 5.
If you have an IIS 5 server, and want to offer Digest Authentication to non-IE browsers, this may be of use to you.
I offer this to anyone who wants to use it, with no obligation.
Caveat: if it hoses your server, I claim no responsibility. Bear in mind that once an ISAPI is loaded successfully, IIS won't release the lock on the DLL until you restart the IIS Admin service.
In the interests of early release, there are some known issues...
The design isn't the prettiest. For example, strlen(FIND_IN_HEADER) is calculated on every request, even though that's a constant string. (Hopefully the compiler is smart enough to optimize that one out.)
I used the MFC ISAPI wizard, but I'm not sure whether the MFC bit is necessary. So this could probably be lightened up.
The rewriter doesn't check to see whether the Authorization: header is really a Digest header (should start with Digest.) This would be an easy fix... I'll implement it soon.
EDIT 4/17/2006
* Removed MFC stuff after reading David Wang's unrecommendation of MFC ISAPIs
* Check that header begins with "Digest "
* Change algorithm=MD5 -> algorithm="MD5" as well as qop=auth -> qop="auth"
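
The header rewrite listed in the edit notes above (check for the "Digest " prefix, then quote the algorithm and qop values), sketched as a stand-alone C function. This is an added example, not the filter's actual source: the function names and the sample header are constructed, parameter names are matched case-sensitively, and the ISAPI plumbing is left out.

```c
#include <stdio.h>
#include <string.h>

/* Length of `name=` if p starts a bare (unquoted) value for name, else 0. */
static size_t match_param(const char *p, const char *name) {
    size_t n = strlen(name);
    return (strncmp(p, name, n) == 0 && p[n] == '=' && p[n + 1] != '"') ? n + 1 : 0;
}

/* Copy in to out, quoting bare algorithm= and qop= values.
 * Returns 1 on success, 0 if not a Digest header (out untouched), -1 if out is too small. */
int quote_digest_params(const char *in, char *out, size_t outsz) {
    static const char *names[] = { "algorithm", "qop" };
    size_t o = 0;
    int in_quotes = 0, at_boundary = 0;

    if (strncmp(in, "Digest ", 7) != 0) return 0;   /* leave other schemes alone */

    for (const char *p = in; *p; ) {
        size_t skip = 0;
        if (!in_quotes && at_boundary)               /* only at the start of a parameter */
            for (size_t i = 0; i < 2 && !skip; i++) skip = match_param(p, names[i]);
        if (skip) {
            size_t vlen = strcspn(p + skip, ", \t\r\n");    /* bare token value */
            if (o + skip + vlen + 3 > outsz) return -1;     /* two quotes + NUL */
            memcpy(out + o, p, skip);        o += skip;
            out[o++] = '"';
            memcpy(out + o, p + skip, vlen); o += vlen;
            out[o++] = '"';
            p += skip + vlen;
            at_boundary = 0;
            continue;
        }
        if (o + 3 > outsz) return -1;                /* up to two chars + NUL */
        if (in_quotes && *p == '\\' && p[1]) out[o++] = *p++;   /* keep escaped char */
        else if (*p == '"') in_quotes = !in_quotes;
        at_boundary = !in_quotes && (*p == ' ' || *p == ',' || *p == '\t');
        out[o++] = *p++;
    }
    out[o] = '\0';
    return 1;
}

int main(void) {
    char out[256];
    const char *hdr = "Digest username=\"bob\", algorithm=MD5, qop=auth";  /* constructed sample */
    if (quote_digest_params(hdr, out, sizeof out) == 1) puts(out);
    return 0;
}
```

Text inside quoted values is copied untouched, so a `uri` that happens to contain `qop=auth` is not altered; the uri is part of what the client hashed into its response.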