RE: Web Client Requests

• From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
• To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
• Date: Fri, 27 Jan 2006 14:23:40 -0800

sbs2k@xxxxxxxxxxxxxxx

The point is that:
1. the clients know diddly (and maybe even squat) about the way the proxy is 
configured
2. unless the client is using proxy:keepalive in the client-to-proxy 
connection, each request is an introduction between the client and the proxy 

Thus, each new connection between the client and proxy incurs a new 
authentication requirement and the ball starts bouncing all over again.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Friday, January 27, 2006 14:11
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Web Client Requests

Which forum? 

 

So here is where I get confused. If my web listener allows both 
non-authenticated and authenticated requests, then why after I allow 
non-authenticated access does ISA ever require authentication? Won't everything 
then be accepted with authentication?

 

Amy

 

________________________________

From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx]
Sent: Friday, January 27, 2006 3:38 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Web Client Requests

 

Hey guys, im forwarding this message on behalf of Jim. He posted it to another 
list and true to form it was too good an explanation not to impart on the 
masses (or the cheesemakers).

 

This traces the path of your IE (or other) http requests and explains why you 
will always see anonymous requests in your web logs. Thanks Jim

 

Greg Mulholland


>>>>>>>>>>>>>>

Correct - all web clients do exactly that.
This is also why the logs will forever contain anonymous requests even if all 
you allow are authenticated connections, because ISA will log those denied 
anonymous requests.

What you can't tell from the logs is what happens after that in detail.
This requires a bit of Netmon (or Ethereal, if you swing that way) sleuthing.

Here's the bouncing ball:

** Client, he say:
GET http://www.isaserver.org/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
application/x-shockwave-flash, application/vnd.ms-excel, 
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 
1.1.4322; InfoPath.1)
Host: www.isaserver.org
Proxy-Connection: Keep-Alive

** ISA, she say:
HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires 
authorization to fulfill the request. Access to the Web Proxy service is 
denied.  )
Via: 1.1 HEARTOFGOLD
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 4113 

..note - the ISA in this case (as in yours, probably) logged this request as 
anonymous and responded saying that it allowed three authentication methods: 
Negotiate, Kerberos and NTLM.  These are the default auth methods for any ISA 
installation (including SBS).

** Client, he say:
GET http://www.isaserver.org/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
application/x-shockwave-flash, application/vnd.ms-excel, 
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 
1.1.4322; InfoPath.1)
Host: www.isaserver.org
Proxy-Connection: Keep-Alive
Proxy-Authorization: NTLM
TlRMTVNTUAABAAAAB7IIogQABAAzAAAACwALACgAAAAFASgKAAAAD0ZPUkRQUkVGRUNUSE9N
RQ==

Note that the client chose NTLM auth and passed the first part of the handshake 
in Base-64 encoding.  Not to worry, this isn't like Basic, which is base-64 
encoded plain text; this is base-64 encoded encrypted information.  ISA also 
logs this request as anonymous.

** ISA, she say:
HTTP/1.1 407 Proxy Authentication Required ( Access is denied.  )
Via: 1.1 HEARTOFGOLD
Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAACAAIADgAAAAFgomiWWcfZe6QNCsAAAAAAAAAALQAtABAAAAABQLODgAA
AA9IAE8ATQBFAAIACABIAE8ATQBFAAEAFgBIAEUAQQBSAFQATwBGAEcATwBMAEQABAAiAGgA
bwBtAGUALgBqAGEAbABvAGoAYQBzAGgALgBvAHIAZwADADoAaABlAGEAcgB0AG8AZgBnAG8A
bABkAC4AaABvAG0AZQAuAGoAYQBsAG8AagBhAHMAaAAuAG8AcgBnAAUAIgBoAG8AbQBlAC4A
agBhAGwAbwBqAGEAcwBoAC4AbwByAGcAAAAAAA==
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 0  

Note that ISA also passed some NTLM data back to the client - this is part and 
parcel to NTLM authentication even outside of HTTP

** Client, he say:
GET http://www.isaserver.org/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
application/x-shockwave-flash, application/vnd.ms-excel, 
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 
1.1.4322; InfoPath.1)
Host: www.isaserver.org
Proxy-Connection: Keep-Alive
Proxy-Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAG4AAAAYABgAhgAAAAgACABIAAAACAAIAFAAAAAWABYAWAAAAAAA
AACeAAAABYKIogUBKAoAAAAPSABPAE0ARQBKAGkAbQBIAEYATwBSAEQAUABSAEUARgBFAEMA
VABunrbKxTfLxwAAAAAAAAAAAAAAAAAAAABNhP8BkKK3ZR1MXfC2h14+Q4IQaVlWRH8=


Note that the client passes the remaining part of the NTLM handshake - if ISA 
can resolve the credentials passed by the client during this process, all will 
be FD&H.

** ISA, she say:
HTTP/1.1 200 OK
Proxy-Connection: Keep-Alive
Connection: Keep-Alive
Content-Length: 40936
Via: 1.1 HEARTOFGOLD
Date: Fri, 27 Jan 2006 05:49:15 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDCCRRSRBC=EIBLFICAIMCPFBFCEKFFKBEA; path=/
Cache-control: private

This is where access is allowed (200 response).

You should note that I haven't included anything that may have been passed in 
the HTTP body - it's not important to this discussion and only makes for an 
unweildy thread.

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!


All mail to and from this domain is GFI-scanned.

Other related posts:

• » Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests
• » RE: Web Client Requests

1. Home
2. isalist
3. Archive
4. 01-2006

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---