Re: Web Proxy Authentication Questions

  • From: "Quillman Shawn (RBNA/CIT7)" <Shawn.Quillman@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 22 Oct 2002 07:10:50 -0500

It has more to do with the HTTP protocol specification.  A client will first
send a request without including any authentication.  If authentication is
required, the server, www/proxy/whatever, will send back an authentication
required response (407, 12209, etc).  It then depends on how the client
application is written as to what happens next.  Most clients will see that
response, prompt for authentication from the user, and automatically retry
the request, this time including the authentication header.  MS servers and
IE do this all in the background using Integrated authentication, which is
why people using MS software don't see authentication prompts sometimes.

1) The "web log" can only determine who is making the request if the client
actually sends the authentication with the request.  All major browsers
remember authentication at least until the browser is closed, which is why
you don't see prompts for every request.  They automatically send it with
every request that is made to that particular server.

2) If a site is denied to any request, a 407 is sent; it's the browser that
controls the prompting, not the server.  The server just says that this
action is not allowed without specifying credentials.  The browser could be
written to just return the error instead of prompting, but then you'd never
get logged in without a manual login action.  Again, it's all in the HTTP
specification.

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation RBNA/CIT7
38000 Hills Tech Drive
Farmington Hills, MI  48331
(248) 553-1164 (P)     (248) 848-2855 (F)
shawn.quillman@xxxxxxxxxxxx
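
The challenge-and-retry exchange described above, as an added example that is not part of the original thread: a toy in-memory proxy and client in Python, showing that the log can name a user only on the retry that carries `Proxy-Authorization`. The Basic scheme, the `USERS` table, the URL and all function names are assumptions made for illustration.

```python
import base64
import hmac

# Constructed credential store for the toy proxy (not from the thread).
USERS = {"alice": "s3cret"}

def proxy_handle(request, log):
    """Toy proxy: answer 407 unless a valid Proxy-Authorization is present."""
    user = None
    header = request["headers"].get("Proxy-Authorization", "")
    scheme, _, blob = header.partition(" ")
    if scheme == "Basic" and blob:
        try:
            name, _, pw = base64.b64decode(blob).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            name, pw = "", ""
        expected = USERS.get(name)
        if expected is not None and hmac.compare_digest(
                expected.encode(), pw.encode()):
            user = name
    status = 200 if user else 407
    # The log can only name a user when the request itself carried credentials.
    log.append((user or "anonymous", request["url"], status))
    headers = {} if user else {"Proxy-Authenticate": 'Basic realm="proxy"'}
    return {"status": status, "headers": headers}

def client_fetch(url, log, credentials=None):
    """Toy client: send unauthenticated first, retry once after a 407.

    `credentials` stands in for whatever the browser cached or prompted
    for; None models a client that just returns the error to the user.
    """
    request = {"url": url, "headers": {}}
    response = proxy_handle(request, log)
    if response["status"] == 407 and credentials is not None:
        token = base64.b64encode(":".join(credentials).encode()).decode()
        request["headers"]["Proxy-Authorization"] = "Basic " + token
        response = proxy_handle(request, log)
    return response["status"]

def demo():
    """Run a prompting client and a non-prompting client against one log."""
    log = []
    url = "http://example.test/"  # constructed URL
    prompted = client_fetch(url, log, ("alice", "s3cret"))
    silent = client_fetch(url, log, None)
    return prompted, silent, log
```

Anyone counting 407 entries in such a log should expect one anonymous entry per first request, since it is part of the normal handshake rather than a failed login.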


-----Original Message-----
From: Greg [mailto:GregBrady@xxxxxxxxxx]
Sent: Monday, October 21, 2002 6:19 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Web Proxy Authentication Questions


To put it in simpler terms:
1) If the web logs can determine who makes the request (with outgoing
authentication), then there is no reason for a prompt, as the service knows
whose session it is.
2) If a site is denied to ANY request, why have a prompt at all?  Just
return the 407 error. And for pop-ups, don't even return that.

This isn't a terrible problem, as I am now redirecting to a local page.  It's
more of a "why'd they do that" question.

But thank you Mark.

Greg

----- Original Message -----
From: "Mark" <marcoswelker@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, October 21, 2002 3:26 PM
Subject: [isalist] Re: Web Proxy Authentication Questions


> http://www.ISAserver.org
>
>
> >-Why do users get a logon prompt when a site is denied, but not when it
> > is redirected?
>
> > That's exactly my question. If the site is denied, why is there a
> > prompt?
>
> I see it in this way: since ISA server is redirecting you to another site
> which is not denied, then it would be like if you were going to an allowed
> site in first place. So no prompt.
>
> > Outgoing web requests are authenticated -usernames are recorded in the
> > web logs - so the proxy service knows whose session it is. And if a site
> > is denied to everyone, then a prompt adds no value anyway.
>
> > ISA is sometimes stupid. It prompts you for authentication in a hope for
> > a valid credential.
>
> >>-If the site&Content rules deny AnyRequest (including anonymous), then
> >> why do we get login prompts at all (there is no reason for the web proxy
> >> to require authentication for denied sites)?
>
> >Q297324 rid the recurring logon prompts when opening any allowed site,
> > but NOT when browsing denied sites.
>
> Q297324
> "When a destination set is configured, the client receives an HTTP 407
> error for each domain that is RESTRICTED".
>
> I mean, after you modified the registry, there were no changes?
>
>
> >>-If I turn off Reject http requests from firewall and securenat clients,
> >> are http requests from firewall clients subject to the deny rules in the
> >> site & content rules, and if so, why no prompts?
>
> >Unfortunately, that doesn't use the web proxy service - not in the web
> > log and no caching.
> That's correct. Only Firewall Service.
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Exchange Server Resource Site: http://www.msexchange.org/
> Windows Security Resource Site: http://www.windowsecurity.com/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> gregbrady@xxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')



