Re: IIS 5.0 with Integrated Window Authentication

From: cc_mofo@hushmail.com
Date: Thu Nov 07 2002 - 16:25:56 EST



Thanks to everyone for the responses. I've gotten APS up and running and it works as advertised, i.e. perfectly. It does of course require that any tool that I use have proxy support (whisker just got proxy support with 2.0, and even then I don't have it working against APS yet).

I understand WebInspect might work, so I will try it once their license squad finishes working me over.

I'll take another look at SPIKE proxy for this at some point---last time I wound up in the weeds (code weeds, that is) trying to track down why/where it didn't work.

On Thu, 07 Nov 2002 11:35:23 -0800 Dave Aitel <dave@immunitysec.com> wrote:
>Hmm. My bastardized SPIKE Proxy NTLM auth does, in fact, work through
>the proxy though.
>
>Client->SPIKE Proxy->Server
>
>Where Client is sending Proxy-Authorization, and SPIKE Proxy is
>translating that into Authorization: and sending it to the server and so
>on. I get access on IIS 5.0, at least.
>
>
>-dave
>
>On Wed, 6 Nov 2002 23:27:54 +0100
>Sebastian Flothow <sebastian@flothow.de> wrote:
>
>> > The goofy three-message exchange that sets up the NTLM security
>> > doesn't seem to make it through the proxy,
>>
>> AFAIK, NTLM _can_ _not_ work through proxies, by design. It seems it
>> includes the client's IP address, which then doesn't match that of the
>> proxy (which is the client from the server's point of view), or
>> something similar.
>>
>>
>> Sebastian
>>
>> --
>> Sebastian Flothow
>> sebastian@flothow.de
>> #include <stddisclaimer.h>
>>
>>
>
>
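The header rewrite Dave describes, sketched as an added example (not SPIKE Proxy's code and not from the original posts): it renames Proxy-Authorization to Authorization on the way to the server and reads the NTLM message type from each token so the three-message exchange can be followed. The response-side mapping (401/WWW-Authenticate to 407/Proxy-Authenticate), the function names, the host iis.example and the tokens are assumptions constructed for illustration.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def ntlm_message_type(value):
    """Name the NTLM message inside an HTTP auth header value, or return None."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(NTLM_SIG):
        return None
    return NTLM_TYPES.get(struct.unpack_from("<I", raw, 8)[0])


def to_server(headers):
    """Request leg, as described in the thread: Proxy-Authorization -> Authorization."""
    return [("Authorization" if k.lower() == "proxy-authorization" else k, v)
            for k, v in headers]


def to_client(status, headers):
    """Response leg (assumed mirror): 401/WWW-Authenticate -> 407/Proxy-Authenticate."""
    out = [("Proxy-Authenticate" if k.lower() == "www-authenticate" else k, v)
           for k, v in headers]
    return (407 if status == 401 else status), out


def sample_token(msg_type):
    # Constructed header value: signature + type + zero padding, no real credentials.
    body = NTLM_SIG + struct.pack("<I", msg_type) + b"\x00" * 8
    return "NTLM " + base64.b64encode(body).decode("ascii")


def trace_handshake():
    """Pass the three messages through the rewrite. NTLM over HTTP authenticates the
    connection, so a proxy must keep all three on one upstream connection."""
    leg1 = to_server([("Host", "iis.example"), ("Proxy-Authorization", sample_token(1))])
    status, leg2 = to_client(401, [("WWW-Authenticate", sample_token(2))])
    leg3 = to_server([("Host", "iis.example"), ("Proxy-Authorization", sample_token(3))])
    seen = [(name, ntlm_message_type(value)) for name, value in leg1 + leg2 + leg3]
    return status, [(name, kind) for name, kind in seen if kind]
```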



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:25 EDT