The IIS Basic Authentication Problem

The Problem

Did you know that basic authentication in IIS authenticates HTTP connections, not HTTP requests?

It is well known that Windows Integrated Authentication (NTLM and SPNEGO) authenticates HTTP connections rather than each HTTP request, but it has come to my attention that the same applies to HTTP basic authentication on IIS. This bug breaks most HTTP reverse proxies and intermediaries that share or aggregate backend HTTP connections: a connection that one client authenticated on can be handed to a request from a different client, and the backend will serve that request as the first user.

When this bug applies to an Orenosp environment, you could see one or more of the following problems: In my testing, this bug does seem to have been fixed in IIS 6.0, but please read the following section.

Applicable Systems

This problem has been observed by third parties on at least IIS 5.0 and IIS 5.1. I have observed this problem on IIS 5.0 but NOT on IIS 6.0. However, Microsoft KB323574 suggests that this problem is also applicable to IIS 5.0, 5.1 and 6.0. To prevent any security problems, from now on Orenosp will assume that all IIS versions, and all other HTTP servers as well, are broken in this regard and will take corrective action.

Orenosp version 0.8.0 will include a fix to work around this problem still maintaining aggregated backend connections.

Internals

Orenosp maintains a central pool of cached backend connections to improve performance. All backend connections are stored in this pool except for connections on which Windows Integrated Authentication (NTLM/SPNEGO) activity was observed. Those NTLM/SPNEGO connections are treated differently in that they are attached to the client connection, not to the central pool.

One way to combat this bug would be for Orenosp to treat all IIS connections as NTLM/SPNEGO connections and not cache them globally. However, doing so would forfeit a large performance win in Orenosp. Since basic authentication is simple and clearly defined (unlike NTLM/SPNEGO authentication), Orenosp can group basic-auth'ed connections per authenticated user and restrict the reuse scope to that user. In other words, Orenosp will use the (server, username) pair, rather than just (server), as the cache key. This will be implemented in 0.8.0 and enabled for all basic-auth'ed backend connections. It will be effective for all kinds of backend servers, not just IIS.
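The pooling logic described in the two paragraphs above, as an added Python sketch that is not Orenosp's own code. It models a backend that authenticates connections (a constructed stand-in for the IIS behaviour, with constructed credentials "alice"/"s3cret"), a connection pool keyed either by (server) or by (server, username) with NTLM/Negotiate connections never returned to the pool, and a two-request scenario showing that with the shared key an anonymous request is served as the previously authenticated user, while the per-user key keeps it unauthenticated. The class and function names are this example's own assumptions.

```python
import base64
from collections import defaultdict, deque


def parse_basic(authorization):
    """Return (username, password) from a Basic Authorization header value,
    or None if the header is absent, uses another scheme, or is malformed."""
    if not authorization:
        return None
    scheme, _, param = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def basic_header(username, password):
    """Build a Basic Authorization header value (used to construct test traffic)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("latin-1")).decode()


class ConnectionAuthBackend:
    """Constructed stand-in for a server with the IIS behaviour described above:
    once a connection has carried valid Basic credentials, later requests on
    that same connection are served as that user even with no header at all."""

    def __init__(self, users):
        self.users = users          # constructed {username: password}
        self.auth_user = {}         # conn_id -> username bound to the connection

    def handle(self, conn_id, authorization):
        creds = parse_basic(authorization)
        if creds is not None:
            user, password = creds
            if self.users.get(user) != password:
                return 401, None
            self.auth_user[conn_id] = user          # the connection is now "logged in"
            return 200, user
        user = self.auth_user.get(conn_id)          # no header: inherit connection state
        return (200, user) if user else (401, None)


class BackendPool:
    """Idle-connection pool. With per_user=False the key is (server,) and any
    request may reuse any idle connection; with per_user=True the key is
    (server, basic-auth username), and NTLM/Negotiate connections are never
    pooled because they must stay attached to the client connection."""

    def __init__(self, per_user):
        self.per_user = per_user
        self._idle = defaultdict(deque)
        self._next_id = 0
        self.closed = 0

    def _key(self, server, authorization):
        if not self.per_user:
            return (server,)
        scheme = (authorization or "").partition(" ")[0].lower()
        if scheme in ("ntlm", "negotiate"):
            return None                              # not shareable at all
        creds = parse_basic(authorization)
        return (server, creds[0] if creds else None)

    def acquire(self, server, authorization):
        key = self._key(server, authorization)
        if key is not None and self._idle[key]:
            return self._idle[key].popleft()
        self._next_id += 1                           # open a fresh backend connection
        return self._next_id

    def release(self, server, authorization, conn_id):
        key = self._key(server, authorization)
        if key is None:
            self.closed += 1                         # NTLM/SPNEGO: never return to pool
        else:
            self._idle[key].append(conn_id)


def simulate(per_user):
    """Alice authenticates, then an anonymous request follows through the same
    proxy. Returns the backend's (status, user-as-seen-by-backend) per request."""
    backend = ConnectionAuthBackend({"alice": "s3cret"})   # constructed credentials
    pool = BackendPool(per_user)
    alice = basic_header("alice", "s3cret")
    results = []
    for authorization in (alice, None):
        conn = pool.acquire("iis-backend", authorization)
        results.append(backend.handle(conn, authorization))
        pool.release("iis-backend", authorization, conn)
    return results


if __name__ == "__main__":
    print("shared pool  :", simulate(per_user=False))   # anonymous request served as alice
    print("per-user pool:", simulate(per_user=True))    # anonymous request gets 401
```

The per-user key only helps if the username is taken from the request actually being forwarded, so a request with no Authorization header lands on the (server, None) bucket and can never pick up a connection that someone else authenticated.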

Links


Created on 2004/11/2