
Intercepting Kerberos Authenticated Web App Traffic

From: Douglas, Andrew (NZ - Wellington) <andouglas(at)deloitte.co.nz>
Date: Fri Jul 11 2003 - 08:14:33 EDT

Hi All,

Anyone had any luck successfully using an intercepting proxy (such as Exodus, WebProxy, etc.) on Kerberos authenticated web apps? I'm trying to get this going for a web app running on IIS 5.0 with IE 6.0 clients. The application is using a Win2k domain KDC for issuing tickets. The application works fine if you don't have a proxy turned on in the browser, but does not work at all if you do.

The Kerberos HTTP authentication process seems to do a similar sort of "handshake" as NTLM. The basic process when not using a proxy looks something like this (at a simple level):

  1. Client -> Issues Get/Post Request
  2. Server -> Sends a 401 Unauthenticated with WWW-Authenticate: Negotiate
  3. Client -> Issues Get/Post request with Authorisation: Negotiate *authentication string*
  4. Server -> Sends a 401 Unauthenticated with WWW-Authenticate: Negotiate *longer authentication string*
  5. Client -> Issues Get/Post request with Authorisation: Negotiate *longer authentication string*
  6. Server -> Sends 200 Ok

If I switch IE into using an intercepting proxy then at step 3 above IE simply complains that the user is unauthorised. I've been able to get part way into the handshake by using Exodus's excellent response interception to make sure that the additional header "Proxy-Support: Session-Based-Authentication" is supplied to the client. This gets me to step 5 above but then IE just complains that it is unable to display a page and does not issue the step 5 request.

Any thoughts would be much appreciated.

Andrew Douglas
Senior Consultant
Enterprise Risk Services
Deloitte Touche Tohmatsu



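An added example, not part of Andrew's post: a small Python classifier for the base64 token carried in the Negotiate headers of steps 3 to 5, so that someone inspecting the proxied exchange can tell whether a given header carries an SPNEGO-wrapped Kerberos token, a raw Kerberos token, a server-side SPNEGO continuation, or an NTLM message (which would mean the client fell back from Kerberos). The sample header values are constructed for the example, not captured traffic.

```python
import base64
# Mechanism OIDs that appear in GSS-API / SPNEGO tokens (RFC 2743, RFC 4178, MS-SPNG).
KNOWN_OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos (legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

def decode_oid(raw: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:        # high bit clear ends a base-128 encoded arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def classify_negotiate(header_value: str) -> str:
    """Report which mechanism a 'Negotiate <base64>' header value carries."""
    scheme, _, token_b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token_b64:
        return "no token"
    token = base64.b64decode(token_b64)
    if token.startswith(b"NTLMSSP\x00"):
        return "NTLMSSP"         # raw NTLM message sent under the Negotiate scheme
    if token[:1] == b"\xa1":
        return "SPNEGO response (NegTokenResp)"   # server-side continuation token
    if token[:1] != b"\x60":
        return "unknown"         # not a GSS-API InitialContextToken (RFC 2743 3.1)
    pos = 2                      # skip the [APPLICATION 0] tag and its DER length
    if token[1] & 0x80:
        pos += token[1] & 0x7F   # long-form length: that many extra length octets
    if token[pos:pos + 1] != b"\x06":
        return "unknown"
    oid_len = token[pos + 1]
    oid = decode_oid(token[pos + 2:pos + 2 + oid_len])
    return KNOWN_OIDS.get(oid, f"unknown mechanism OID {oid}")

def _header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode()
# Constructed sample header values (not captured traffic): the mechanism OID is real,
# the token bytes after it are placeholders.
SAMPLES = {
    "spnego_init": _header(b"\x60\x0a\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x00"),
    "krb5_raw": _header(b"\x60\x0b\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"),
    "ntlm_type1": _header(b"NTLMSSP\x00\x01\x00\x00\x00"),
    "spnego_resp": _header(b"\xa1\x05\x30\x03\xa0\x01\x00"),
}
```

Feed it the real Authorization and WWW-Authenticate values captured by the proxy at each step; a client that shows "NTLMSSP" at step 3 never obtained a Kerberos service ticket for the proxied hostname.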
Received on Fri Jul 11 17:25:10 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:53 EDT
