Digest authentication problem (General questions)
Hi,
I have a test web server that can be accessed using either basic or digest authentication.
Access to the server is via a Proxy, and so I have set up the client component to do automatic Proxy authentication.
On the client I then set the authentication type, username and password.
When the client connects using Basic authentication I see all the correct packets being sent / received for both the proxy and basic authentication, and the page is correctly displayed.
When I try the same test using Digest authentication everything seems to be going ok to begin with, the server asks for Digest authentication and the client automatically generates the correct responses. The problem occurs when the proxy demands authentication of the request with the digest information in it. The response back from the client contains the proxy authentication information, but no longer contains the digest responses.
It seems that the client is forgetting to include the digest responses in this case.
Is there something additional I need to do for digest compared to basic?
Thanks
Paul.
Re: Digest authentication problem
Paul,
any chance we could duplicate this? If you can give us access to your Proxy that would be really helpful. You can send info to techsupport@weonlydo.com . If we can't get access then it's going to take a while until we prepare environment here.
BTW there is a hidden DebugFile property. Can you set it to, for example, c:\debug.txt and then zip and send that file to techsupport email?
Re: Digest authentication problem
Hi guys,
I've done some more investigation.
I've removed the proxy from the equation and still have problems.
If I connect to the web server directly I see the following using a packet sniffer:
I receive a 401 response with the following digest authentication challenge
WWW-Authenticate: Digest realm="dtt",
nonce="CKCmVoj+AwA=5acdd81365dcb1bed622e5fa39fda99394be4246",
algorithm=MD5,
domain="/var/www/html/digest/ http://192.168.0.92/digest",
qop="auth"
I provide username and password when requested, I see a request go to the server with the following authorization header:
Authorization: Digest username="datatrack",
realm="dtt",
qop="auth",
algorithm="MD5",
uri="/digest",
nonce="CKCmVoj+AwA=5acdd81365dcb1bed622e5fa39fda99394be4246",
nc=00000001,
cnonce="0eaea6e30cbb4541cde4e4757b3e1c05",
response="128f21db62276c6318c6b56ebebc7e60"
The server then correctly returns the page for me to display.
I have also captured the output from the HttpDLX component in the debug file:
I get a 401 response with the authentication challenge
WWW-Authenticate: Digest realm="dtt",
nonce="mGtRSoj+AwA=10a178bcdf03bb887a670df9acdbe14ac0f5aef2",
algorithm=MD5,
domain="/var/www/html/digest/ http://192.168.0.92/digest",
qop="auth"
the httpdlx replies with the following authorization:
Authorization: Digest username="datatrack",
realm="dtt",
qop="auth",
algorithm="md5",
uri="/digest",
nonce="mGtRSoj+AwA=10a178bcdf03bb887a670df9acdbe14ac0f5aef2",
nc="00000002",
cnonce="477852d9077dd2532cd2c15ce7388b80",
opaque="",
response="7d0900cf0168e23489fabaced6c98e76"
however, instead of getting a 200 OK and the requested page you get a 401 and the whole thing happens again. This then continues indefinitely looping sending the response and getting back the 401.
The only real difference I can see between the messages is that the nc field is double quoted in the httpdlx message and isn't in the browser one. Could this be causing the problem???
any help would be gratefully received.
Thanks Paul.
Re: Digest authentication problem
Paul,
only difference I see is counter which is 02 in wodHttpDLX, while it's 01 in IE. This could be related to second request being sent to the server - so where's the first one?
There is a hidden DebugFile property you can set to, for example, C:\debug.txt . Can you do that and send me that file? ZIP it first, please, I'm on slow GPRS connection right now so make it as small as possible! Send it to techsupport@weonlydo.com, please.
If counter starts from 02 instead of 01, try changing Authentication from Automatic to Digest immediately in your code, perhaps it helps.
Kreso
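The two points raised in the posts above (whether a quoted nc matters, and the counter being 02 rather than 01) can be checked offline against a captured header. The following is an added example, not part of the original thread or of wodHttpDLX: it parses a Digest Authorization header, flags the parameters that RFC 7616 says must not be quoted, and recomputes the RFC 2617 response hash. The function names and the sample headers (built from the RFC 2617 section 3.5 example, since the thread does not give the password) are assumptions.

```python
import hashlib
import re

# RFC 7616: a sender must not use quoted-string syntax for these parameters.
UNQUOTED_ONLY = {"algorithm", "qop", "nc"}

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest(header_value):
    """Return {name: (value, was_quoted)} for a 'Digest ...' header value."""
    scheme, _, rest = header_value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    params = {}
    for m in re.finditer(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', rest):
        quoted = m.group(2) is not None
        params[m.group(1).lower()] = (m.group(2) if quoted else m.group(3), quoted)
    return params

def expected_response(params, method, password):
    """RFC 2617 request-digest for qop=auth with algorithm MD5."""
    v = {k: val for k, (val, _) in params.items()}
    ha1 = md5_hex(f"{v['username']}:{v['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{v['uri']}")
    return md5_hex(f"{ha1}:{v['nonce']}:{v['nc']}:{v['cnonce']}:{v['qop']}:{ha2}")

def audit(header_value, method, password):
    """List reasons a strict server could reject this Authorization header."""
    params = parse_digest(header_value)
    findings = [f"{n} is quoted" for n in sorted(UNQUOTED_ONLY) if params.get(n, ("", False))[1]]
    if not re.fullmatch(r"[0-9a-fA-F]{8}", params.get("nc", ("",))[0]):
        findings.append("nc is not 8 hex digits")
    if params["response"][0] != expected_response(params, method, password):
        findings.append("response hash mismatch")
    return findings

# Constructed inputs: the RFC 2617 section 3.5 sample (password "Circle Of Life"),
# then the same header with nc, qop and algorithm wrapped in double quotes.
BROWSER_STYLE = ('Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, algorithm=MD5, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1"')
QUOTED_STYLE = (BROWSER_STYLE.replace("qop=auth", 'qop="auth"')
    .replace("algorithm=MD5", 'algorithm="md5"').replace("nc=00000001", 'nc="00000001"'))

if __name__ == "__main__":
    for header in (BROWSER_STYLE, QUOTED_STYLE):
        print(audit(header, "GET", "Circle Of Life"))
```

Because nc is one of the hashed fields, a header whose counter was changed after the response was computed fails the hash check even when its syntax is valid.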
Re: Digest authentication problem
Hi Kreso,
I've got a little further.
[:cool:] I've installed the latest version of the Http client and server components, and have now got digest authentication working successfully when I do not go through our proxy.
[:sad:] Only problem I have now is that I get an authentication error when I try the same digest authentication with the proxy in the way. Seems to get so far, then doesn't complete the proxy handshaking.
I will zip up the debug logs for both and email them to you to see if you can spot what might be causing this problem.
Thanks
Paul.
Re: Digest authentication problem
Paul,
good, that explains why it worked for me all the time :)
Make sure IE works with that proxy authentication too using digest, I've read in MSDN that ISA+Digest has some problems, so we want to make sure it's not server-side issue.
Re: Digest authentication problem
Hi,
decision has been made that the 1st release of our product won't contain Proxy support, so (for the time being) this is no longer a problem for me.
Thanks for your efforts helping me.
Regards
Paul.