Versions Compared

Old Version 55

changes.mady.by.user Unknown User (mattlangston)

Saved on

compared with

New Version Current

changes.mady.by.user Unknown User (mattlangston)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migration of unmigrated content due to installation of a new plugin

...

Panel
borderColor#ccc
bgColor#FFFFCE
titleBGColor#F7D6C1
titleUnauthorized User Visits Web Site
borderStyledashed

http://glast-ground.slac.stanford.edu/Image Removed

GET / HTTP/1.1
Host: glast-ground.slac.stanford.edu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: CFTOKEN=84811003; CFID=906

HTTP/1.x 401 Unauthorized
Content-Length: 1656
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM
Date: Sun, 19 Dec 2004 01:23:45 GMT

...

A hash of these credentials (not the credentials themselves) is passed to the web server (the line Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=TlRMTVNTUAABAAA... in the listing below), which allows the web server to look up the user in the Windows password database and to construct a unique encrypted challenge that the browser can only decrypt with the user's unique password. The long line of characters sent by the web server to the browser (after the WWW-Authenticate: NTLM in the diagram listing below) is the encrypted challenge:

Panel
borderColor#ccc
bgColor#FFFFCE
titleBGColor#F7D6C1
titleWeb Server Challenges User
borderStyledashed

http://glast-ground.slac.stanford.edu/Image Removed

GET / HTTP/1.1
Host: glast-ground.slac.stanford.edu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: CFTOKEN=84811003; CFID=906
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=TlRMTVNTUAABAA...

HTTP/1.x 401 Unauthorized
Content-Length: 1539
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM
TlRMTVNTUAACAAAACAAIADgAAAAFgokCub9Oy9DBXqAAAAAAAAAAALwAvABA
AAAABQLODgAAAA9TAEwAQQBDAAIACABTAEwAQQBDAAEADgBHAEwAQQBTAF
QAMAA1AAQAKgB3AGkAbgAuAHMAbABhAGMALgBzAHQAYQBuAGYAbwByAGQAL
gBlAGQAdQADADoAZwBsAGEAcwB0ADAANQAuAHcAaQBuAC4AcwBsAGEAYwAu
AHMAdABhAG4AZgBvAHIAZAAuAGUAZAB1AAUAKgB3AGkAbgAuAHMAbABhAGM
ALgBzAHQAYQBuAGYAbwByAGQALgBlAGQAdQAAAAAA
TlRMTVNTUAACAAAA...
Date: Sun, 19 Dec 2004 01:24:06 GMT

Back at the browser, the browser attempts to decrypt the challenge with the user's password to get the answer to the challenge, which the browser then sends to the web server as proof that the user is who they claim to be. In the diagram listing below, the string of characters after the line Authorization: NTLM is what the browser thinks the answer is. In this case, the user provided valid SLAC credentials to the browser, and the original page is served:

Panel
borderColor#ccc
bgColor#FFFFCE
titleBGColor#F7D6C1
titleBrowser Correctly Answers the Challenge and Web Server Sends Original Page
borderStyledashed

http://glast-ground.slac.stanford.edu/Image Removed

GET / HTTP/1.1
Host: glast-ground.slac.stanford.edu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: CFTOKEN=84811003; CFID=906
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAF4AAAAYABgAdgAAAAAAAABAAAAAEAAQAEAAAAAO
AA4AUAAAAAAAAAAAAAAABYIIAGwAYQBuAGcAcwB0AG8AbgB0AHIAaQBuAGkAdAB5AGnvMd+cF8Ap
AAAAAAAAAAAAAAAAAAAAAKR+uySl79KWtB9ldk9LLw/n1IUXoy8IeQ==TlRMTVNTUAADAAAAGA...

HTTP/1.x 200 OK
Connection: close
Date: Sun, 19 Dec 2004 01:24:08 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: JSESSIONID=98307ef1b78b$3F$B77B;path=/
Set-Cookie: CFAUTHORIZATION_glast_ground=;expires=Fri, 19-Dec-2003 01:24:08 GMT;path=/
Content-Type: text/html; charset=UTF-8

...