Microsoft KB Archive/311647

= Basic authentication succeeds with invalid domain =

Article ID: 311647

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Internet Information Services 6.0

-



This article was previously published under Q311647



SYMPTOMS
When you use Basic authentication and you type a valid user name and password but you type an invalid domain name, the authentication may still succeed, and you can see the page that you are trying to access.

Because Basic authentication transmits user information (user name and password) in clear text, Basic authentication should only be used over Secure Sockets Layer (SSL) connections.



CAUSE
The system call that Internet Information Services (IIS) uses to validate passwords using Basic authentication has changed behavior in Microsoft Windows Server 2003. With Microsoft Windows 2000, the system call respects the domain name, so the call does not permit the user to log on if the domain name is invalid. Under Windows Server 2003, the system call accepts any domain name. This means that authentication to an IIS server may succeed with an invalid domain name, as long as the user name and password are valid.
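The two points above (Basic credentials travel as reversible base64, and on Windows Server 2003 the password check ignores the domain part) can be shown in a small self-contained model. This is an added example, not code from the KB article or from IIS: the trusted-domain set, the local account table, the `system_logon` stand-in for the OS password check, and the `strict_domain` switch are all constructed here for illustration. It decodes an `Authorization: Basic` header, splits `DOMAIN\user`, and shows that an explicit domain comparison in the application is what turns `invaliddomain\user` into a rejection.

```python
"""Added example (not from the KB article): decoding Basic credentials and
adding an explicit domain check before the password-validation call.

The trusted-domain list, the account table and system_logon() are
constructed test fixtures standing in for the real IIS server and OS call.
"""
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed: names this server would accept in the DOMAIN\user prefix.
TRUSTED_DOMAINS = {"IISSERVER", "CORP"}

# Constructed local accounts; a real server asks the OS instead.
LOCAL_ACCOUNTS = {"alice": "s3cret!"}


def decode_basic(header: str) -> Optional[Tuple[str, str]]:
    """Return (user_field, password) from 'Basic <base64>', or None if malformed.

    The decode shows that base64 is an encoding, not encryption: anyone who
    sees the header without SSL/TLS recovers the credentials in clear text.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user_field, _, password = raw.partition(":")
    return user_field, password


def split_domain(user_field: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' into (DOMAIN, user); no backslash means no domain."""
    if "\\" in user_field:
        domain, _, user = user_field.partition("\\")
        return domain, user
    return None, user_field


def system_logon(user: str, password: str) -> bool:
    """Stand-in for the OS password check, which (per the article) takes no
    notice of the domain name on Windows Server 2003."""
    expected = LOCAL_ACCOUNTS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode("utf-8"), password.encode("utf-8")
    )


def authenticate(header: str, strict_domain: bool) -> str:
    """Return 'OK', 'BAD_DOMAIN' or 'DENIED'.

    strict_domain=False reproduces the Server 2003 behaviour the article
    describes; strict_domain=True rejects unknown domains before the
    password is ever checked.
    """
    creds = decode_basic(header)
    if creds is None:
        return "DENIED"
    user_field, password = creds
    domain, user = split_domain(user_field)
    if strict_domain and domain is not None and domain.upper() not in TRUSTED_DOMAINS:
        return "BAD_DOMAIN"
    return "OK" if system_logon(user, password) else "DENIED"


def basic_header(user_field: str, password: str) -> str:
    """Build the header a browser would send; used to construct test input."""
    token = base64.b64encode(f"{user_field}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    hdr = basic_header("invaliddomain\\alice", "s3cret!")
    print("Header on the wire :", hdr)
    print("Decoded clear text :", decode_basic(hdr))
    print("Server 2003 style  :", authenticate(hdr, strict_domain=False))  # OK
    print("Strict domain check:", authenticate(hdr, strict_domain=True))   # BAD_DOMAIN
```

Running the block prints the header, its decoded clear-text contents, and the two outcomes side by side: without the extra check the invalid domain is accepted, exactly as the article describes; with it, the request is refused before the password is compared.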



STATUS
This behavior is by design.



Steps to Reproduce the Behavior

 * 1) In the Administrative Tools folder, open the Internet Information Services Microsoft Management Console (MMC).
 * 2) Double-click the Web Sites folder.
 * 3) Right-click the default Web site, and then click Properties.
 * 4) Click the Directory Security tab.
 * 5) Under Authentication and Access Control, click Edit.
 * 6) In the Authentication Methods window, click to clear all check boxes. Select Basic authentication (password is sent in clear text). Click the OK button two times to apply these settings and return to the IIS MMC.
 * 7) Open a Microsoft Internet Explorer browser window and open your Web site. When you are prompted for authentication, type invaliddomain\<username> as the user name, where <username> is a valid local user name on the IIS server. Type the password for the <username> account as the password. Click OK. You can see your home page, although "invaliddomain" is not a valid domain name.

Additional query words: BetaPublic

Keywords: kbprb KB311647

-


© Microsoft Corporation. All rights reserved.