Microsoft KB Archive/327132

= FIX: PassportIdentity Does Not Require Secure PIN When Security-Enhanced Authentication Is Requested =

Article ID: 327132

Article Last Modified on 10/11/2005

-

APPLIES TO


 * Microsoft ASP.NET 1.0

-



This article was previously published under Q327132



SYMPTOMS
When you use Passport authentication in Microsoft ASP.NET, you may experience the following problems:
 * The iUseSecureAuth parameter is ignored, and users are not prompted for a personal identification number (PIN) when you set the iUseSecureAuth parameter to 100 and when you call the following methods:
 * PassportIdentity.AuthUrl
 * PassportIdentity.LogoTag
 * PassportIdentity.LoginUser
 * The PassportIdentity class does not distinguish between Tweener-capable clients (such as Microsoft Internet Explorer 6) and non-Tweener-capable clients (that is, clients that do not understand the Microsoft Passport 1.4 protocol). When the client sends a Passport authentication request, the server always responds with a 302 response status. However, the server should respond with a 401 response status to Tweener-capable clients to add an extra layer of security.



CAUSE
This problem occurs because the PassportIdentity.AuthUrl, the PassportIdentity.LogoTag, and the PassportIdentity.LoginUser methods ignore the iUseSecureAuth = 100 parameter and use a security level of 10, which does not require a PIN.



RESOLUTION
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem. This fix may receive additional testing. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Microsoft .NET Framework service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The typical support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

NOTE: This hotfix was recently updated. If you downloaded the hotfix before August 29, 2002, and if you receive the following error message

NullReferenceException: Object reference not set to an instance of an object

contact Microsoft Product Support Services to obtain the updated version that resolves this problem.

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.   Date         Time   Version         Size      File Name --  31-Jul-2002  09:39  1.0.3705.299     192,512  Aspnet_isapi.dll 31-Jul-2002 09:33                    19,332  Aspnet_perf.ini 31-Jul-2002 09:39  1.0.3705.299      24,576  Aspnet_regiis.exe 31-Jul-2002 09:39  1.0.3705.299      28,672  Aspnet_wp.exe 18-Jul-2002 05:49                     8,755  Smartnav.js   21-Mar-2002  04:31                     7,003  Smartnavie5.js   31-Jul-2002  19:27  1.0.3705.299   1,187,840  System.web.dll



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Keywords: kbbug kbfix kbqfe kbnetframe100presp3fix kbhotfixserver KB327132

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.