Simon Fell > Its just code > IIS Auth

Saturday, June 1, 2002

I boiled the IIS authentication and persistent connections issue down to a simple test, and have seen this behavour on IIS 5.0 on W2K server w/SP2 and IIS 5.1 on XP Pro.

Create a simple HTML file foo.htm and drop it in the wwwroot\\inetpub directory, start IIS admin, expand the tree to so that you can see foo.htm, right click properties pick file security, click authentication methods, turn off everything except basic authentication and select a default domain. You will need an account called bang with a password of bang

Telnet to the server and send

GET /foo.htm HTTP/1.1
Host: localhost

you should get back a 401 response, this proves that IIS is configured for authentication only

HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.1
Date: Sun, 02 Jun 2002 05:46:39 GMT
WWW-Authenticate: Basic realm=""
Connection: close
Content-Length: 4431
Content-Type: text/html

Now, telnet again, and send

GET /foo.htm HTTP/1.1
Host: localhost
Authorization: Basic YmFuZzpiYW5n

You should get a 200 response, with the contents of your file,

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
Date: Sun, 02 Jun 2002 05:56:24 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Sun, 02 Jun 2002 05:45:22 GMT
ETag: "c98679aff89c21:9ed"
Content-Length: 54


 the connection should still be open, now send

GET /foo.htm HTTP/1.1
Host: localhost

Rather than the expected 401 authorization error, you get a 200 again, with the file contents.