Advanced Digest authentication works from Internet Explorer; however, we receive multiple authentication prompts on each GET request from Firefox

Some time back I was working on a particular issue which was particularly interesting. They had a website that was configured to use Advanced Digest authentication from IIS; however, the peculiar behaviour was that while using Firefox they received multiple authentication prompts for every GET request. Basically, a click on any link or even a mere refresh of the current page was causing an authentication prompt, whereas the expected behaviour would be a single auth prompt initially to access the website, much like basic authentication. This worked just as expected on Internet Explorer :) That is when I decided to get to the bottom of this...

Problem Description:

  • Advanced Digest authentication is not working on Firefox.
  • For every new GET request using Firefox we receive a prompt for credentials. Refreshing any page also causes an authentication prompt.
  • Using IE this works as expected with only a single prompt and no additional prompt for a new request.

Resolution:

Running a network monitor tool to capture traffic from both IE and Firefox while browsing to the website <http://fqdn.com/cgi-bin/admin/start.exe>, and comparing the two captures for HTTP traffic, we see the following:

Internet Explorer:

==============

For the first GET request there is no qop="auth" parameter; the subsequent response looks like the following:

Authenticate:  Digest qop="auth",algorithm=MD5-sess,nonce="c2c8c9927f93c9019bc1181dc62db3a75823ffa6be50320d30831dcfaeb753d84a2a40b5ea3f62a8",charset=utf-8,realm="cdm.oclc.org"

From here onwards, every new GET request no longer carries the qop="auth" parameter but carries the additional parameters cnonce and nc.

 Http: Request, GET http://fqdn.com/cgi-bin/admin/start.exe , Using Digest Authorization

  • Authorization:  Digest username="50005admin",realm="cdm.oclc.org",nonce="c2c8c9927f93c9019bc1181dc62db3a75823ffa6be50320d30831dcfaeb753d84a2a40b5ea3f62a8",uri="/cgi-bin/admin/start.exe",cnonce="6fa7bf203f140e0bde0cfa1b62b73215",nc=00000001,algorithm=MD5-sess

Command : GET  ; URI: http://fqdn.com/cgi-bin/admin/index.exe

  • Authorization:  Digest username="50005admin",realm="cdm.oclc.org",nonce="c2c8c9927f93c9019bc1181dc62db3a75823ffa6be50320d30831dcfaeb753d84a2a40b5ea3f62a8",uri="/cgi-bin/admin/index.exe",cnonce="6fa7bf203f140e0bde0cfa1b62b73215",nc=00000002,algorithm=MD5-sess,

Command : GET ; URI: http://fqdn.com/cgi-bin/admin/collections.exe

  • Authorization:  Digest username="50005admin",realm="cdm.oclc.org",nonce="c2c8c9927f93c9019bc1181dc62db3a75823ffa6be50320d30831dcfaeb753d84a2a40b5ea3f62a8",uri="/cgi-bin/admin/collections.exe",cnonce="6fa7bf203f140e0bde0cfa1b62b73215",nc=00000003,algorithm=MD5

Basically, the qop="auth" is there only for the first response; for all subsequent requests the client sends a client nonce (cnonce) along with a nonce counter (nc), since the user is already authenticated.

The cnonce value is persisted, and for every request only the nonce counter increments, telling the server that this is a new request from the same client who has been authenticated.

Mozilla Firefox:

=============

For the first GET request there is no qop="auth" parameter; the subsequent response looks like the following:

Authenticate:  Digest qop="auth",algorithm=MD5-sess,nonce="a84a4bc67c93c901b9f6606b20651d47a7c3d4a5b00f09103f3b85598472f451ea8f4818e582bdcb",charset=utf-8,realm="cdm.oclc.org"

(Up to here it behaves exactly like Internet Explorer.)

Now, unlike IE, every new GET request contains qop=<blank> in the Authorization header and a qop="auth" parameter in the AuthData, and does not contain the client nonce (cnonce); however, there is an nc.

HTTP:Request, GET /cgi-bin/admin/start.exe , Using Digest Authorization

  • Authorization:  Digest username="50005admin", realm="cdm.oclc.org", nonce="a84a4bc67c93c901b9f6606b20651d47a7c3d4a5b00f09103f3b85598472f451ea8f4818e582bdcb", uri="/cgi-bin/admin/start.exe", algorithm=MD5-sess, response="17f92115fa201b3186c5a9737d777d6b", qop=

  • AuthData: username="50005admin", realm="cdm.oclc.org", nonce="a84a4bc67c93c901b9f6606b20651d47a7c3d4a5b00f09103f3b85598472f451ea8f4818e582bdcb", uri="/cgi-bin/admin/start.exe", algorithm=MD5-sess, response="17f92115fa201b3186c5a9737d777d6b", qop="auth", nc=00

HTTP:Request, GET /cgi-bin/admin/index.exe , Using Digest Authorization

  • Authorization:  Digest username="50005admin", realm="cdm.oclc.org", nonce="a84a4bc67c93c901b9f6606b20651d47a7c3d4a5b00f09103f3b85598472f451ea8f4818e582bdcb", uri="/cgi-bin/admin/index.exe", algorithm=MD5-sess, response="979d6d56916877dda6620569f8f63a12", qop=

  • AuthData: username="50005admin", realm="cdm.oclc.org", nonce="a84a4bc67c93c901b9f6606b20651d47a7c3d4a5b00f09103f3b85598472f451ea8f4818e582bdcb", uri="/cgi-bin/admin/index.exe", algorithm=MD5-sess, response="979d6d56916877dda6620569f8f63a12", qop="auth", nc=0000

Therefore, what happens here is that every GET request has a qop="auth" section and there is no cnonce; hence you'll also notice that the nonce counter (nc) never increments. As a result, for every request the server fails to authenticate the client and there is a new prompt.

In short, by sending a cnonce, the client could gain some assurance that its request arrived unchanged at the server. But if the qop/response/cnonce attributes got deleted by an agent in the middle, the server wouldn't know it and would just assume it was dealing with an older client, in which case, when the client eventually checks the Auth-info header's "response=" directive, the check will fail.
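The check the server performs on each request, and why a request without cnonce and nc cannot pass it, as an added example that is not part of the original post and is not IIS code. It uses the RFC 2617 formulas for qop="auth" with MD5-sess; the user, realm, password, nonce and cnonce values are constructed samples, and the function names are hypothetical.

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest(value):
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', value)  # quoted or bare value
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def expected_response(d, method, password):
    """RFC 2617 request-digest for qop=auth with MD5 or MD5-sess."""
    ha1 = md5_hex(f"{d['username']}:{d['realm']}:{password}")
    if d.get("algorithm", "MD5").lower() == "md5-sess":
        ha1 = md5_hex(f"{ha1}:{d['nonce']}:{d['cnonce']}")
    ha2 = md5_hex(f"{method}:{d['uri']}")
    return md5_hex(f"{ha1}:{d['nonce']}:{d['nc']}:{d['cnonce']}:{d['qop']}:{ha2}")

def check_request(value, method, password, last_nc):
    """Model of a server that offered qop="auth"; returns (verdict, last_nc)."""
    d = parse_digest(value)
    missing = [k for k in ("qop", "cnonce", "nc", "response") if not d.get(k)]
    if missing:  # without these the digest cannot even be recomputed
        return "reject: missing " + ",".join(missing), last_nc
    if int(d["nc"], 16) <= last_nc:  # counter repeated or went backwards
        return "reject: nc not incremented", last_nc
    if d["response"] != expected_response(d, method, password):
        return "reject: bad response", last_nc
    return "ok", int(d["nc"], 16)

def demo():
    pw = "constructed-password"  # every value in this function is a constructed sample
    base = dict(username="alice", realm="example.test", nonce="a1b2c3",
                cnonce="0a4f113b", qop="auth", algorithm="MD5-sess")
    def header(uri, nc):
        d = dict(base, uri=uri, nc=f"{nc:08x}")
        d["response"] = expected_response(d, "GET", pw)
        bare = ("nc", "qop", "algorithm")
        return "Digest " + ",".join(
            f"{k}={v}" if k in bare else f'{k}="{v}"' for k, v in d.items())
    no_cnonce = ('Digest username="alice", realm="example.test", nonce="a1b2c3", '
                 'uri="/index.exe", algorithm=MD5-sess, response="00", qop=')
    verdicts, last_nc = [], 0
    for value in (header("/start.exe", 1), header("/index.exe", 2),
                  header("/index.exe", 2), no_cnonce):
        verdict, last_nc = check_request(value, "GET", pw, last_nc)
        verdicts.append(verdict)
    return verdicts

print(demo())
```

The first two requests mirror the Internet Explorer capture (same cnonce, nc going from 1 to 2) and are accepted; the third repeats nc=2, and the fourth has the shape of the Firefox Authorization header (empty qop, no cnonce, no nc), so both are rejected.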

For information on Advanced Digest authentication, see RFC 2069: http://en.wikipedia.org/wiki/Digest_access_authentication
