Basic authentication succeeds with invalid domain (311647)

SYMPTOMS

When you use Basic authentication and you type a valid user name and password but you type an invalid domain name, the authentication may still succeed, and you can see the page that you are trying to access.

Because Basic authentication transmits user information (user name and password) in clear text, Basic authentication should only be used over Secure Sockets Layer (SSL) connections.

CAUSE

The system call that Internet Information Services (IIS) uses to validate passwords using Basic authentication has changed behavior in Microsoft Windows Server 2003. With Microsoft Windows 2000, the system call respects the domain name, so the call does not permit the user to log on if the domain name is invalid. Under Windows Server 2003, the system call accepts any domain name. This means that authentication to an IIS server may succeed with an invalid domain name, as long as the user name and password are valid.

MORE INFORMATION

Steps to Reproduce the Behavior

In the Administrative Tools folder, open the Internet Information Services Microsoft Management Console (MMC).
Double-click the Web Sites folder.
Right-click the default Web site, and then click Properties.
Click the Directory Security tab.
Under Authentication and Access Control, click Edit.
In the Authentication Methods window, click to clear all check boxes. Select Basic authentication (password is sent in clear text). Click the OK button two times to apply these settings and return to the IIS MMC.
Open a Microsoft Internet Explorer browser window and open your Web site. When you are prompted for authentication, type invaliddomain\user as the user name, where user is a valid local user name on the IIS server. Type the password for the user account as the password. Click OK. You can see your home page, although "invaliddomain" is not a valid domain name.

Basic authentication succeeds with invalid domain (311647)

SYMPTOMS

CAUSE

STATUS

MORE INFORMATION

Steps to Reproduce the Behavior