Infinite loop in WinHttpReceiveResponse doing proxy authentication

Bret Johnson

Oct 8, 2002, 11:13:11 PM

The following scenario causes, for me at least, an infinite loop in
WinHttpReceiveResponse. This looks to be a WinHttp bug.

Environment:
- Using WinHttp 5.1 (same problem with 5.0, though), C API
- Requests go through a Microsoft ISA authenticated proxy server using
basic authentication

Scenario:
- Create a request that does a GET on some URL
- Call WinHttpSetCredentials, specifying credentials for NTLM (not
basic) proxy authentication
- Then do a WinHttpSendRequest and a WinHttpReceiveResponse

Result:
- WinHttpReceiveResponse goes into an infinite loop. From the log I
can see that it's doing this: the proxy sends back a 407 with the
proper "Proxy-Authenticate: Basic realm=..." header. WinHttp responds
by resending the GET, but doesn't provide any authentication header
(clearly, this seems wrong). Then another 407 comes back, WinHttp
resends the GET again, and the cycle continues. When SSL is turned
on, there's a similar infinite loop (cycling between CONNECTs with no
authentication header and 407s).

Is this a WinHttp bug? If it's not a known issue, I'd like to get it
reported.

Note that there are various reasons I want to do a
WinHttpSetCredentials for NTLM proxy authentication before sending the
request. One is that often this code will go to an NTLM authenticated
proxy. Another is that setting WINHTTP_OPTION_AUTOLOGON_POLICY to
WINHTTP_AUTOLOGON_SECURITY_LEVEL_HIGH doesn't seem to disable auto
logon to proxy servers. It seems like it should; this may be another
bug. So I provide explicit credentials so that WinHttp won't use the
process/thread security token credentials to try to authenticate.

Thanks.

Stephen Sulzer (Microsoft)

Oct 9, 2002, 8:08:27 PM

Yes, this is a bug in WinHTTP. If the client sets credentials for an
authentication scheme other than the scheme specified by the first
Proxy-Authenticate header in the proxy's 407 response, then
WinHttpReceiveResponse will go into an infinite loop. In other words, the
client must use the "FirstScheme" specified by WinHttpQueryAuthSchemes.

This bug was fixed in WinHTTP 5.1 for Windows .NET Server (Release Candidate
1), so the client can use any authentication scheme the server supports. But
when a fix would be available for Windows 2000 and Windows XP platforms is
not known.

WinHTTP considers proxy servers to be trustworthy, so the
WINHTTP_AUTOLOGON_SECURITY_LEVEL_HIGH auto-logon setting does not apply to
them.


Regards,

Stephen Sulzer
Microsoft Corporation


This posting is provided "AS IS" with no warranties, and confers no rights.


"Bret Johnson" <bretaj...@yahoo.com> wrote in message
news:26fb0778.02100...@posting.google.com...

Stephen Sulzer (Microsoft)

Oct 10, 2002, 4:47:15 PM

> WinHTTP considers proxy servers to be trustworthy, so the
> WINHTTP_AUTOLOGON_SECURITY_LEVEL_HIGH auto-logon setting does not apply to
> them.

Follow-up to this statement.

As part of the recent Windows security reviews, this behavior was changed
for WinHTTP 5.1 on Windows .NET Server. If the client sets the auto-logon
policy to HIGH, then WinHTTP will not auto-logon with the proxy server.
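
The constraint from the first reply (credentials must be for the "FirstScheme" that WinHttpQueryAuthSchemes reports) can be applied as below. This is an added example, not code from either poster or from Microsoft. The `cred` struct, `cred_for_first_scheme`, `send_via_proxy` and the `MAX_AUTH_ROUNDS` cap are hypothetical names chosen here. Credentials are set only after the first 407, and only for the proxy's first scheme.

```c
/* Added example, not code from the thread. The WinHTTP calls build only
 * under _WIN32; the scheme-selection helper builds anywhere. */
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#include <winhttp.h>
#else
typedef unsigned long DWORD;              /* stand-ins for winhttp.h values */
#define WINHTTP_AUTH_SCHEME_BASIC 0x00000001
#define WINHTTP_AUTH_SCHEME_NTLM  0x00000002
#endif

/* Hypothetical holder: one credential per scheme the client will use. */
typedef struct { DWORD scheme; const wchar_t *user, *pass; } cred;

/* Credential matching the proxy's first scheme, or NULL when the client has
 * none, in which case the caller gives up rather than resending. */
const cred *cred_for_first_scheme(const cred *c, size_t n, DWORD first) {
    for (size_t i = 0; i < n; i++)
        if (c[i].scheme == first) return &c[i];
    return NULL;
}

#ifdef _WIN32
#define MAX_AUTH_ROUNDS 3                 /* assumption: cap on 407 round trips */
/* Returns the final HTTP status, or 0 on API failure or no usable credential. */
DWORD send_via_proxy(HINTERNET req, const cred *c, size_t n) {
    for (int round = 0; round < MAX_AUTH_ROUNDS; round++) {
        DWORD status = 0, len = sizeof status, supported, first, target;
        if (!WinHttpSendRequest(req, WINHTTP_NO_ADDITIONAL_HEADERS, 0,
                                WINHTTP_NO_REQUEST_DATA, 0, 0, 0) ||
            !WinHttpReceiveResponse(req, NULL) ||
            !WinHttpQueryHeaders(req, WINHTTP_QUERY_STATUS_CODE |
                                 WINHTTP_QUERY_FLAG_NUMBER,
                                 WINHTTP_HEADER_NAME_BY_INDEX, &status, &len,
                                 WINHTTP_NO_HEADER_INDEX))
            return 0;
        if (status != 407) return status;   /* done, or not a proxy challenge */
        if (!WinHttpQueryAuthSchemes(req, &supported, &first, &target))
            return 0;
        const cred *use = cred_for_first_scheme(c, n, first);
        if (!use || !WinHttpSetCredentials(req, target, use->scheme,
                                           use->user, use->pass, NULL))
            return 0;
    }
    return 0;                               /* still 407 after the cap */
}
#endif
```

With only NTLM credentials configured and a proxy whose first scheme is Basic, `send_via_proxy` returns 0 after a single 407 instead of resending the request.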
