Discussion:
WinCE 6.0 Web Server Authentication
(too old to reply)
Yasutaka
2008-05-01 05:47:32 UTC
Permalink
Hello,

I am evaluating "ISAPI" and "Web Server Authentication" function of Windows
Embedded CE 6.0. Then, I meet the phenomenon that "Web Server
Authentification" does not works well.

1) I changed default HTTP server settings as bellow. I do not include "NTML"
catalog now.
[HKLM\COMM\HTTPD\]
"NTLM"=dword:0
"Basic"=dword:1
"AdminUsers="root"
2) I add the registry and ISAPI application(DLL file) to OS image.
[HKLM\COMM\HTTPD\VROOTS\/TestIsapi]
@="\\WIndows\\TestIsapi.dll"
"A"=dword:1
UserList="John;Paul"
3) WinCE image has booted, I entered password by [Control Panel]-[Password]
window.
4) We access the device by IE7. User authentication dialogue was displayed.
I specified correct user name and password, but I can not access web site.
5) I checked HTTPD log file with WebAdmin tools which is included OS. HTTPD
put out code 401(Unauthorized ERROR).
6) In case of Windows CE 5.0, it works well on same condition.

Do you have any information about this? Please advice for me.

Regards.
John Spaith [MS]
2008-05-01 16:48:09 UTC
Permalink
I think the underlying problem is
3) WinCE image has booted, I entered password by [Control Panel]-[Password]
window.

In CE 5.0 & previos, CE would call an API CheckPassword() that would tie
into the control panel password. In CE6.0 we removed this functionality.
Now you need to write an application that will call NTLMSetUserInfo()
http://msdn.microsoft.com/en-us/library/ms926215.aspx in order to create
user names and passwords.

We removed CheckPassword() just out of security concerns. It wasn't a known
exploit around it per se (except of course you cannot have user names
associated with it). We wanted to make everything go through the one
authentication path so there would be less code paths to be exploited.
--
John Spaith
Senior Software Design Engineer
Windows CE Networking
Microsoft Corporation

http://blogs.msdn.com/cenet/.

This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2007 Microsoft Corporation. All rights
reserved.
Post by Yasutaka
Hello,
I am evaluating "ISAPI" and "Web Server Authentication" function of Windows
Embedded CE 6.0. Then, I meet the phenomenon that "Web Server
Authentification" does not works well.
1) I changed default HTTP server settings as bellow. I do not include "NTML"
catalog now.
[HKLM\COMM\HTTPD\]
"NTLM"=dword:0
"Basic"=dword:1
"AdminUsers="root"
2) I add the registry and ISAPI application(DLL file) to OS image.
[HKLM\COMM\HTTPD\VROOTS\/TestIsapi]
@="\\WIndows\\TestIsapi.dll"
"A"=dword:1
UserList="John;Paul"
3) WinCE image has booted, I entered password by [Control
Panel]-[Password]
window.
4) We access the device by IE7. User authentication dialogue was displayed.
I specified correct user name and password, but I can not access web site.
5) I checked HTTPD log file with WebAdmin tools which is included OS.
HTTPD
put out code 401(Unauthorized ERROR).
6) In case of Windows CE 5.0, it works well on same condition.
Do you have any information about this? Please advice for me.
Regards.
Yasutaka
2008-05-02 06:02:00 UTC
Permalink
Hellow John,

I added user and password information to my device by using
NTLMSetUserInfo(), and accessed my device through web browser. I could
succeedd to login my device's HTTPD.

Thanks,

---
Yasutaka
Post by John Spaith [MS]
I think the underlying problem is
3) WinCE image has booted, I entered password by [Control Panel]-[Password]
window.
In CE 5.0 & previos, CE would call an API CheckPassword() that would tie
into the control panel password. In CE6.0 we removed this functionality.
Now you need to write an application that will call NTLMSetUserInfo()
http://msdn.microsoft.com/en-us/library/ms926215.aspx in order to create
user names and passwords.
We removed CheckPassword() just out of security concerns. It wasn't a known
exploit around it per se (except of course you cannot have user names
associated with it). We wanted to make everything go through the one
authentication path so there would be less code paths to be exploited.
--
John Spaith
Senior Software Design Engineer
Windows CE Networking
Microsoft Corporation
http://blogs.msdn.com/cenet/.
This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2007 Microsoft Corporation. All rights
reserved.
Post by Yasutaka
Hello,
I am evaluating "ISAPI" and "Web Server Authentication" function of Windows
Embedded CE 6.0. Then, I meet the phenomenon that "Web Server
Authentification" does not works well.
1) I changed default HTTP server settings as bellow. I do not include "NTML"
catalog now.
[HKLM\COMM\HTTPD\]
"NTLM"=dword:0
"Basic"=dword:1
"AdminUsers="root"
2) I add the registry and ISAPI application(DLL file) to OS image.
[HKLM\COMM\HTTPD\VROOTS\/TestIsapi]
@="\\WIndows\\TestIsapi.dll"
"A"=dword:1
UserList="John;Paul"
3) WinCE image has booted, I entered password by [Control
Panel]-[Password]
window.
4) We access the device by IE7. User authentication dialogue was displayed.
I specified correct user name and password, but I can not access web site.
5) I checked HTTPD log file with WebAdmin tools which is included OS.
HTTPD
put out code 401(Unauthorized ERROR).
6) In case of Windows CE 5.0, it works well on same condition.
Do you have any information about this? Please advice for me.
Regards.
Loading...