Challenge/response authentication with ShotIp
What is Challenge/response authentication
The challenge/response authentication scheme for the HTTP protocol is used mainly on LANs (intranet networks) between Windows machines; it is the scheme Windows and IIS call integrated (NTLM) authentication.
It is a security mechanism in which a client computer uses its established user logon information to identify itself to the server computer.
It is a more secure mechanism than Basic HTTP authorization, because with challenge/response the user's password is never passed to the server (Basic authorization sends the password in the Authorization header, merely base64-encoded). Instead,
the client (the ShotIp component) presents the credentials of the current process. The server prepares a random block of data (the
challenge) and sends it back to the client. The client enciphers the challenge using the NT account information of the current process
and the hashed password, and sends the result (the response) to the server. The server then checks the response against the account's stored password hash; because a fresh challenge is issued for each request, a captured response cannot simply be replayed. If that check
succeeds, the client gets access to the Web page content (the server sends the file or runs the script).
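The exchange described above, as an added example that is not part of ShotIp or of the original page: a simplified Python model in which the server issues a random challenge, the client answers with a keyed hash computed from the hashed password, and the server verifies it against the hash it stores. The hash and MAC functions, the message layout, the account names, the session identifiers and helper names such as password_hash and run_exchange are this example's own assumptions and do not reproduce the real Windows wire format; a Basic authorization header is built alongside so the two can be compared.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed, simplified model of HTTP challenge/response authentication as the
# page describes it. The hash, MAC and message layout are this example's own
# assumptions, not the Windows wire format; the point is that only a challenge
# and a keyed response cross the wire, never the password itself.

def password_hash(password: str) -> bytes:
    # Both sides work from a hash of the password, never the cleartext.
    return hashlib.sha256(password.encode("utf-8")).digest()

def compute_response(pw_hash: bytes, domain: str, user: str, challenge: bytes) -> bytes:
    # The client enciphers the server's challenge with the hashed password and
    # its NT account identity; the server recomputes the same value to check it.
    msg = challenge + domain.encode("utf-8") + b"\0" + user.encode("utf-8")
    return hmac.new(pw_hash, msg, hashlib.sha256).digest()

class Server:
    def __init__(self, accounts, content):
        self.accounts = accounts   # (domain, user) -> stored password hash
        self.content = content     # the protected page
        self.pending = {}          # session id -> outstanding challenge

    def challenge(self, session):
        c = secrets.token_bytes(16)          # fresh random challenge per request
        self.pending[session] = c
        return c

    def authorize(self, session, domain, user, response):
        # A challenge is consumed by exactly one response, so a replay fails.
        c = self.pending.pop(session, None)
        stored = self.accounts.get((domain, user))
        if c is None or stored is None:
            return 401, b""
        expected = compute_response(stored, domain, user, c)
        if not hmac.compare_digest(expected, response):
            return 401, b""
        return 200, self.content             # check passed: serve the file

def run_exchange(server, session, domain, user, password):
    """Play one exchange; return the HTTP status and every message on the wire."""
    wire = [("client->server", b"GET /protected.asp HTTP/1.1")]
    challenge = server.challenge(session)
    wire.append(("server->client", b"401 challenge=" + challenge))
    response = compute_response(password_hash(password), domain, user, challenge)
    wire.append(("client->server", f"{domain}\\{user} ".encode() + response))
    status, body = server.authorize(session, domain, user, response)
    wire.append(("server->client", f"{status} ".encode() + body))
    return status, wire

def password_on_wire(wire, password):
    # True if the cleartext password appears in any captured message.
    return any(password.encode("utf-8") in data for _, data in wire)

def basic_authorization_header(user, password):
    # For comparison: Basic HTTP authorization only base64-encodes user:password.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic(header):
    # Anyone who sees a Basic header recovers the password with one decode.
    return base64.b64decode(header.split(" ", 1)[1]).decode()

if __name__ == "__main__":
    # Constructed account: the server stores only the password hash.
    srv = Server({("CORP", "alice"): password_hash("S3cret!")}, b"<html>secret page</html>")
    status, wire = run_exchange(srv, "s1", "CORP", "alice", "S3cret!")
    print(status, "password on wire:", password_on_wire(wire, "S3cret!"))
    print(run_exchange(srv, "s2", "CORP", "alice", "wrong")[0])
    print(decode_basic(basic_authorization_header("alice", "S3cret!")))
```

A wrong password or an unknown account yields 401, and feeding the same response to the server a second time also yields 401 because the challenge was consumed; the Basic header, by contrast, gives up the password to anyone who can read the request.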
How to use
- HTTP server
The remote Web server must be configured to require Challenge/response authentication for the protected resources. See the IIS documentation on how to protect documents and scripts.
- ShotIp component
Whether challenge/response authentication is available is controlled by the shotip.ini file located in the Windows root directory.
This file is read once, when the component starts, so if you change it for server applications such as ASP, you must
restart the affected application before the change takes effect. The Challenge_response value in the [Main] section sets the status
of challenge/response support:
[Main]
Challenge_response=[0|1|3]
If this value cannot be retrieved (for example, the file or the key is missing), the default value is 0. The defined values are described below.
Configuration values for shotip.ini
| Value | Meaning |
| 0 | Challenge/response is not supported. ShotIp sends no credentials and does not answer an authentication challenge from the server. |
| 1 | Challenge/response is supported, but ShotIp sends only the credentials of the user account of the current process. Explicit NT login/password pairs and domain names cannot be used. |
| 3 | Challenge/response is supported. In addition to the credentials of the current process, ShotIp can authenticate with an explicit NT login/password pair and domain name that you supply (see below for details). |
Authentication using an NT account other than the current process account
The HttpConnection object of ShotIp has three properties for this: NTUser, NTPassword and NTDomain. Set all of them, or the ones the
server requires, to values that are valid on the server system; the credentials of that user are then used instead of those of the current process.
Note that although the password text is assigned directly to the property, the password is not sent over the network, in accordance
with the challenge/response scheme: only the response computed from the hashed password and the server's challenge is transmitted.
The Challenge_response value in the shotip.ini file must be set to 3 for these properties to take effect. Because the password sits in clear text in the script or program that sets the property, protect that source (for example, the ASP file) as you would any other stored credential, and enable value 3 only on machines that need it.
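An added example, not ShotIp code, that reads shotip.ini the way this page describes and decides which credentials a ShotIp HttpConnection would present. It applies the documented rules: a value that cannot be retrieved defaults to 0, only 0, 1 and 3 are defined, and NTUser/NTPassword/NTDomain take effect only under 3. The file path derived from SystemRoot, the helper names, and the choice to raise an error for an undocumented value or for explicit credentials under value 1 (the page only says they cannot be used) are this example's own assumptions.

```python
import configparser
import os

# Added example (not ShotIp's own code). The path below and the decision to
# raise on misconfiguration are assumptions made for this example.

VALID_MODES = {0, 1, 3}   # the only Challenge_response values the page documents

def read_challenge_response_mode(ini_text: str) -> int:
    """Return [Main] Challenge_response from ini text; 0 when it cannot be retrieved."""
    cp = configparser.ConfigParser()
    try:
        cp.read_string(ini_text)
        value = int(cp.get("Main", "Challenge_response"))
    except (configparser.Error, ValueError):
        # Missing section, missing key, duplicate keys or a non-numeric value:
        # the page's rule is that the default is then zero.
        return 0
    if value not in VALID_MODES:
        # Assumption: an undocumented value is a misconfiguration worth surfacing.
        raise ValueError(f"undocumented Challenge_response value {value}")
    return value

def load_mode_from_windows_root() -> int:
    """Read the real file from the Windows root directory (assumed: %SystemRoot%)."""
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "shotip.ini")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return read_challenge_response_mode(fh.read())
    except OSError:
        return 0   # file absent or unreadable: value cannot be retrieved

def resolve_credentials(mode: int, nt_user: str = "", nt_password: str = "",
                        nt_domain: str = "") -> str:
    """Which credentials the connection presents: 'none', 'process' or 'explicit'."""
    explicit = bool(nt_user or nt_password or nt_domain)
    if mode == 0:
        return "none"                # no credentials sent, challenge not answered
    if mode == 1:
        if explicit:
            # Assumption: fail loudly rather than silently fall back to the
            # process account, so a script author notices the missing mode 3.
            raise ValueError("NTUser/NTPassword/NTDomain require Challenge_response=3")
        return "process"
    if mode == 3:
        return "explicit" if explicit else "process"
    raise ValueError(f"undocumented Challenge_response value {mode}")

if __name__ == "__main__":
    # Constructed ini contents standing in for C:\Windows\shotip.ini.
    sample_ini = "[Main]\nChallenge_response=3\n"
    mode = read_challenge_response_mode(sample_ini)
    print(mode, resolve_credentials(mode, nt_user="alice", nt_password="x", nt_domain="CORP"))
    print(read_challenge_response_mode("[Main]\nOther=1\n"), resolve_credentials(0))
```

Run read_challenge_response_mode against the exact text of the file you deploy; an application such as ASP reads it only at startup, so this is also a quick way to confirm what the restarted process will see.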