I'm trying to implement custom basic authentication similar to this, and one thing that confuses me is the concept of a realm. For example, at one point my module inserts a magic string into the reply:
using System;
using System.Web;

// Sends the 401 challenge that tells the client which scheme and realm to authenticate for.
void ReplyWithAuthHeader()
{
    HttpContext currentContext = HttpContext.Current;
    currentContext.Response.StatusCode = 401;
    currentContext.Response.AddHeader( "WWW-Authenticate",
        String.Format("Basic realm=\"{0}\"", "myname.mycompany.com"));
}
The site is assigned an SSL certificate created with the makecert utility and "issued" to "myname.mycompany.com". The caller creates a request:
using System;
using System.Net;

HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create( serverUrl );
// Register Basic credentials for this URL so the client can answer the 401 challenge.
CredentialCache cache = new CredentialCache();
cache.Add( new Uri( serverUrl ), "Basic", new NetworkCredential( "UserName", "password" ) );
request.Credentials = cache;
where serverUrl starts with https://, and when the request is processed by the server and the server sends the "WWW-Authenticate" reply, an exception is thrown on the client side with the text "Unable to write data to the transport connection: An established connection was aborted by the software in your host machine."
So clearly there's something wrong at the SSL negotiation level and I can't figure out what it is. I guess it could be something to do with the realm.
My question is - what is a realm and how is it related to the name of the party to which an SSL certificate was issued when a connection is made over SSL?
To answer your question "what is a realm?", some copy-paste from RFC 2617:
The realm directive (case-insensitive) is required for all authentication schemes that issue a challenge. The realm value (case-sensitive), in combination with the canonical root URL (the absoluteURI for the server whose abs_path is empty; see section 5.1.2 of [2]) of the server being accessed, defines the protection space. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database. The realm value is a string, generally assigned by the origin server, which may have additional semantics specific to the authentication scheme. Note that there may be multiple challenges with the same auth-scheme but different realms.
As to your question how it is related to your SSL certificate: it isn't. The easiest way I can think of to figure out what's going wrong, is simply by accessing the URL in your browser. You should get a pretty clear description of the problem (hostname doesn't match the certificate, untrusted CA, expired, etc.).
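To make the RFC's "protection space" concrete, here is an added example (not code from the question or the answer above) that walks the poster's exchange in plain Python: the server issues the Basic challenge with a realm, the client parses the challenge, keys its credentials by canonical root URL plus realm, and retries with an Authorization header. The server URL, the realm-keyed cache and the demo() flow are assumptions for illustration; in particular the cache shows the RFC concept only and is not how .NET's CredentialCache selects credentials (that class matches on URI prefix and authentication type, not realm).

```python
import base64
import hmac
import re
from urllib.parse import urlsplit

# auth-param list after the scheme name: name=token or name="quoted-string" (RFC 2617 s.1.2)
_AUTH_PARAM = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_basic_challenge(www_authenticate):
    """Return the realm carried by a Basic challenge; realm is mandatory and case-sensitive."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "basic":  # the scheme name itself is case-insensitive
        raise ValueError("not a Basic challenge: %r" % www_authenticate)
    found = {}
    for m in _AUTH_PARAM.finditer(params):
        name, quoted, token = m.group(1).lower(), m.group(2), m.group(3)
        found[name] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else token
    if "realm" not in found:
        raise ValueError("challenge has no realm directive")
    return found["realm"]


def canonical_root_url(url):
    """scheme://host:port with an empty path: the other half of the protection space."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or (443 if scheme == "https" else 80)
    return "%s://%s:%d" % (scheme, p.hostname.lower(), port)


def protection_space(url, realm):
    """Key under which a client remembers which credentials a server accepted."""
    return (canonical_root_url(url), realm)


class RealmCredentialCache:
    """Assumed helper: credentials keyed by protection space, illustrating RFC 2617 only."""

    def __init__(self):
        self._creds = {}

    def add(self, url, realm, username, password):
        self._creds[protection_space(url, realm)] = (username, password)

    def lookup(self, url, realm):
        return self._creds.get(protection_space(url, realm))


def basic_authorization(username, password):
    """Authorization value for Basic: base64(user ':' password). Encoding, not encryption."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def respond_to_challenge(cache, request_url, www_authenticate):
    """Client side: credentials for the challenged protection space, or None if we have none."""
    realm = parse_basic_challenge(www_authenticate)
    creds = cache.lookup(request_url, realm)
    return basic_authorization(*creds) if creds else None


def server_reply(authorization, realm, expected_user, expected_password):
    """Server side, like ReplyWithAuthHeader: 200 on good credentials, else 401 plus challenge."""
    scheme, _, token = (authorization or "").strip().partition(" ")
    if scheme.lower() == "basic":
        try:
            raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            raw = ""  # malformed token: treat as no credentials
        user, _, password = raw.partition(":")
        # constant-time comparisons; '&' rather than 'and' so both always run
        ok = hmac.compare_digest(user.encode(), expected_user.encode()) & \
             hmac.compare_digest(password.encode(), expected_password.encode())
        if ok:
            return 200, {}
    escaped = realm.replace("\\", "\\\\").replace('"', '\\"')  # quoted-string escaping
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % escaped}


def demo():
    """Assumed walk-through of the poster's exchange; returns the status of each round trip."""
    server_url = "https://myname.mycompany.com/service/"  # assumed URL
    realm = "myname.mycompany.com"  # a label only; TLS never sees or checks it
    cache = RealmCredentialCache()
    cache.add(server_url, realm, "UserName", "password")
    first_status, headers = server_reply(None, realm, "UserName", "password")
    auth = respond_to_challenge(cache, server_url, headers["WWW-Authenticate"])
    second_status, _ = server_reply(auth, realm, "UserName", "password")
    return [first_status, second_status]


if __name__ == "__main__":
    print(demo())
```

Change the realm in demo() to any string you like and the exchange still completes; nothing in the TLS handshake depends on it, which is why a certificate or hostname problem has to be diagnosed separately (the browser check suggested above). Note also that the realm is only as trustworthy as the transport, since the password itself goes across base64-encoded and otherwise unprotected.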