My fundamental question
After a COTS software upgrade, our Microsoft IIS 7.5 web server starts to unexpectedly request Basic authentication (a popup dialog box with user name and password fields) instead of the CAC SmartCard client authentication that we have configured. However, looking in all the standard places that we know to look, Basic authentication is not enabled, the same as on a working development server. Are there other places or methods which enable Basic authentication and which can override our set authentication schemes?
Detail
Windows 2008 Server - US Government STIGed
IIS 7.5
COTS = Serena Business Manager
We're running a COTS web application, Serena Business Manager, which we've set up to request a CAC SmartCard from the end user for authentication (client authentication). Each of our users has a SmartCard reader and the associated reader software installed at their workstation. This has been working fine for years.
Yesterday we attempted to upgrade our production COTS application from version 10.1.4.1 to 10.1.5.2. When a test user attempted to log in after the upgrade was completed, we got an unexpected popup dialog box with the title "Authentication Required" and a request for username and password. This happens before the server has a chance to request a CAC SmartCard and its PIN.
When I used Google Chrome browser's Developer Tools Network tab, I saw that among the server's request headers was:
WWW-Authenticate: Basic realm="TeamTrack"
TeamTrack is the original name for the COTS product. This leads me to believe that the popup auth dialog is the Microsoft IIS web server requesting "Basic" authentication.
We had to roll back the web and associated database upgrade changes.
On our development server we had previously performed this COTS upgrade successfully, with no user name/password auth request. The CAC SmartCard client auth works properly.
Why didn't we see this same failure when we upgraded our dev or test servers, you ask? Sadly our dev and test VMs are in a different hosting facility than our government hosted and managed production VM. We are not permitted to clone/duplicate a staging VM onto prod, so our prod VM does not exactly match them. We try to match configuration as best we can.
During the production upgrade process we looked for as many places that we could find for authentication settings. We found that each setting matched the development server.
On the development server I can re-create the popup user name/password dialog box behavior by disabling Anonymous authentication and enabling Basic authentication, like so:
1. Open IIS Manager and navigate to the level to be authenticated.
2. In Features Name list, double-click Authentication.
3. On the Authentication page, select Anonymous Authentication.
4. In the Actions pane, click Disable to disable Anonymous authentication.
5. On the Authentication page, select Basic Authentication.
6. In the Actions pane, click Enable to use Basic authentication with the default settings.
All the other authentication schemes in the list are Disabled.
Successful Settings
The settings which are in place for successful CAC SmartCard authentication:
A. IIS Manager > SSL Settings: Require SSL is checked. Under Client certificates, the Require radio button is selected. (These are both set so that the CAC SmartCard will be requested.)
B. IIS Manager > Authentication: Anonymous auth is enabled, all other schemes disabled.
C. In the "bin" directory of the COTS software, in the Web.config XML file this is set: <authentication mode="Windows" />
D. In the COTS software fedsvr-core-config.xml settings file, this is set:
<parameter name="AllowedPrincipalAuthenticationTypes" Type="xsd:string">CLIENT_CERT</parameter>
(BTW, in order to achieve client auth, the COTS app employs a Single Sign-On solution, which means there are multiple request and response exchanges going on between client and server before the client is authenticated.)
The COTS manufacturer support has not provided substantive help on this issue.
My fundamental question again: Are there other Windows or IIS settings or methods which can enable Basic authentication so as to override the Anonymous authentication and/or client cert required authentication? Or, how might the COTS product change/override the auth settings while leaving the above list of settings as they are?
Thanks for whatever guidance you can provide.
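The question above asks where, beyond the IIS Manager Authentication page, a site can pick up a Basic challenge. The PowerShell script below is an added example (not part of the original post, and not the COTS vendor's code) that dumps every such place on an IIS 7.x server so the production and development boxes can be diffed line by line: the effective authentication and SSL settings at the site and each application (which already folds in inheritance and location tags), raw `<location>` blocks in applicationHost.config that scope settings to plain folders the IIS: drive never lists, every web.config under the site's physical paths, native and managed modules, ISAPI filters and script-mapped handlers from outside inetsrv (any of which can emit its own `WWW-Authenticate` header regardless of which IIS authentication features are enabled), and finally one unauthenticated GET to show which status and challenge the server actually returns. The site name and entry URL are assumptions to adjust; it needs the WebAdministration module and an elevated prompt.

```powershell
# Added audit script (example code, not from the original post and not from
# the COTS vendor): list every place an IIS 7.x site can pick up Basic
# authentication or lose its client-certificate requirement, so the output can
# be diffed between the production and development servers.
# Assumptions: WebAdministration module present, elevated prompt, and the
# site name / entry URL below adjusted to the server being audited.
Import-Module WebAdministration

$siteName = 'Default Web Site'             # assumption: site hosting the COTS app
$probeUrl = 'https://localhost/tmtrack/'   # assumption: entry URL of the COTS app

function Get-IisAuthSettings([string]$site) {
    # Effective settings at the site and at every application beneath it.
    # Get-WebConfiguration resolves inheritance and <location> tags per path.
    $paths = @("IIS:\Sites\$site")
    Get-WebApplication -Site $site | ForEach-Object {
        $paths += "IIS:\Sites\$site" + $_.path.Replace('/', '\')
    }
    foreach ($p in $paths) {
        $auth  = 'system.webServer/security/authentication/'
        $basic = Get-WebConfiguration -PSPath $p -Filter ($auth + 'basicAuthentication')
        $anon  = Get-WebConfiguration -PSPath $p -Filter ($auth + 'anonymousAuthentication')
        $win   = Get-WebConfiguration -PSPath $p -Filter ($auth + 'windowsAuthentication')
        $ssl   = Get-WebConfiguration -PSPath $p -Filter 'system.webServer/security/access'
        New-Object PSObject -Property @{
            Path = $p; Anonymous = $anon.enabled; Basic = $basic.enabled
            BasicRealm = $basic.realm; Windows = $win.enabled; SslFlags = $ssl.sslFlags
        }
    }
}

function Get-LocationOverrides {
    # <location> blocks in applicationHost.config can scope authentication to a
    # folder that is not an application, which the path list above never visits.
    [xml]$cfg = Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config"
    foreach ($loc in $cfg.configuration.location) {
        if ($loc.InnerXml -match 'authentication|security/access|sslFlags') {
            "location path='$($loc.path)' overrideMode='$($loc.overrideMode)'"
            $loc.InnerXml
        }
    }
}

function Get-WebConfigHits([string]$site) {
    # Every web.config under the site's physical paths is merged into the
    # effective configuration; a product upgrade can drop in a new one.
    $roots = @((Get-Website -Name $site).physicalPath)
    Get-WebApplication -Site $site | ForEach-Object { $roots += $_.PhysicalPath }
    foreach ($root in ($roots | Select-Object -Unique)) {
        $root = [Environment]::ExpandEnvironmentVariables($root)   # %SystemDrive% etc.
        Get-ChildItem -Path $root -Recurse -Filter web.config -ErrorAction SilentlyContinue |
            Select-String -Pattern 'basicAuthentication|anonymousAuthentication|<authentication\s|sslFlags|<location' |
            ForEach-Object { "$($_.Path):$($_.LineNumber): $($_.Line.Trim())" }
    }
}

function Get-ThirdPartyComponents([string]$site) {
    # Native/managed modules, ISAPI filters and script-mapped handlers from
    # outside inetsrv can write their own WWW-Authenticate header no matter
    # which authentication features IIS Manager shows as enabled.
    Get-WebConfiguration -PSPath 'IIS:\' -Filter 'system.webServer/globalModules/add' |
        Where-Object { $_.image -notmatch '\\inetsrv\\' } |
        ForEach-Object { "globalModule $($_.name) -> $($_.image)" }
    Get-WebConfiguration -PSPath "IIS:\Sites\$site" -Filter 'system.webServer/modules/add' -Recurse |
        Where-Object { $_.type -and $_.type -notmatch '^System\.' } |
        ForEach-Object { "managedModule $($_.name) -> $($_.type)" }
    Get-WebConfiguration -PSPath "IIS:\Sites\$site" -Filter 'system.webServer/isapiFilters/filter' |
        ForEach-Object { "isapiFilter $($_.name) -> $($_.path)" }
    Get-WebConfiguration -PSPath "IIS:\Sites\$site" -Filter 'system.webServer/handlers/add' -Recurse |
        Where-Object { $_.scriptProcessor } |
        ForEach-Object { "handler $($_.name) path=$($_.path) -> $($_.scriptProcessor)" }
}

function Get-WwwAuthenticateHeader([string]$url) {
    # One GET with no credentials and no client certificate. When SSL Settings
    # require a client certificate and none is presented, IIS normally answers
    # 403 (403.7); a 401 carrying "WWW-Authenticate: Basic" means something
    # later in the pipeline produced the challenge. The URL must match the
    # server certificate, otherwise the TLS handshake fails with no response.
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.AllowAutoRedirect = $false
    try   { $resp = $req.GetResponse() }
    catch [System.Net.WebException] { $resp = $_.Exception.Response }
    if ($resp -eq $null) { return "no HTTP response from $url" }
    $line = "HTTP $([int]$resp.StatusCode) Server=$($resp.Headers['Server']) " +
            "WWW-Authenticate=$($resp.Headers['WWW-Authenticate'])"
    $resp.Close()
    $line
}

'== effective authentication per path =='
Get-IisAuthSettings $siteName | Format-Table -AutoSize Path, Anonymous, Basic, BasicRealm, Windows, SslFlags
'== <location> overrides in applicationHost.config =='
Get-LocationOverrides
'== web.config hits under the site =='
Get-WebConfigHits $siteName
'== non-Microsoft modules / ISAPI filters / handlers =='
Get-ThirdPartyComponents $siteName
'== unauthenticated probe =='
Get-WwwAuthenticateHeader $probeUrl
```

Run it on both servers, redirect each run to a file and compare the two: the `BasicRealm` column shows what value IIS's own Basic module would put in the `realm=` of its challenge at each path, the `<location>` and web.config sections show settings that never appear on the IIS Manager page for the site node, and the components section is where a product-specific filter or handler that answers with its own challenge would show up.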