Allow only url forwarding source IP

I want to use an application which enables 2-factor authentication on IIS websites, i.e. (http://www.phonefactor.net). Unfortunately I'm already using a portal application which does not run on IIS but am interested in protecting it via PhoneFactor. So far I'm able to do a workaround to apply 2-factor auth by creating a dummy virtual website in IIS 6.0 and enabling URL forwarding to my portal app after getting successful 2-factor authentication. For example: my virtual website in IIS is (http://portal.mycompany.com), which is used by every client and is protected by phonefactor.net auth; once auth is done, the URL forwards to my main portal, i.e. "http://newportal.mycompany.com". This setup works fine. The only problem is if any client directly types "http://newportal.mycompany.com", then he will bypass the 2-factor auth, which is only applicable on the virtual website link. That in fact creates a kind of back door in authentication.

I've tried my best to sketch the scenario of this complex issue. I will be highly grateful if anybody can help or has any idea on how to restrict this loophole by not allowing users to directly load the portal website without getting auth.

Thnx

On Oct 2, 6:10 pm, kazi <k***@discussions.microsoft.com> wrote:
> I want to use an application which enables 2-factor authentication on IIS
> websites, i.e. (http://www.phonefactor.net). Unfortunately I'm already using a
> portal application which does not run on IIS but am interested in protecting it via
> PhoneFactor. So far I'm able to do a workaround to apply 2-factor auth by
> creating a dummy virtual website in IIS 6.0 and enabling URL forwarding to my
> portal app after getting successful 2-factor authentication. For example: my
> virtual website in IIS is (http://portal.mycompany.com), which is used by
> every client and is protected by phonefactor.net auth; once auth is done,
> the URL forwards to my main portal, i.e. "http://newportal.mycompany.com". This
> setup works fine. The only problem is if any client directly types
> "http://newportal.mycompany.com", then he will bypass the 2-factor auth, which
> is only applicable on the virtual website link. That in fact creates a kind of
> back door in authentication.
>
> I've tried my best to sketch the scenario of this complex issue. I will be
> highly grateful if anybody can help or has any idea on how to restrict this
> loophole by not allowing users to directly load the portal website without
> getting auth.
>
> Thnx

Can you help me understand something.

IIS is already redirecting to newportal.mycompany.com after 2-factor authentication completes on portal.mycompany.com. It seems the problem is that newportal.mycompany.com is unable to restrict access to users that have authenticated at portal.mycompany.com. That's the security backdoor you are concerned about (actually, I consider this a flaw in your custom authentication protocol of using two websites, not a security backdoor or loophole of any existing application). And since newportal.mycompany.com is not running on IIS, how does this have anything to do with IIS? You will need to find a way to install your 2-factor security software onto newportal.mycompany.com.

I do not see how "allow only URL forwarding source" solves your issue because the source has nothing to do with security. What you need is for portal.mycompany.com to send back an unforgeable token to the client, which presents the token to newportal.mycompany.com as proof of authentication. Anything weaker than that will become a loophole. And that requires custom software on newportal.mycompany.com (not an IIS related issue) and custom software for 2-factor authentication to return a token (not an IIS related issue). I guess I'm just confused on why your issue has anything to do with IIS or security.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
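The token handoff David describes, as an added example that is not from the thread, from IIS or from PhoneFactor: portal.mycompany.com mints an HMAC-signed, short-lived token once 2-factor auth has succeeded, and newportal.mycompany.com admits a request only when the token verifies under the shared secret, is within its lifetime and has not been presented before; where the request came from is never consulted. The shared secret, the token format and the 60-second lifetime are assumptions.

```python
import base64, binascii, hashlib, hmac, secrets, time

# Constructed secret: provisioned out of band to both sites, never sent to the client.
SHARED_SECRET = b"constructed-demo-secret-replace-in-deployment"
TOKEN_TTL_SECONDS = 60  # assumed lifetime: enough for one redirect hop

def issue_token(username, issued_at=None, secret=SHARED_SECRET):
    """portal.mycompany.com: called only after 2-factor auth has succeeded.
    payload = user|issue-time|nonce, tag = HMAC-SHA256(secret, payload);
    without the secret the client cannot produce a tag that verifies."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    payload = f"{username}|{issued_at}|{secrets.token_hex(8)}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())

def verify_token(token, now=None, secret=SHARED_SECRET):
    """newportal.mycompany.com: return the username if the tag is genuine and
    the token is inside its lifetime, otherwise None. Referer and source IP
    are deliberately not consulted: they are not proof of authentication."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed: wrong number of parts or bad base64
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    username, issued_at, _nonce = payload.decode().split("|")
    age = now - int(issued_at)
    if age < 0 or age > TOKEN_TTL_SECONDS:
        return None  # expired, or issued "in the future"
    return username

def newportal_request(token, now=None, seen=None):
    """Gate in front of newportal: a direct visit (no token), a forged or
    expired token, or a replayed one is bounced back to portal.mycompany.com;
    a valid token is honoured exactly once."""
    seen = set() if seen is None else seen
    user = verify_token(token, now) if token else None
    if user is None or token in seen:
        return 302, "http://portal.mycompany.com/"
    seen.add(token)
    return 200, f"welcome {user}"
```

The `seen` set stands in for whatever store newportal keeps across requests; in a multi-instance deployment it needs to be shared, or the nonce check becomes per-node.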