FIX: PassportIdentity Does Not Require Secure PIN When Security-Enhanced Authentication Is Requested

This article was previously published under Q327132
This article has been archived. It is offered "as is" and will no longer be updated.
When you use Passport authentication in Microsoft ASP.NET, you may experience the following problems:
  • The iUseSecureAuth parameter is ignored, and users are not prompted for a personal identification number (PIN) when you set the iUseSecureAuth parameter to 100 and when you call the following methods:
    • PassportIdentity.AuthUrl
    • PassportIdentity.LogoTag
    • PassportIdentity.LoginUser
  • The PassportIdentity class does not distinguish between Tweener-capable clients (such as Microsoft Internet Explorer 6) and non-Tweener-capable clients (that is, clients that do not understand the Microsoft Passport 1.4 protocol). When the client sends a Passport authentication request, the server always responds with a 302 response status. However, the server should respond with a 401 response status to Tweener-capable clients to add an extra layer of security.
This problem occurs because the PassportIdentity.AuthUrl, the PassportIdentity.LogoTag, and the PassportIdentity.LoginUser methods ignore the iUseSecureAuth = 100 parameter and use a security level of 10, which does not require a PIN.
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem. This fix may receive additional testing. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Microsoft .NET Framework service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The typical support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

NOTE: This hotfix was recently updated. If you downloaded the hotfix before August 29, 2002, and if you receive the following error message
NullReferenceException: Object reference not set to an instance of an object
contact Microsoft Product Support Services to obtain the updated version that resolves this problem.

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version         Size      File Name   --------------------------------------------------------------   31-Jul-2002  09:39  1.0.3705.299     192,512  Aspnet_isapi.dll     31-Jul-2002  09:33                    19,332  Aspnet_perf.ini   31-Jul-2002  09:39  1.0.3705.299      24,576  Aspnet_regiis.exe     31-Jul-2002  09:39  1.0.3705.299      28,672  Aspnet_wp.exe       18-Jul-2002  05:49                     8,755  Smartnav.js   21-Mar-2002  04:31                     7,003  Smartnavie5.js   31-Jul-2002  19:27  1.0.3705.299   1,187,840  System.web.dll   				

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Article ID: 327132 - Last Review: 10/26/2013 17:24:32 - Revision: 3.4

Microsoft ASP.NET 1.0

  • kbnosurvey kbarchive kbhotfixserver kbqfe kbbug kbfix kbnetframe100presp3fix kbqfe KB327132