FIX: PassportIdentity Does Not Require Secure PIN When Security-Enhanced Authentication Is Requested
This article was previously published under Q327132
This article has been archived. It is offered "as is" and will no longer be updated.
When you use Passport authentication in Microsoft ASP.NET, you may experience the following problems:
- The iUseSecureAuth parameter is ignored, and users are not prompted for a personal identification number (PIN) when you set the iUseSecureAuth parameter to 100 and when you call the following methods:
- The PassportIdentity class does not distinguish between Tweener-capable clients (such as Microsoft Internet Explorer 6) and non-Tweener-capable clients (that is, clients that do not understand the Microsoft Passport 1.4 protocol). When the client sends a Passport authentication request, the server always responds with a 302 response status. However, the server should respond with a 401 response status to Tweener-capable clients to add an extra layer of security.
This problem occurs because the PassportIdentity.AuthUrl, the PassportIdentity.LogoTag, and the PassportIdentity.LoginUser methods ignore the iUseSecureAuth = 100 parameter and use a security level of 10, which does not require a PIN.
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem. This fix may receive additional testing. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Microsoft .NET Framework service pack that contains this fix.
To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The typical support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
NOTE: This hotfix was recently updated. If you downloaded the hotfix before August 29, 2002, and if you receive the following error message
NullReferenceException: Object reference not set to an instance of an objectcontact Microsoft Product Support Services to obtain the updated version that resolves this problem.
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date Time Version Size File Name -------------------------------------------------------------- 31-Jul-2002 09:39 1.0.3705.299 192,512 Aspnet_isapi.dll 31-Jul-2002 09:33 19,332 Aspnet_perf.ini 31-Jul-2002 09:39 1.0.3705.299 24,576 Aspnet_regiis.exe 31-Jul-2002 09:39 1.0.3705.299 28,672 Aspnet_wp.exe 18-Jul-2002 05:49 8,755 Smartnav.js 21-Mar-2002 04:31 7,003 Smartnavie5.js 31-Jul-2002 19:27 1.0.3705.299 1,187,840 System.web.dll
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
Article ID: 327132 - Last Review: 10/26/2013 17:24:32 - Revision: 3.4
Microsoft ASP.NET 1.0
- kbnosurvey kbarchive kbhotfixserver kbqfe kbbug kbfix kbnetframe100presp3fix kbqfe KB327132