|
|
You're in the
iis security
group:Kerberos, SETSPN, GET & POST
iis security:
Had been having a peculiar problem, where every request to the Web server would give an 401 error, despite using HTTP/1.1 and the same socket. Discovered that having an application pool, I would have to register it with SETSPN. And so I did. The 401 errors did go away, but a stranger problem surfaced. Now, and in the same socket, the GET requests give 200 OK, but the POST requests give 401's. When the POST is made, authorization information is given, but only regarding the workstation, and it gives back the 401. The next POST, with the correct user authorization, gets 200 OK. Every single POST gives an error first. I've tried several configurations at the browser, but with no success. Even tried IE6 & IE7. No success. Using IIS6 & IE, on XP. Is this a browser user, or maybe it be an AD problem?
Hi,
The behaviour indicates that the browser is using NTLM authentication, not Kerberos authentication You can verify this by looking in the Windows Security Event Log: http://www.adopenstatic.com/cs/blogs/ken/archive/2006/08/02/Two-easy-_2800_easier_3F002900_-ways-to-determine-Kerberos-from-NTLM-in-a-HTTP-capture.aspx When using NTLM authentication and the browser is making a POST request, it pre-emptively sends a Type 2 authentication message (without the POSTed data). The server responds with a 401, and the browser sends a Type 3 request *with* the POSTed data.This is to avoid the sitution where a user's credentials might be potenitally invalid, and all this data is being POSTed across the wire. I would remove the SPN you registered, since that isn't having any effect. This shows how to configure Kerberos in a simple AuthN situation: http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx Cheers Ken [quoted text, click to view] <raymond_b_jimenez@yahoo.com> wrote in message
news:f6b20dfc-0458-48c3-adab-760395c2768b@t1g2000pra.googlegroups.com... >I have a web application that uses Integrated Windows Authentication. > Had been having a peculiar problem, where every request to the Web > server would give an 401 error, despite using HTTP/1.1 and the same > socket. > Discovered that having an application pool, I would have to register > it with SETSPN. And so I did. The 401 errors did go away, but a > stranger problem surfaced. > Now, and in the same socket, the GET requests give 200 OK, but the > POST requests give 401's. When the POST is made, authorization > information is given, but only regarding the workstation, and it gives > back the 401. The next POST, with the correct user authorization, gets > 200 OK. Every single POST gives an error first. > I've tried several configurations at the browser, but with no success. > Even tried IE6 & IE7. No success. Using IIS6 & IE, on XP. > Is this a browser user, or maybe it be an AD problem? > rj
The browser is using Kerberos and I have checked it through both
Wireshark and Event Log. I had set the SPN because all GET & POSTs were giving 401s. Now, the 401s have disappeared for the GETs. Now, what is strange is that the socket is working OK, only with the initial 401. But when a POST is made, the 401s reappear and the authorization has to be made again and again.
Are you using .net 1.1 or 2.0? Are you using a service account? is so have a
Can you please post your network captures? I'd like to see what is happening
on the wire. A pattern of POST 401 Domain\User <but no POST data> POST 200 Domain\User <with POST data> indicates that NTLM is being used, not Kerberos. Thanks Cheers Ken [quoted text, click to view] <raymond_b_jimenez@yahoo.com> wrote in message
news:8bb44f16-9d50-4317-b66d-99ccd2586c5d@p69g2000hsa.googlegroups.com... > The browser is using Kerberos and I have checked it through both > Wireshark and Event Log. > I had set the SPN because all GET & POSTs were giving 401s. Now, the > 401s have disappeared for the GETs. > Now, what is strange is that the socket is working OK, only with the > initial 401. But when a POST is made, the 401s reappear and the > authorization has to be made again and again. > rj
I can confirm it's NTLM. I had an idea that it was Kerberos, but the
Kerberos request is generating an error, and NTLM is therefor being used. Now, with Kerberos I get one 401 error per GET request, because the credentials being given are the application pool user, not the user using the application. POST's do go through, though. If I set the SPNs, GET's only give the initial 401's (some strange 401's appear sometimes), and the next requests are OK, with no authentication overhead. POST's give a 401 error, because the credentials being given are the machine ones. Either way, a lot of traffic is going on, and it shouldn't be. Unfortunetaly, I cannot post the network captures. Has anybody seen this type of behavior?
NTLM does not use SPNs. So setting SPNs should have no effect whatsoever.
You say you get "strange" 401s, but you don't tell us what's "strange" about these 401s You say you get 401s because 'credentials being given are the application pool user'. What credentials are being given by what to who? The user's browser never sends app pool user credentials. You were certain that Kerberos was being used, but now you say that NTLM is being used. It seems to me that you aren't really sure what you are looking at, and you don't (or can't) provide accurate details on what you are seeing. You also appear to be somewhat confused about the use of SPNs. Now, based on your rather vague description, I have posted what I /think/ is happening earlier in the thread (the behaviour seems to be what you would see with NTLM authN), and why you are seeing what you are seeing. Unless and until you can provide some actual *detailed* information about what you are seeing, I don't think anyone else can help you much - the information provided is simply too vague to provide any level of detail. Cheers Ken [quoted text, click to view] <raymond_b_jimenez@yahoo.com> wrote in message
news:53f5283e-4590-49fc-9ce0-f54d98465110@i29g2000prf.googlegroups.com... >I can confirm it's NTLM. I had an idea that it was Kerberos, but the > Kerberos request is generating an error, and NTLM is therefor being > used. > Now, with Kerberos I get one 401 error per GET request, because the > credentials being given are the application pool user, not the user > using the application. POST's do go through, though. > If I set the SPNs, GET's only give the initial 401's (some strange > 401's appear sometimes), and the next requests are OK, with no > authentication overhead. POST's give a 401 error, because the > credentials being given are the machine ones. > > Either way, a lot of traffic is going on, and it shouldn't be. > Unfortunetaly, I cannot post the network captures. > > Has anybody seen this type of behavior? > > rj
[quoted text, click to view]
> It seems to me that you aren't really sure what you are looking at, and you I'm really sure what I'm looking at:> don't (or can't) provide accurate details on what you are seeing. You also > appear to be somewhat confused about the use of SPNs. > Cheers > Ken 1-Using Kerberos, I get a 401 error for each GET request. 2-Using SETSPN, the 401's go away for the GET requests, but happen for POST requests. This happens because the Kerberos request fails and IE seems to revert to NTLM. Option 2 is better, but since the application has a lot of POSTs, there is still to many overhead. The strange 401's I've referred to are related to 401's that happen on different objects on different occasions. If I repeat the test (deleting temporary files), the errors occur in different objects/ requests... Unfortunately, I cannot provide traffic captures, because of confidentiality issues. rj
[quoted text, click to view] <raymond_b_jimenez@yahoo.com> wrote in message news:cf95139d-ec91-40e3-94c8-a297658c7231@s19g2000prg.googlegroups.com... >> It seems to me that you aren't really sure what you are looking at, and >> you >> don't (or can't) provide accurate details on what you are seeing. You >> also >> appear to be somewhat confused about the use of SPNs. >> Cheers >> Ken > I'm really sure what I'm looking at: > 1-Using Kerberos, I get a 401 error for each GET request. > 2-Using SETSPN, the 401's go away for the GET requests, but happen for > POST requests. This happens because the Kerberos request fails and IE > seems to revert to NTLM. There is no "fall back" mechanism for Kerberos -> NTLM The webserver presents a list of authN mechanisms and the client decides which to use. [quoted text, click to view] > Option 2 is better, but since the application has a lot of POSTs, > there is still to many overhead. > > The strange 401's I've referred to are related to 401's that happen on > different objects on different occasions. If I repeat the test > (deleting temporary files), the errors occur in different objects/ > requests... Unfortunately, I cannot provide traffic captures, because > of confidentiality issues. I would suggest that you contact PSS then. I have tried to explain how this should work, but your situation is obviously somewhat different. There is some other element within the mix that is changing the way your clients are behaving. But if you have confidentiality issues, then you should engage the services of a trusted party that is able to sign an NDA and who can then look at your configuratino to determine what is happening. Cheers Ken [quoted text, click to view] > rj
> >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |