Re: Problem establishing SSL connection in code-behind
Integrated Windows Authentication is the term in IIS used to mean Windows
Negotiate authentication over HTTP (usually). Negotiate authentication is a
protocol in Windows as of Win2K that "negotiates" between Kerberos
(preferred) and NTLM (down level compatibility). It is possible to
configure IIS to only advertise for NTLM, but the default is for it to
request Negotiate when IWA is selected.

You can see exactly what your server is requesting if you do the GET in
Wfetch with anonymous auth selected and then look at the content of the
WWW-Authenticate header returned in the 401 response from the server. If it
says "Negotiate" with some other Base64 gibberish, then you know it is using
the default.

Wfetch allows you to be more granular with which protocol will actually be
used, which is helpful for some troubleshooting.

It is possible that there is a problem with Kerberos auth and not NTLM,
which might cause you to see a 401 when Negotiate is attempted instead of
NTLM. Normally, there will be an error from Kerberos in the event log of
the web server, and there should also be a logon failure audit in the security
event log. Wfetch will sometimes return an error code as well that can be
helpful.

A common reason why you might get a Kerberos error is if the app pool
identity in IIS is running under an account other than Network Service or
System but you are using the default machine name for the host name in your
URI and the SPN in AD is still associated with the machine account. That
will usually result in a KERB_APP_ERR_MODIFIED error. If that is the
problem, there are a number of ways to fix it.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
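The check Joe describes (look at the WWW-Authenticate headers in the 401 to see whether the server advertises Negotiate or only NTLM) can be automated. The following is an added example, not code from the thread; it parses a constructed 401 response rather than talking to a live server, and additionally decodes any challenge token to tell whether a Negotiate exchange has already fallen back to NTLM (raw NTLMSSP) or still carries an SPNEGO wrapper that could complete with Kerberos.

```python
import base64
from typing import Dict, List, Optional

# Constructed sample: what an IIS site with default IWA sends back when the
# request carries no credentials (two separate WWW-Authenticate headers).
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/html\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed sample: a Negotiate challenge whose token is a raw NTLMSSP
# type-2 message, i.e. Negotiate has fallen back to NTLM (Kerberos not used).
_NTLM_TYPE2 = b"NTLMSSP\x00\x02\x00\x00\x00" + b"\x00" * 24
SAMPLE_NTLM_FALLBACK = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate "
    + base64.b64encode(_NTLM_TYPE2).decode("ascii")
    + "\r\nContent-Length: 0\r\n\r\n"
)

def parse_www_authenticate(raw_response: str) -> List[str]:
    """Return every WWW-Authenticate challenge from a raw HTTP response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    challenges: List[str] = []
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            # A header may list several schemes; base64 tokens never contain ','
            challenges.extend(v.strip() for v in value.split(",") if v.strip())
    return challenges

def classify_challenge(challenges: List[str]) -> Dict[str, object]:
    """Summarise what the server requests: schemes offered and, if a token is
    present, whether it is raw NTLMSSP or an SPNEGO (Kerberos-capable) blob."""
    schemes: List[str] = []
    token_kind: Optional[str] = None
    for challenge in challenges:
        scheme, _, token = challenge.partition(" ")
        schemes.append(scheme)
        if token:
            blob = base64.b64decode(token, validate=True)
            if blob.startswith(b"NTLMSSP\x00"):
                token_kind = "NTLMSSP"            # Negotiate fell back to NTLM
            elif blob[:1] in (b"\x60", b"\xa1"):
                token_kind = "SPNEGO"             # GSS-API/SPNEGO wrapper
            else:
                token_kind = "unknown"
    return {"schemes": schemes,
            "default_iwa": "Negotiate" in schemes,   # IIS default for IWA
            "ntlm_only": schemes == ["NTLM"],
            "token_kind": token_kind}
```

A token of kind "NTLMSSP" on a server that should be using Kerberos is the symptom to correlate with the SPN/app-pool mismatch and the event-log errors Joe mentions.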

OK, thank you. Are you suggesting that NTLM is different from
Integrated Windows Authentication? (The remote web site uses
Integrated Windows Authentication.) I thought they were the same, and that NTLM
was only old terminology.

I did try using Negotiate, and the result is different: it gives a
401 unauthorized message, and the "hola, amigo" webpage is not shown.
