Re: Problem establishing SSL connection in code-behind

On Jan 3, 7:45 pm, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Integrated Windows Authentication is the term in IIS used to mean Windows
Negotiate authentication over HTTP (usually). Negotiate authentication is a
protocol in Windows as of Win2K that "negotiates" between Kerberos
(preferred) and NTLM (down level compatibility). It is possible to
configure IIS to only advertise for NTLM, but the default is for it to
request Negotiate when IWA is selected.

You can see exactly what your server is requesting if you do the GET in
Wfetch with anonymous auth selected and then look at the content of the
WWW-Authenticate header returned in the 401 response from the server. If it
says "Negotiate" with some other Base64 gibberish, then you know it is using
the default.

Wfetch allows you to be more granular with which protocol will actually be
used, which is helpful for some troubleshooting.

It is possible that there is a problem with Kerberos auth and not NTLM,
which might cause you to see a 401 when Negotiate is attempted instead of
NTLM. Normally, there will be an error from Kerberos in the event log on
the web server, and there should also be a logon failure audit in the
security event log. Wfetch will sometimes return an error code as well that
can be helpful.

A common reason why you might get a Kerberos error is if the app pool
identity in IIS is running under an account other than Network Service or
System but you are using the default machine name for the host name in your
URI and the SPN in AD is still associated with the machine account. That
will usually result in a KERB_APP_ERR_MODIFIED error. If that is the
problem, there are a number of ways to fix it.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net
--

OK, I tried testing it again with wfetch using Negotiate, and it
works! No more unauthorized error message, and the requested hola
amigo page displays nicely as an html text.

But in my web application, I am still getting the 401 Unauthorized
error.
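The check Joe describes (do an anonymous GET, read the WWW-Authenticate header of the 401, and see whether it says Negotiate or NTLM and what the Base64 blob actually contains) can also be done offline on a captured response. The script below is an added example, not code from the thread or from Wfetch: it lists the schemes a 401 advertises, then decodes a `Negotiate ...` or `NTLM ...` header value and reports whether the token is raw NTLMSSP, SPNEGO wrapping NTLM, or SPNEGO wrapping a Kerberos AP-REQ. The 401 response and every token are constructed in the script with small DER builders (an IIS 6 server advertising both providers, a client NTLM Type 1, a client SPNEGO token with NTLM or Kerberos as the first mechanism, and a server NegTokenResp carrying an NTLM Type 2 challenge); the Kerberos AP-REQ is a stub with only the version number, enough to be recognised. The decoding assumes standard GSS-API/SPNEGO framing (RFC 2743 and RFC 4178).

```python
"""Decode IIS Integrated Windows Authentication challenges (added example, not from the thread).
advertised_schemes() lists a 401's WWW-Authenticate values; classify() decodes the Base64 blob of
a 'Negotiate ...' / 'NTLM ...' value and says whether it really carries Kerberos or NTLM.
Every response and token here is constructed with the DER builders below, not captured."""
import base64

SPNEGO, KRB5, NTLMSSP_OID = "1.3.6.1.5.5.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"
OID_NAMES = {SPNEGO: "SPNEGO", KRB5: "Kerberos", NTLMSSP_OID: "NTLMSSP"}
NTLMSSP_SIG = b"NTLMSSP\x00"

def advertised_schemes(response_text):
    """WWW-Authenticate values of a raw HTTP response, in the order the server sent them."""
    head = response_text.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[1].strip() for line in head.split("\r\n")[1:]
            if line.lower().startswith("www-authenticate:")]

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(b):
    """Decode OID contents: the first octet holds two arcs, the rest are base-128 arcs."""
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def walk(buf, oids, inner):
    """Collect every OID in a DER blob and note embedded NTLMSSP / Kerberos tokens."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        if tag == 0x06:
            oids.append(decode_oid(value))
        elif tag & 0x20:                               # constructed: SEQUENCE, [n], APPLICATION n
            walk(value, oids, inner)
        elif tag == 0x04 and value.startswith(NTLMSSP_SIG):   # mechToken / responseToken is NTLM
            inner.append("NTLMSSP")
        elif tag == 0x04 and value[:1] == b"\x60":     # nested GSS-API token (Kerberos AP-REQ)
            walk(value, oids, inner)

def classify(header_value):
    """Describe a WWW-Authenticate / Authorization value such as 'Negotiate YII...'."""
    scheme, _, blob = header_value.strip().partition(" ")
    if not blob:                                       # bare scheme: the server is only advertising
        return {"scheme": scheme, "wrapper": None, "offered": [], "mechanism": None}
    raw, oids, inner = base64.b64decode(blob), [], []
    if raw.startswith(NTLMSSP_SIG):                    # raw NTLMSSP with no GSS framing
        inner.append("NTLMSSP")
    elif raw[:1] in (b"\x60", b"\xa1"):                # GSS InitialContextToken / SPNEGO NegTokenResp
        walk(raw, oids, inner)
    mech = "NTLM" if inner else "Kerberos" if KRB5 in oids else "unknown"
    wrapper = "SPNEGO" if SPNEGO in oids or raw[:1] == b"\xa1" else "raw"
    offered = [OID_NAMES.get(o, o) for o in dict.fromkeys(oids) if o != SPNEGO]
    return {"scheme": scheme, "wrapper": wrapper, "offered": offered, "mechanism": mech}

def der(tag, content):                                 # DER builders: only used to make the samples
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + content

def encode_oid(text):
    arcs = [int(a) for a in text.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def spnego_init(mechs, mech_token):
    """Client NegTokenInit: mechTypes (first is the one mech_token belongs to) + mechToken."""
    mech_list = der(0x30, b"".join(der(0x06, encode_oid(m)) for m in mechs))
    body = der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token))
    return der(0x60, der(0x06, encode_oid(SPNEGO)) + der(0xA0, der(0x30, body)))

def spnego_resp(mech, response_token):
    """Server NegTokenResp: negState accept-incomplete, supportedMech, responseToken."""
    body = der(0xA0, der(0x0A, b"\x01")) + der(0xA1, der(0x06, encode_oid(mech)))
    return der(0xA1, der(0x30, body + der(0xA2, der(0x04, response_token))))

b64 = lambda raw: base64.b64encode(raw).decode()
# Constructed samples: minimal NTLMSSP Type 1 / Type 2 messages and a stub Kerberos AP-REQ.
NTLM_TYPE1 = NTLMSSP_SIG + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + b"\x00" * 16
NTLM_TYPE2 = NTLMSSP_SIG + (2).to_bytes(4, "little") + b"\x00" * 8 + b"\x05\x82\x89\xa2" + b"\x00" * 24
KRB_AP_REQ = der(0x60, der(0x06, encode_oid(KRB5)) + b"\x01\x00"           # TOK_ID = AP-REQ
               + der(0x6E, der(0x30, der(0xA0, der(0x02, b"\x05")))))    # pvno 5, rest omitted
SAMPLE_401 = ("HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/6.0\r\n"
              "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\nContent-Length: 0\r\n\r\n")
SAMPLES = {
    "client, raw NTLM":          "NTLM " + b64(NTLM_TYPE1),
    "client, Negotiate -> NTLM": "Negotiate " + b64(spnego_init([NTLMSSP_OID], NTLM_TYPE1)),
    "client, Negotiate -> Krb":  "Negotiate " + b64(spnego_init([KRB5, NTLMSSP_OID], KRB_AP_REQ)),
    "server, Negotiate -> NTLM": "Negotiate " + b64(spnego_resp(NTLMSSP_OID, NTLM_TYPE2)),
}
```

Import the module and call `advertised_schemes(SAMPLE_401)` and `classify(value)` for each entry in `SAMPLES`, or paste a real header value from Wfetch or a proxy into `classify`. Two tells are worth knowing without running anything: a blob that begins `TlRMTVNT` is raw NTLMSSP, while one that begins `YII` or `YIG` is a GSS-API/SPNEGO token whose first mechanism you only learn by decoding it. Seeing Kerberos in the client token but a 401 from the server is the symptom of the SPN mismatch Joe mentions (Kerberos reports it as KRB_AP_ERR_MODIFIED); `setspn -L <account>` on the app pool identity and on the machine account shows which of them currently holds the HTTP/hostname SPN.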