RE: integrated authentication failing from remote site

From: Lisa Cozzens [MSFT]
Date: Tue, 07 Jan 2003 17:54:17 GMT

Hi Bruce,

Here's another good article on authentication in IIS:
Q264921 INFO: How IIS Authenticates Browser Clients

To help you make a little more sense of the Netmon traces, here is what you
should see in a "normal" Integrated Windows authentication session:
1. Client port x -> Server port 80: GET request, no auth information
2. Server port 80 -> Client port x: 401.2 error. Connection: close.
3. Client port y (NOTE CHANGE OF PORT) -> Server port 80: GET request.
Authorization: NTLM (followed by junk). Connection: Keep-Alive.
4. Server port 80 -> Client port y: 401.1 error. WWW-Authenticate: NTLM
(followed by junk).
5. Client port y -> Server port 80: GET request. Authorization: NTLM
(followed by junk). Connection: Keep-Alive.
6. Server port 80 -> Client port y: 200 OK

The following differences in the above sequence of events might indicate
proxy server interference:
1. Steps 1-4 are identical to above, but in step 5, the request from the
client comes from yet another port, instead of over the same ports as steps
3 and 4.
2. In a server-side trace, no Connection: Keep-Alive header from the client
in steps 3 or 5.
3. In a server-side trace, no authentication information received from the
client in steps 3 or 5.
4. In a client-side trace, no WWW-Authenticate: NTLM header received in
step 4.

Unfortunately, if third-party proxy servers are indeed interfering and
causing the problem, you don't have any choice but to use Basic
authentication. Integrated Windows Authentication was designed for an
intranet environment, where there are no proxy servers/firewalls, or at
least no proxy servers/firewalls that are not under your control. It works
great in that environment, but it doesn't work so well over the Internet.
Besides the proxy/firewall issue, you can also see that Integrated auth
requires three roundtrips *at a minimum* (it could be up to five) between
the server and the client, compared to one for anonymous authentication and
two for Basic.

What are your concerns about using Basic authentication in a production
environment? Are you concerned about password sniffing? If so, you can
always secure the site with SSL (as you're already planning to do). You
could also switch to digest authentication, which does *not* send the
password over the wire in (almost-)clear text like Basic does:
Q222028 Setting Up Digest Authentication for Use with Internet Information
Services 5.0

Hope this helps,

> From: Bruce Rhodewalt
> References: <LQ#ZzbatCHA.1340@cpmsftngxa09>
> Subject: RE: integrated authentication failing from remote site
> Message-ID: <#4kNOsetCHA.2640@TK2MSFTNGP11>
> Date: Mon, 06 Jan 2003 17:21:06 -0800
>
> Thanks to you all for your suggestions. I have confirmed that Basic
> authentication works. I have also used Netmon to compare the
> transactions that occur during a session which correctly authenticates
> (using IWA) and one which merely delivers an error to the user. The
> difference is dramatic. I'll see what I can learn from that.
> If it turns out that various proxy servers (some of which belong to ISPs
> and so are completely outside of my control) are to blame, what are my
> options? We can control the client, requiring MSIE 5.01 at least. We
> do not want to configure each client beyond requiring a minimum version.
> We will be going to SSL on the server eventually.
> I do not want to leave Basic authentication in a production environment.
> Thanks for any suggestions.

Please do not send email directly to this alias. This is an online
account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers
no rights. You assume all risk for your use.

2002 Microsoft Corporation. All rights reserved.
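As an added illustration (not part of the original post), the six-step NTLM sequence and the four proxy-interference signs described above can be turned into a small checker that runs over a summarised trace. The trace records, port numbers and NTLM blob placeholders below are constructed, not taken from a real Netmon capture.

```python
# Added example: classify a summarised IIS Integrated Windows (NTLM) exchange
# against the six-step sequence from the post. Each message is a dict with
# 'port' (client-side TCP port), 'status' (None for requests) and 'headers'.

def analyze_iwa_trace(messages):
    """Return a list of findings; an empty list means the exchange looks normal."""
    findings = []
    if len(messages) < 6:
        return [f"only {len(messages)} messages; NTLM needs 6 (3 round trips)"]
    m = messages[:6]
    h = lambda i, name: m[i]["headers"].get(name, "")
    # Step 2: server answers the anonymous request with 401 and Connection: close
    if m[1]["status"] != 401 or h(1, "Connection").lower() != "close":
        findings.append("step 2 should be a 401 with Connection: close")
    # Steps 3-6 must ride one new keep-alive connection (port y)
    if m[2]["port"] == m[0]["port"]:
        findings.append("step 3 reused the step-1 port; expected a new connection")
    if m[4]["port"] != m[2]["port"]:
        findings.append("step 5 came from another port: a proxy may be splitting the NTLM connection")
    for i in (2, 4):
        if h(i, "Connection").lower() != "keep-alive":
            findings.append(f"step {i + 1} missing Connection: Keep-Alive (stripped by proxy?)")
        if not h(i, "Authorization").startswith("NTLM"):
            findings.append(f"step {i + 1} missing Authorization: NTLM (stripped by proxy?)")
    if m[3]["status"] != 401 or not h(3, "WWW-Authenticate").startswith("NTLM"):
        findings.append("step 4 missing 401 + WWW-Authenticate: NTLM challenge")
    if m[5]["status"] != 200:
        findings.append(f"step 6 returned {m[5]['status']}, expected 200")
    return findings

def _req(port, **headers):
    return {"port": port, "status": None, "headers": headers}

def _resp(port, status, **headers):
    return {"port": port, "status": status, "headers": headers}

# Constructed "normal" trace: ports x=1500, y=1501; NTLM blobs are placeholders.
NORMAL_TRACE = [
    _req(1500),
    _resp(1500, 401, Connection="close"),
    _req(1501, Authorization="NTLM <type1>", Connection="Keep-Alive"),
    _resp(1501, 401, **{"WWW-Authenticate": "NTLM <type2>"}),
    _req(1501, Authorization="NTLM <type3>", Connection="Keep-Alive"),
    _resp(1501, 200),
]

# Constructed proxied trace: Keep-Alive stripped, step 5 arrives on a third port,
# so the server never sees the type-3 message on the challenged connection.
PROXIED_TRACE = [
    NORMAL_TRACE[0], NORMAL_TRACE[1],
    _req(1501, Authorization="NTLM <type1>"),
    NORMAL_TRACE[3],
    _req(1502, Authorization="NTLM <type3>"),
    _resp(1502, 401, **{"WWW-Authenticate": "NTLM"}),
]
```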
