Re: NTLM auth fails with websites using four part FQDN Host Header nam

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 10/13/04


Date: Wed, 13 Oct 2004 10:24:26 +1000

Any proxy servers or other network devices between the servers and clients?

It does seem odd that this works sometimes but not others. However with NTLM
auth, it's the HTTP connection that is authenticated, and that connection
must be kept-alive from end-to-end (server to client) whilst the NTLM
authentication handshake is taking place. If there is a proxy server or
similar between the client and server that is terminating any of the
connections, your authentication will fail.

Cheers
Ken

"dwenwa@companyabc.com" <dwenwacompanyabccom@discussions.microsoft.com>
wrote in message news:E56E94E8-2861-41EA-BFA4-487F0F2873D1@microsoft.com...
> Hi,
>
> I have encountered a unique problem with IIS6, Integrated Authentication
> (IWA) and Host Headers. I manage a web farm of two production servers behind
> a content switch that host ASP.NET applications. I have a particular
> situation where NTLM authentication fails where the URL is
> "http://www.nicename.mycompany.com". Below I describe the symptoms. A three
> part FQDN refers to "nicename.mycompany.com" and a four part FQDN refers to
> "www.nicename.mycompany.com". Are there limitations to prefacing Host
> Headers with "www"? Or is it something to do with the four part FQDN? Or
> something else? Please help with this production problem. My users have a
> workaround for now with using three part FQDNs.
>
> Thanks.
>
> Dave
> =========================================
>
> SYMPTOMS: On clients running IE6 on Windows 2000 client, attempts to connect
> to websites with four part FQDNs that begin with "www" fail NTLM
> authentication. If I use a three part FQDN, then the connection is
> successful. If I then attempt to connect to the server with the four part
> FQDN with "www", the connection is successful. If I close the browser, clear
> the cache, and attempt the four part connection, it is successful. After
> about 30 minutes, the problem recurs.
>
> On clients running IE5.5 on Windows NT4 clients, those connections are never
> successful to the website using the four part FQDN. They can connect
> successfully using the three part FQDN.
>
> CONFIGURATION:
> Servers are newly built with Windows 2003 Standard Edition running IIS6 (NOT
> in Isolation Mode). They belong to the "mycompany.com" domain.
>
> The website is configured in a custom application pool called:
> ABCAppPool
>
> The website is configured with the name "ABCvmp01.mycompany.com".
> Host Headers:
> ABCvmp01.mycompany.com (port 80)
> ABCvmp01 (port 80)
> nicename.mycompany.com (port 80)
> www.nicename.mycompany.com (port 80)
> Authentication Methods:
> ANONYMOUS: disabled
> Integrated Authentication: enabled
> Basic Authentication: enabled
> Digest Authentication: disabled
> Passport Auth: disabled
> NT Folder Permissions:
> Administrators: FULL (Me)
> Interactive: List Folder
> Network: List Folder
> Network Service: Read & Execute, List Folder, Read
> System: Full
> Users: Read & Execute, List Folder, Read (Local group)
> MyGroup: All rights except FULL
> Metabase shows for this website:
> AuthFlags="AuthBasic | AuthNTLM"
>
>
> Other facts to note:
> - Both servers are on the company Intranet
> - Both servers are configured identically and behave identically.
> - Multiple websites are configured with four part FQDNs with IWA enabled,
> Basic enabled, and Anonymous disabled.
> - Symptoms occur when attempting to display an HTML document, ASP program,
> or ASP.NET application.
> - All users exhibit problem regardless of group membership (even
> Administrator has issue).
> - User accounts are "mycompany.com" domain accounts.
> - Connection attempts are successful with four part FQDN if website is
> configured with ANONYMOUS enabled.
> - Filemon only shows references to the IISHelp document for 401 help
> document after completing third login prompt.
> - No messages in any of the three Event logs. Security log doesn't even
> display failed attempts even though local policy is configured to display
> Failed Login attempts.
> - Regmon does not display any indication that the application is attempting
> to access the registry.
> - Ethereal and Netmon shows the following interaction (summarized):
> Client: GET / HTTP/1.1, NTLMSSP_NEGOTIATE
> Host: www.nicename.mycompany.com
> Server: HTTP/1.1 401 Unauthorized, NTLMSSP_CHALLENGE
> Server: Microsoft-IIS/6.0
> WWW-Authenticate: NTLM ...
> Client: GET / HTTP/1.1, NTLMSSP_AUTH
> Host: www.nicename.mycompany.com
> Authorization: NTLM ...
> Server: HTTP/1.1 401 Unauthorized
> Server: Microsoft-IIS/6.0
> WWW-Authenticate: NTLM
> WWW-Authenticate: Basic realm="www.nicename.mycompany.com"
> ...repeats three times before returning 401 error to user.
>
> Web log shows the following:
> 2004-10-12 12:58:17 <Server IP Address> GET / - 80 - <Client IP Address> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401 2 2148074254
> 2004-10-12 12:58:17 <Server IP Address> GET / - 80 - <Client IP Address> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401 1 0
> 2004-10-12 12:58:17 <Server IP Address> GET / - 80 - <Client IP Address> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401 1 2148074248
> 2004-10-12 12:58:24 <Server IP Address> GET / - 80 - <Client IP Address> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401 1 0
> 2004-10-12 12:58:24 <Server IP Address> GET / - 80 - <Client IP Address> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401 1 2148074248
> 2004-10-12 12:58:26 <Server IP Address> GET / - 80 - <Client IP Address> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401 1 0
> 2004-10-12 12:58:26 <Server IP Address> GET / - 80 - <Client IP Address> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401 1 2148074248
> 2004-10-12 12:58:29 <Server IP Address> GET / - 80 - <Client IP Address> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401 1 0
> 2004-10-12 12:58:29 <Server IP Address> GET / - 80 - <Client IP Address> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401 1 2148074248
>
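Ken's point is that the three NTLM legs (NEGOTIATE, CHALLENGE, AUTH) must ride one kept-alive connection end to end, and Dave's IIS log already shows which leg is failing once the sc-substatus and sc-win32-status columns are decoded. The script below is an added example, not code from either poster: it parses lines in the default IIS 6 W3C layout Dave's excerpt uses, maps the two sc-win32-status values in that excerpt to their Windows SDK SEC_E_* names (the constant values and the 401 sub-status meanings come from Microsoft's documentation; SEC_E_LOGON_DENIED is included as the usual bad-password case for contrast), and summarises where the handshake stalls. The embedded sample reproduces Dave's nine entries with constructed IP addresses (10.0.0.5 and 10.0.0.77) standing in for the placeholders in his post.

```python
"""Decode IIS 6 W3C extended log entries from a failing NTLM handshake.

Added example, not from the newsgroup thread. Field order assumed is the
default IIS 6 W3C layout visible in the original post:
date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
cs(User-Agent) sc-status sc-substatus sc-win32-status
"""
from collections import Counter
from dataclasses import dataclass

# sc-win32-status carries the SSPI result as a decimal number.
# Values are the Windows SDK SEC_E_* constants from winerror.h.
SSPI_STATUS = {
    0x0: "no SSPI error",
    0x80090308: "SEC_E_INVALID_TOKEN",   # 2148074248: token rejected at the AUTH leg
    0x8009030C: "SEC_E_LOGON_DENIED",    # 2148074252: wrong user name or password
    0x8009030E: "SEC_E_NO_CREDENTIALS",  # 2148074254: request carried no credentials
}

# IIS 6 sub-status meanings for a 401 response.
SUBSTATUS_401 = {
    1: "logon failed",
    2: "logon failed due to server configuration (challenge issued)",
    3: "unauthorized due to ACL on resource",
}

FIELDS = ("date", "time", "s_ip", "method", "uri", "query", "port",
          "username", "c_ip", "user_agent", "status", "substatus", "win32")

# Constructed sample: Dave's nine entries with placeholder IPs replaced.
_UA = "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322)"
SAMPLE_LOG = "\n".join(
    f"2004-10-12 {t} 10.0.0.5 GET / - 80 - 10.0.0.77 {_UA} 401 {sub} {w32}"
    for t, sub, w32 in [
        ("12:58:17", 2, 2148074254),
        ("12:58:17", 1, 0), ("12:58:17", 1, 2148074248),
        ("12:58:24", 1, 0), ("12:58:24", 1, 2148074248),
        ("12:58:26", 1, 0), ("12:58:26", 1, 2148074248),
        ("12:58:29", 1, 0), ("12:58:29", 1, 2148074248),
    ]
)


@dataclass(frozen=True)
class LogEntry:
    date: str
    time: str
    s_ip: str
    method: str
    uri: str
    query: str
    port: int
    username: str
    c_ip: str
    user_agent: str
    status: int
    substatus: int
    win32: int


def parse_line(line: str) -> LogEntry:
    """Split one W3C log line into its thirteen fields (User-Agent uses '+' for spaces)."""
    tokens = line.split()
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line!r}")
    values = dict(zip(FIELDS, tokens))
    for key in ("port", "status", "substatus", "win32"):
        values[key] = int(values[key])
    return LogEntry(**values)


def describe(entry: LogEntry) -> str:
    """Readable form of the status triple, e.g. '401.1 SEC_E_INVALID_TOKEN (logon failed)'."""
    sspi = SSPI_STATUS.get(entry.win32, f"0x{entry.win32:08X}")
    text = f"{entry.status}.{entry.substatus} {sspi}"
    if entry.status == 401:
        text += f" ({SUBSTATUS_401.get(entry.substatus, 'unknown sub-status')})"
    return text


def analyse(log_text: str) -> dict:
    """Count handshake legs in a log excerpt and report where NTLM stalls."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    legs = Counter(describe(e) for e in entries)
    challenges = sum(1 for e in entries if e.status == 401 and e.substatus == 2)
    auth_rejected = sum(1 for e in entries if e.status == 401 and e.win32 == 0x80090308)
    succeeded = sum(1 for e in entries if 200 <= e.status < 300)
    if succeeded:
        verdict = "handshake completed"
    elif auth_rejected >= 2:
        verdict = ("NTLM AUTH leg rejected repeatedly (SEC_E_INVALID_TOKEN): the "
                   "CHALLENGE and AUTH legs must arrive on the same kept-alive "
                   "connection, so check for anything between client and server "
                   "that closes or re-opens connections mid-handshake")
    elif challenges:
        verdict = "challenge issued but no AUTH leg logged"
    else:
        verdict = "no NTLM handshake seen"
    return {"entries": len(entries), "legs": dict(legs), "challenges": challenges,
            "auth_rejected": auth_rejected, "succeeded": succeeded, "verdict": verdict}


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(describe(parse_line(line)))
    print(analyse(SAMPLE_LOG)["verdict"])
```

Run against the sample, the first entry decodes as 401.2 / SEC_E_NO_CREDENTIALS (the server challenging a request that carried nothing yet, which is normal), and every later pair is a 401.1 with no SSPI error followed by a 401.1 / SEC_E_INVALID_TOKEN: the Type 3 AUTH message is being rejected each time rather than a password being refused, which is exactly the pattern Ken's connection-termination explanation would produce.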


