IIS using Kerberos: Excessive network traffic
From: ameneon (ameneon_at_gmail.com)
Date: 10/26/05
- Previous message: Bernard Cheah [MVP]: "Re: Changing from self-signed certificate to a trusted CA"
- Next in thread: David Wang [Msft]: "Re: IIS using Kerberos: Excessive network traffic"
- Reply: David Wang [Msft]: "Re: IIS using Kerberos: Excessive network traffic"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 26 Oct 2005 00:33:47 -0700
Hi,
We are currently switching from NTLM to Kerberos on a large portal
installation which uses IIS for SSO purposes. This is a clustered
solution, so we've set a domain user as the owner of the IIS app pool
and configured the SPN so it can issue tickets for the cluster address.
We've verified that Kerberos is indeed being used (kerbtray, Ethereal).
After looking at the network traffic, I can see that for each URL that
is requested a Kerberos reauthentication is done.
To exemplify:
IE sends request
GET /images/photo.jpg HTTP/1.1
Server answers
HTTP 401.2 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: Kerberos
IE retries the request, now with kerberos ticket
GET /images/photo.jpg HTTP/1.1
Authorization Negotiate <KERBEROS TICKET>
Server returns content
HTTP 200
<actual data>
This is done even though it uses the same TCP connection as the last
request to the same server (so in this case NTLM actually performs
better).
Since the portal consists of many small files (and iframes), this
actually means that the client sends more data than it receives if the
ticket is to be trusted for delegation (we've removed that now and the
Kerberos ticket size went from 6000 bytes to 2500 bytes, so that helped
a bit).
I've looked at the various troubleshooting guides from Microsoft on
Kerberos, but haven't really found much data on how it is performed
over HTTP.
Is there any way around this limitation?
If not, is it possible to configure IE so that it sends the Kerberos
ticket on the first request, so that we avoid the extra round trip?
Regards
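The per-request challenge/response exchange the post describes, as an added model that is not code from the original post or from IIS/IE: a server that keeps no authentication state between requests on a connection, and two client strategies, one that waits for a 401 on every request (what the poster observed) and one that attaches the ticket pre-emptively once the origin has challenged it. Ticket sizes (6000 and 2500 bytes) are taken from the post; the request, challenge and content sizes, the URL list and the pre-emptive behaviour are assumptions for illustration.

```python
from dataclasses import dataclass

# Ticket sizes observed in the post; every other size below is an assumption.
TICKET_BYTES = {"delegation": 6000, "no_delegation": 2500}
BASE_REQUEST_BYTES = 200   # assumed: request line plus ordinary headers
CHALLENGE_BYTES = 150      # assumed: 401 response carrying WWW-Authenticate headers
CONTENT_BYTES = 1500       # assumed: one small image or iframe document


@dataclass
class Stats:
    requests: int = 0        # HTTP requests actually sent
    challenges: int = 0      # 401 Negotiate challenges received
    bytes_sent: int = 0
    bytes_received: int = 0


def server(request):
    """Per-request auth: nothing is remembered between requests on one
    connection, so any request without a ticket is challenged again."""
    if "Authorization" not in request:
        return 401, CHALLENGE_BYTES   # WWW-Authenticate: Negotiate / Kerberos
    return 200, CONTENT_BYTES


def send(request, ticket_bytes, stats):
    stats.requests += 1
    stats.bytes_sent += BASE_REQUEST_BYTES + (ticket_bytes if "Authorization" in request else 0)
    status, size = server(request)
    stats.bytes_received += size
    return status


def fetch_all(urls, ticket_bytes, preemptive=False):
    """Fetch every URL over one connection. preemptive=True models a client
    that, once challenged by this origin, sends the ticket on every later
    request instead of waiting for a fresh 401 each time (assumed behaviour)."""
    stats, challenged = Stats(), False
    for url in urls:
        request = {"GET": url}
        if preemptive and challenged:
            request["Authorization"] = "Negotiate <ticket>"
        status = send(request, ticket_bytes, stats)
        if status == 401:                      # retry with the ticket, as IE does
            stats.challenges += 1
            challenged = True
            request["Authorization"] = "Negotiate <ticket>"
            status = send(request, ticket_bytes, stats)
        if status != 200:
            raise RuntimeError(f"unexpected status {status} for {url}")
    return stats


if __name__ == "__main__":
    page = [f"/images/photo{i}.jpg" for i in range(10)]  # constructed: 10 small files
    for mode, size in TICKET_BYTES.items():
        for pre in (False, True):
            print(f"{mode:14} preemptive={pre!s:5} {fetch_all(page, size, preemptive=pre)}")
```

With delegation enabled and the naive client, the constructed 10-file page sends 64000 bytes to receive 16500, which is the "client sends more than it receives" effect the post describes; the pre-emptive client halves the request count but only the smaller ticket reduces the bytes.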