Re: IIS 6.0 Windows Authentication 401 Every Request

On May 17, 10:12 am, cgambino <cgamb...@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
Hello,

After reading a lot of articles, I was finally able to get Kerberos and NTLM
both working for an internal server.

I'm not sure if this is supposed to work this way, but it seems that on
every request to a page, it'll throw a 401, and then the next request
authorize the same page.

NTLM was doing this often, but not every page. Once I got Kerberos working,
it was doing it on every request.

Is there some more configuration I need to do? Is this the way that this is
intended to work? I assume that the ultimate goal is to have 1
authentication, and have that work for the rest of the session.

Any tips would be greatly appreciated!

Thanks


What you do depends on the type of 401.
- If it is 401.1, then it's probably more IIS configuration or network
issue
- If it is 401.2, then it's probably a client-side issue or network
issue
- If it is 401.3, 401.4, or 401.5, then the configuration is not with
IIS but at server-side application.


I assume that the ultimate goal is to have 1 authentication
and have that work for the rest of the session.

This assumption is mistaken. Once a resource requires authentication,
the client must prove authenticated access on every request in order
to succeed. It is up to the client to provide evidence, and the
evidence depends on the authentication protocol.

For Basic, Digest, Kerberos, and Cookie-based custom auth (such as
ASP.Net Forms auth), proof is to send over username:password in some
form (or abstracted as Kerberos ticket in Kerberos case) on every
request, and the client must remember to do that.

For NTLM, proof is continued anonymous request over the originally
authenticated connection, and the client and server must remember
that.

Tips are not really helpful because it really depends. You need to
provide more precise information on the type of 401, authentication
protocol used on the request, and whether authorization is passed on
the request (as expected) or connection maintained.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

.

Relevant Pages

  • Re: Each HTTP object being requested twice (401 then 200 responses)
    ... Authentication" and the web.config authentication setting is ... Authorized because the request was made anonymously. ... requests the same object a second time it uses kerberos; ... Kerberos tokens should not be regenerated for every request. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Each HTTP object being requested twice (401 then 200 responses)
    ... Authentication" and the web.config authentication setting is ... Authorized because the request was made anonymously. ... requests the same object a second time it uses kerberos; ... Kerberos tokens should not be regenerated for every request. ...
    (microsoft.public.inetserver.iis.security)
  • Re: BASIC authentication Issues with IE - Part II - Solved but WHY?
    ... it does not know the difference between a request from IE or from ... some other HTTP client. ... Some other authentication schemes are more ... IIS can sometimes remember the token for a particular set of credentials so ...
    (microsoft.public.inetserver.iis.security)
  • Re: Each HTTP object being requested twice (401 then 200 responses)
    ... Authentication" and the web.config authentication setting is ... Authorized because the request was made anonymously. ... requests the same object a second time it uses kerberos; ... Kerberos and not NTLM, which is good since that's a requirement for ...
    (microsoft.public.inetserver.iis.security)
  • Re: Kerberos with Windows Integrated authentication
    ... I need help with Kerberos and Windows integrated security. ... Domain controller, IIS, Client. ... I open IE 6 and request a page. ... has not a Authorization header and reuse the ...
    (microsoft.public.security)