Re: Kerberos, SETSPN, GET & POST



NTLM does not use SPNs. So setting SPNs should have no effect whatsoever.

You say you get "strange" 401s, but you don't tell us what's "strange" about these 401s.

You say you get 401s because 'credentials being given are the application pool user'. What credentials are being given by what to who? The user's browser never sends app pool user credentials.

You were certain that Kerberos was being used, but now you say that NTLM is being used.

It seems to me that you aren't really sure what you are looking at, and you don't (or can't) provide accurate details on what you are seeing. You also appear to be somewhat confused about the use of SPNs.

Now, based on your rather vague description, I have posted what I /think/ is happening earlier in the thread (the behaviour seems to be what you would see with NTLM authN), and why you are seeing what you are seeing. Unless and until you can provide some actual *detailed* information about what you are seeing, I don't think anyone else can help you much - the information provided is simply too vague to provide any level of detail.

Cheers
Ken

<raymond_b_jimenez@xxxxxxxxx> wrote in message news:53f5283e-4590-49fc-9ce0-f54d98465110@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I can confirm it's NTLM. I had an idea that it was Kerberos, but the
Kerberos request is generating an error, and NTLM is therefore being
used.
Now, with Kerberos I get one 401 error per GET request, because the
credentials being given are the application pool user, not the user
using the application. POST's do go through, though.
If I set the SPNs, GET's only give the initial 401's (some strange
401's appear sometimes), and the next requests are OK, with no
authentication overhead. POST's give a 401 error, because the
credentials being given are the machine ones.

Either way, a lot of traffic is going on, and it shouldn't be.
Unfortunately, I cannot post the network captures.

Has anybody seen this type of behavior?

rj
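
The question running through this thread is whether each 401 exchange is carrying Kerberos or NTLM. The following is an added example, not part of either poster's message: it classifies `Authorization` / `WWW-Authenticate` header values copied out of a trace by looking for the NTLMSSP signature or a Kerberos mechanism OID in the decoded token. The function name and the sample header values are constructed for illustration.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
NTLM_MSG = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# DER-encoded mechanism OIDs: Kerberos 5 and the older Microsoft variant.
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),
             bytes.fromhex("06092a864882f712010202"))

def classify(header_value):
    """Return which protocol an Authorization/WWW-Authenticate value carries."""
    parts = header_value.split(None, 1)
    if not parts or parts[0].lower() not in ("ntlm", "negotiate"):
        return "not NTLM/Negotiate"
    if len(parts) == 1:
        return parts[0] + " offered, no token"
    try:
        token = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:
        return "undecodable token"
    # NTLM first: a SPNEGO token can list the Kerberos OID and still carry NTLM.
    pos = token.find(NTLM_SIG)
    if pos >= 0 and len(token) >= pos + 12:
        (msg_type,) = struct.unpack_from("<I", token, pos + 8)
        wrapped = " (inside SPNEGO)" if pos else ""
        return "NTLM " + NTLM_MSG.get(msg_type, "type?") + wrapped
    if any(oid in token for oid in KRB5_OIDS):
        return "Kerberos"
    return "SPNEGO, mechanism not identified"

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed sample header values (truncated token bodies, not from a capture).
SAMPLES = [
    "Negotiate",
    "NTLM " + _b64(NTLM_SIG + struct.pack("<II", 1, 0xE2088297)),
    "Negotiate " + _b64(b"\x60\x40\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x36"
                        + KRB5_OIDS[1] + NTLM_SIG + struct.pack("<I", 3)),
    "Negotiate " + _b64(b"\x60\x82\x05\x00\x06\x06\x2b\x06\x01\x05\x05\x02"
                        + KRB5_OIDS[0] + b"\x01\x00\x6e\x82"),
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(classify(value), "<-", value[:40])
```

Running it over the header values of each GET and POST in a trace gives the per-request record of which mechanism was actually negotiated.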
