Re: Kerberos, SETSPN, GET & POST




<raymond_b_jimenez@xxxxxxxxx> wrote in message news:cf95139d-ec91-40e3-94c8-a297658c7231@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
It seems to me that you aren't really sure what you are looking at, and you
don't (or can't) provide accurate details on what you are seeing. You also
appear to be somewhat confused about the use of SPNs.
Cheers
Ken
I'm really sure what I'm looking at:
1-Using Kerberos, I get a 401 error for each GET request.
2-Using SETSPN, the 401's go away for the GET requests, but happen for
POST requests. This happens because the Kerberos request fails and IE
seems to revert to NTLM.

There is no "fall back" mechanism for Kerberos -> NTLM.

The webserver presents a list of authN mechanisms and the client decides which to use.

Option 2 is better, but since the application has a lot of POSTs,
there is still too much overhead.

The strange 401's I've referred to are related to 401's that happen on
different objects on different occasions. If I repeat the test
(deleting temporary files), the errors occur in different objects/
requests... Unfortunately, I cannot provide traffic captures, because
of confidentiality issues.

I would suggest that you contact PSS then.

I have tried to explain how this should work, but your situation is obviously somewhat different. There is some other element within the mix that is changing the way your clients are behaving. But if you have confidentiality issues, then you should engage the services of a trusted party that is able to sign an NDA and who can then look at your configuration to determine what is happening.

Cheers
Ken



rj


