Re: Each HTTP object being requested twice (401 then 200 responses)



On Mar 3, 7:42 am, benny.h...@xxxxxxxxx wrote:
I'm running a .NET 1.1 app on IIS6 with keep-alives and Session state
enabled.  Directory Security is set to only allow "Integrated Windows
Authentication" and the web.config authentication setting is
"windows".  The web pages load fine and the client is correctly
passing the current user's credentials behind the scenes as they
should... almost.

When I run Fiddler on my IE7 browser I see that every object on the
page is requested twice.  The first one fails with a 401-Not
Authorized because the request was made anonymously.  When the browser
requests the same object a second time it uses kerberos; "Negotiate"
with a HUGE token, which in my experience indicates that SSPI chose
Kerberos and not NTLM, which is good since that's a requirement for
our configuration (we have to delegate the credentials all the way
through an n-tiered architecture).

The problem is that every single object is authenticating essentially
from scratch so each page and each object within a page is requested
twice and each second request has a HUGE payload in the header because
of the kerberos overhead.  The second request is always succeeding so
the user thinks everything is fine (overall performance of server stinks
though and I think this is why - it's processing between 1-2 requests/
sec).

As a contrast to that, when I go to the Advanced tab in my IE7 browser
and uncheck "Enable Integrated Windows Authentication" (essentially
forcing my browser to use NTLM instead of Kerberos) then the page and
its objects are requested more correctly (the first page is rejected
and tries against passing NTLM token then all other subsequent objects
pass a session ID cookie and therefore succeed the first time).  I
would call this the fix/workaround only; like I said, my customer's
requirements dictate that Kerberos be used instead of NTLM.

Anyone know how to make Kerberos behave more like NTLM in this way:
IE requests page anonymously and gets a 401 response, then makes same
request authenticating with Kerberos and gets a 200 response.  THEN,
every other subsequent request tied to that session successfully gets
objects back the first time with kerberos credentials being passed so
they are only requested once and don't reauthenticate every single
request (which creates overhead in communicating with the domain
controller, etc, etc, etc).

One thing I noticed is that when I force NTLM the Cookie is of this
form:

Cookie: ASPSESSIONIDCCADBTCD=DKHBKJACBEAIGBBJAKAJJBKD

And when Kerberos is used the Cookie is of this form:

Cookie: ASP.NET_SessionId=yuwpra55mlvefl45srf5mbed

Ring any bells?
Benny
benny period hauk - gmail



http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/b0b4ec5c-74f8-43e9-ac64-d8b852568341.mspx?mfr=true

Due to the nature of Kerberos, you will *never* be able to avoid that
huge payload on every request. You can minimize the size of that
payload by minimizing the group membership of the user involved, but
the payload (i.e. ticket) has to be present on every request because
that is the authentication proof. Alternatively, NTLM uses the TCP
connection as the authentication proof. Inherent in all designs, each
mechanism of maintaining authentication proof has its benefits and
drawbacks.

Now, that ticket is supposed to be cached by the client and
automatically sent on the requests without re-authenticating, so you
have to look at the client as to why it is reauthenticating.

FYI: You cannot make Kerberos behave more like NTLM. I recommend you
read and understand how existing authentication protocols work because
when you do, you will see the problems with what you request. Please
explain how you plan to maintain an authenticated Kerberos "Session"
that is secured against spoofs, replay attacks, and DoS.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
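One way to read the Fiddler trace Benny describes against David's explanation, as an added example that is not part of the original thread: a small Python analyser over constructed trace entries that tells NTLM from Kerberos/SPNEGO by decoding the Authorization token (the "NTLMSSP" signature versus a DER GSS-API token starting with 0x60) and counts which objects went through the 401-then-200 round trip, which is the "every object requested twice" symptom. The trace entries and token bytes are constructed to look like the real ones, not captured data.

```python
import base64
from collections import defaultdict

# Constructed tokens shaped like the real ones (not captured data). NTLM messages
# carry the "NTLMSSP\0" signature; SPNEGO/Kerberos tokens are DER GSS-API tokens
# (first byte 0x60, here followed by the SPNEGO OID 1.3.6.1.5.5.2), padded out
# to mimic the large Kerberos ticket described in the post.
NTLM_TYPE1 = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28).decode()
NTLM_TYPE3 = base64.b64encode(b"NTLMSSP\x00\x03\x00\x00\x00" + b"\x00" * 60).decode()
KRB_TOKEN = base64.b64encode(b"\x60\x82\x06\xb7\x06\x06\x2b\x06\x01\x05\x05\x02" + b"\x00" * 1700).decode()

# Constructed Fiddler-style traces: (url, request Authorization header, status).
KERBEROS_TRACE = [  # the symptom: every object is challenged and re-sent
    ("/default.aspx", None, 401), ("/default.aspx", "Negotiate " + KRB_TOKEN, 200),
    ("/styles.css", None, 401), ("/styles.css", "Negotiate " + KRB_TOKEN, 200),
    ("/logo.gif", None, 401), ("/logo.gif", "Negotiate " + KRB_TOKEN, 200),
]
NTLM_TRACE = [  # three-leg NTLM once, then the keep-alive connection is authenticated
    ("/default.aspx", None, 401), ("/default.aspx", "NTLM " + NTLM_TYPE1, 401),
    ("/default.aspx", "NTLM " + NTLM_TYPE3, 200),
    ("/styles.css", None, 200), ("/logo.gif", None, 200),
]

def classify_auth(header):
    """Name the SSPI package behind an Authorization header, whatever the scheme word."""
    if header is None:
        return "none"
    scheme, _, token = header.partition(" ")
    raw = base64.b64decode(token)
    if raw.startswith(b"NTLMSSP\x00"):
        return "NTLM"
    if raw[:1] == b"\x60":  # GSS-API InitialContextToken: SPNEGO or raw Kerberos
        return "Kerberos/SPNEGO"
    return "unknown (%s)" % scheme

def analyze(trace):
    """Per-URL request and 401 counts plus the mechanism that finally succeeded."""
    per_url = defaultdict(lambda: {"requests": 0, "challenges": 0, "mechanism": None, "token_chars": 0})
    for url, auth, status in trace:
        entry = per_url[url]
        entry["requests"] += 1
        if status == 401:
            entry["challenges"] += 1
        elif status == 200:
            entry["mechanism"] = classify_auth(auth)
            entry["token_chars"] = len(auth.split(" ", 1)[1]) if auth else 0
    rechallenged = [u for u, e in per_url.items() if e["challenges"]]
    return {"urls": dict(per_url), "rechallenged": rechallenged,
            "every_object_twice": len(rechallenged) == len(per_url)}
```

Run `analyze(KERBEROS_TRACE)` and `analyze(NTLM_TRACE)` to compare the two patterns; `every_object_twice` is true only for the Kerberos trace.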


