Re: Kerberos with Windows Integrated authentication
- From: lobezno <lobezno@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 2 Jan 2009 08:43:01 -0800
OK. I'll do it, but one question. Which group is this??
I'm in: http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
then, I select "english\servers\windows server\security\security general"
Why is it wrong??? Your URL has different contents, it's true, but I don't
know which group I am in.
Thanks.
"Peter Foldes" wrote:
lobezno.
You need to repost this to the following newsgroup. This is the wrong newsgroup for
this. The newsgroup is windows.server.security
On the web:
http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.windows.server.security
--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
"lobezno" <lobezno@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BC6F4478-063D-431B-930E-CFEA98BE89E3@xxxxxxxxxxxxxxxx
Hi,
I need help with Kerberos and Windows integrated security.
My system is:
All the servers and clients are in the same domain with the same OS: Windows
Server 2003 Enterprise R2 SP2
Domain controller, IIS, Client.
Internet Explorer 6 SP2
I open IE 6 and request a page. The resource is protected (using Windows
Integrated Authentication, with no anonymous allowed). A login screen prompts
me. I enter a valid login and pwd, and I get the page. This is the sequence:
----------
GET /home/home.aspx HTTP/1.1\r\n
HTTP/1.1 401 Unauthorized\r\n
Kerberos AS-REQ
Kerberos AS-REP
Kerberos TGS-REQ
Kerberos TGS-REP
GET /home/home.aspx HTTP/1.1\r\n
[truncated] Authorization: Negotiate YIIEnQYGKw......
HTTP/1.1 200 OK\r\n
[truncated] WWW-Authenticate: Negotiate oYGfMIGcoA......
----------
Question 1: In the OK response, how does the IIS server generate the
WWW-Authenticate header? I thought that it should be the same value that the
client sends to the server in its Authorization header.
Let's continue. I press F5 and reload the page. Obviously I don't need to enter
my login/pwd again and I get the same page. This is the sequence:
----------
GET /home/home.aspx HTTP/1.1\r\n
HTTP/1.1 401 Unauthorized\r\n
Kerberos AS-REQ
Kerberos AS-REP
Kerberos TGS-REQ
Kerberos TGS-REP
Question 2: Why does the next request not have an Authorization header and reuse the
token? Why does it need to get a new ticket from the KDC??
GET /home/home.aspx HTTP/1.1\r\n
[truncated] Authorization: Negotiate YIIEnQYGKw......
HTTP/1.1 200 OK\r\n
[truncated] WWW-Authenticate: Negotiate oYGfMIGcoA......
Question 3: The last request/response has the same header values as the first.
It seems that the client "reuses" the ticket. But, if this is true, why does it need
the (AS-REQ, AS-REP, TGS-REQ, TGS-REP) cycle again?? Why, when I press F5, is the
client request not directly:
GET /home/home.aspx HTTP/1.1\r\n
[truncated] Authorization: Negotiate YIIEnQYGKw......
----------
Any help will be gratefully received.
Thanks a lot.
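
An added example, not part of the original thread: decoding only the outer DER tag and length of the two truncated Negotiate values in the trace shows that they are different token types (0x60 for the client's token, 0xa1 for the server's), which bears on Question 1. The function names are this example's own; the tag meanings are taken from RFC 2743 and RFC 4178.

```python
import base64

# Outer DER tags a Negotiate token can start with (RFC 2743 / RFC 4178).
OUTER_TAGS = {
    0x60: "GSS-API InitialContextToken (initiator's first token)",
    0xA0: "SPNEGO NegTokenInit",
    0xA1: "SPNEGO NegTokenResp (reply token)",
}

def der_header(data):
    """Return (tag, declared_length) of the first DER TLV in data."""
    if len(data) < 2:
        raise ValueError("need at least two bytes")
    tag, first = data[0], data[1]
    if first < 0x80:                      # short form: length in one byte
        return tag, first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated length field")
    return tag, int.from_bytes(data[2:2 + n], "big")

def classify_negotiate(header_value):
    """Classify the token in an 'Authorization:' or 'WWW-Authenticate:' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header value")
    b64 = b64.strip().rstrip(".")         # drop the capture tool's "......" elision
    b64 = b64[: len(b64) - len(b64) % 4]  # keep whole base64 quanta only
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):    # Negotiate carrying NTLM, not Kerberos
        return {"kind": "raw NTLMSSP message", "tag": None, "declared_len": None}
    tag, length = der_header(raw)
    kind = OUTER_TAGS.get(tag, "unknown outer tag")
    return {"kind": kind, "tag": tag, "declared_len": length}

if __name__ == "__main__":
    # The two truncated values exactly as they appear in the trace above.
    for name, value in [("Authorization", "Negotiate YIIEnQYGKw......"),
                        ("WWW-Authenticate", "Negotiate oYGfMIGcoA......")]:
        info = classify_negotiate(value)
        print(f"{name}: tag=0x{info['tag']:02x} len={info['declared_len']} {info['kind']}")
```

The same check on a full capture separates Kerberos-backed Negotiate exchanges from ones that carried NTLM, which is a useful field to log on the server side.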