401 responses with ntlm enabled
| Andy Fish 2005-01-14, 7:51 am |
Hi,
I'm using IIS6 and my web app is configured for integrated Windows
authentication. From a user perspective it looks fine, i.e. you log in using
your Windows credentials and then you can use the site.
However, looking at the IIS log, every HTTP request gets sent 3 times. The
first 2 times, the cs-username field is blank and the response is 401; the
third time the cs-username field is correct and the response is 200.
I've turned on all the fields in the web log and for the first request, the
sc-substatus is 2 and sc-win32-status is 2148074254; the second request has
sc-substatus 1 and sc-win32-status 0.
My app is ASP.NET but I get the same behaviour when requesting images, CSS
and JavaScript includes, so I don't think that's relevant.
TIA for any ideas
Andy
| |
| David Wang [Msft] 2005-01-15, 2:47 am |
The sequence you observe is normal NTLM authentication negotiation.
What is not usual is that it should happen only once per authenticated user
because the authentication is per-connection. If you see the same user
repeatedly re-authenticating, it indicates that either:
1. The application is doing something that closes the connection, which
forces reauthentication
2. Any network device (like proxy servers) between the server and client is
socket pooling and violating NTLM
3. If the client is running .Net Framework network classes, it could have
this behavior and there is an "unsafe" workaround that essentially breaks
authentication for performance.
4. Your server is configured to not have keep-alives
5. Something on your server is forcing the connection closed
6. The server has a bug
7. Etc.
A Network Monitor trace of the re-authenticated request/responses in question
needs to be made in order to distinguish amongst all those possibilities. You
can install this from the Windows Server 2003 CD using Add/Remove
Programs\Windows Components\Network Monitoring Tools
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
| |
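An added example (not part of the thread and not Microsoft's code): a Python script that counts, per client IP, how many authenticated requests in a W3C-format IIS log were preceded by the 401.2 then 401.1 sequence described above, so that clients re-authenticating on every request stand out from clients that authenticate once. The sample log, user names, `threshold` and `min_requests` are constructed assumptions; IIS logs carry no connection identifier, so this is a heuristic for choosing which clients to capture with Network Monitor.

```python
from collections import defaultdict

# Constructed sample (W3C extended format): 10.0.0.5 repeats the 401.2 -> 401.1
# -> 200 sequence for every URL; 10.0.0.9 authenticates once, then reuses it.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-uri-stem sc-status sc-substatus sc-win32-status
2005-01-14 07:40:01 10.0.0.5 - /default.aspx 401 2 2148074254
2005-01-14 07:40:01 10.0.0.5 - /default.aspx 401 1 0
2005-01-14 07:40:01 10.0.0.5 EXAMPLE\\alice /default.aspx 200 0 0
2005-01-14 07:40:02 10.0.0.5 - /site.css 401 2 2148074254
2005-01-14 07:40:02 10.0.0.5 - /site.css 401 1 0
2005-01-14 07:40:02 10.0.0.5 EXAMPLE\\alice /site.css 200 0 0
2005-01-14 07:41:10 10.0.0.9 - /default.aspx 401 2 2148074254
2005-01-14 07:41:10 10.0.0.9 - /default.aspx 401 1 0
2005-01-14 07:41:10 10.0.0.9 EXAMPLE\\bob /default.aspx 200 0 0
2005-01-14 07:41:11 10.0.0.9 EXAMPLE\\bob /site.css 200 0 0
2005-01-14 07:41:11 10.0.0.9 EXAMPLE\\bob /logo.gif 200 0 0
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the log's own #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def reauth_stats(rows):
    """Per client IP: (requests preceded by a full handshake, authenticated requests)."""
    stage = defaultdict(int)             # (ip, uri) -> 401 legs seen so far
    stats = defaultdict(lambda: [0, 0])
    for r in rows:
        key, anon = (r["c-ip"], r["cs-uri-stem"]), r["cs-username"] == "-"
        code = (r["sc-status"], r["sc-substatus"])
        if anon and code == ("401", "2"):
            stage[key] = 1               # first 401 of the logged sequence
        elif anon and code == ("401", "1") and stage[key] == 1:
            stage[key] = 2               # second 401 of the logged sequence
        elif not anon:
            stats[r["c-ip"]][0] += stage[key] == 2
            stats[r["c-ip"]][1] += 1
            stage[key] = 0
    return {ip: tuple(v) for ip, v in stats.items()}

def clients_reauthenticating(rows, threshold=0.9, min_requests=2):
    """Clients where nearly every authenticated request needed a new handshake."""
    return sorted(ip for ip, (h, n) in reauth_stats(rows).items()
                  if n >= min_requests and h / n >= threshold)
```

On the constructed sample, `clients_reauthenticating(parse_w3c(SAMPLE_LOG))` reports only 10.0.0.5, the client whose every request repeats the three-step sequence.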
| Andy Fish 2005-01-16, 5:49 pm |
Thanks David,
Can I just clarify what you mean by "connection" in this case? Do you mean
the actual TCP/IP socket connection between the 2 servers?
I thought HTTP was connectionless and would re-establish a new connection
for each request.
| |
| David Wang [Msft] 2005-01-18, 2:51 am |
Yes, my "connection" means "TCP/IP socket connection".
I think you meant to say that "HTTP is stateless". HTTP definitely requires
a connection and says nothing about re-establishing new connections. Thus,
HTTP requests can either be sent all via one connection, or one request per
connection, or some combination of the prior two. The Web Browser/Server
mutually decide what happens.
You will need to get a NetMon capture of the request(s) in question. I
suspect something is causing the originally authenticated NTLM connection to
close -- which causes the browser to re-authenticate for the subsequent
request(s).