NTLM auth fails with websites using four part FQDN Host Header nam
    NTLM auth fails with websites using four part FQDN Host Header nam  
dwenwa@companyabc.com
10-16-04 02:25 AM

Hi,

I have encountered a unique problem with IIS6, Integrated Authentication
(IWA) and Host Headers.  I manage a web farm of two production servers behind
a content switch that host ASP.NET applications.  I have a particular
situation where NTLM authentication fails where the URL is
"http://www.nicename.mycompany.com".  Below I describe the symptoms.  A three
part FQDN refers to "nicename.mycompany.com" and a four part FQDN refers to
"www.nicename.mycompany.com".  Are there limitations to prefacing Host
Headers with "www"?  Or is it something to do with the four part FQDN?  Or
something else?  Please help with this production problem.  My users have a
workaround for now with using three part FQDNs.

Thanks.

Dave
=========================================

SYMPTOMS: On clients running IE6 on Windows 2000 client, attempts to connect
to websites with four part FQDNs that begin with "www" fail NTLM
authentication.  If I use a three part FQDN, then the connection is
successful.  If I then attempt to connect to the server with the four part
FQDN with "www", the connection is successful.  If I close the browser, clear
the cache, and attempt the four part connection, it is successful.  After
about 30 minutes, the problem recurs.

On clients running IE5.5 on Windows NT4, those connections are never
successful to the website using the four part FQDN.  They can connect
successfully using the three part FQDN.

CONFIGURATION:
Servers are newly built with Windows 2003 Standard Edition running IIS6 (NOT
in Isolation Mode).  They belong to the "mycompany.com" domain.

The website is configured in a custom application pool called:
ABCAppPool

The website is configured with the name "ABCvmp01.mycompany.com".
Host Headers:
ABCvmp01.mycompany.com (port 80)
ABCvmp01 (port 80)
nicename.mycompany.com (port 80)
www.nicename.mycompany.com (port 80)
Authentication Methods:
ANONYMOUS: disabled
Integrated Authentication: enabled
Basic Authentication: enabled
Digest Authentication: disabled
Passport Auth: disabled
NT Folder Permissions:
Administrators:		FULL	(Me)
Interactive:		List Folder
Network:		List Folder
Network Service:	Read & Execute, List Folder, Read
System:			Full
Users:			Read & Execute, List Folder, Read (Local group)
MyGroup:		All rights except FULL
Metabase shows for this website:
AuthFlags="AuthBasic | AuthNTLM"


Other facts to note:
- Both servers are on the company Intranet
- Both servers are configured identically and behave identically.
- Multiple websites are configured with four part FQDNs with IWA enabled,
Basic enabled, and Anonymous disabled.
- Symptoms occur when attempting to display an HTML document, ASP program,
or ASP.NET application.
- All users exhibit problem regardless of group membership (even
Administrator has issue).
- User accounts are "mycompany.com" domain accounts.
- Connection attempts are successful with four part FQDN if website is
configured with ANONYMOUS enabled.
- Filemon only shows references to the IISHelp document for 401 help
document after completing third login prompt.
- No messages in any of the three Event logs.  Security log doesn't even
display failed attempts even though local policy is configured to display
Failed Login attempts.
- Regmon does not display any indication that the application is attempting
to access the registry.
- Ethereal and Netmon show the following interaction (summarized):
Client:	GET / HTTP/1.1, NTLMSSP_NEGOTIATE
Host: www.nicename.mycompany.com
Server: HTTP/1.1 401 Unauthorized, NTLMSSP_CHALLENGE
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM ...
Client: GET / HTTP/1.1, NTLMSSP_AUTH
Host: www.nicename.mycompany.com
Authorization: NTLM ...
Server: HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="www.nicename.mycompany.com"
...repeats three times before returning 401 error to user.

Web log shows the following:
2004-10-12 12:58:17 <Server IP Address> GET / - 80 - <Client IP Address> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401 2 2148074254
2004-10-12 12:58:17 <Server IP Address> GET / - 80 - <Client IP Address> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401 1 0
2004-10-12 12:58:17 <Server IP Address> GET / - 80 - <Client IP Address> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401 1 2148074248
2004-10-12 12:58:24 <Server IP Address> GET / - 80 - <Client IP Address> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401 1 0
2004-10-12 12:58:24 <Server IP Address> GET / - 80 - <Client IP Address> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401 1 2148074248
2004-10-12 12:58:26 <Server IP Address> GET / - 80 - <Client IP Address> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401 1 0
2004-10-12 12:58:26 <Server IP Address> GET / - 80 - <Client IP Address> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401 1 2148074248
2004-10-12 12:58:29 <Server IP Address> GET / - 80 - <Client IP Address> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401 1 0
2004-10-12 12:58:29 <Server IP Address> GET / - 80 - <Client IP Address> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322) 401 1 2148074248

    Re: NTLM auth fails with websites using four part FQDN Host Header nam  
Ken Schaefer
10-16-04 02:25 AM

Any proxy servers or other network devices between the servers and clients?

It does seem odd that this works sometimes but not others. However with NTLM
auth, it's the HTTP connection that is authenticated, and that connection
must be kept-alive from end-to-end (server to client) whilst the NTLM
authentication handshake is taking place. If there is a proxy server or
similar between the client and server that is terminating any of the
connections, your authentication will fail.

Cheers
Ken


"dwenwa@companyabc.com" <dwenwacompanyabccom@discussions.microsoft.com>
wrote in message news:E56E94E8-2861-41EA-BFA4-487F0F2873D1@microsoft.com...
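As an added example (not code from the thread, from IIS or from either poster), a small Python decoder for the W3C log entries Dave posted: it maps sc-substatus and the decimal sc-win32-status to their SSPI names (2148074254 = 0x8009030E SEC_E_NO_CREDENTIALS, 2148074248 = 0x80090308 SEC_E_INVALID_TOKEN) and tallies each client's NTLM rounds. A challenge (401.1 / 0) answered every time by an AUTHENTICATE rejected with SEC_E_INVALID_TOKEN, with no 200 ever, is the pattern to expect when the connection-bound handshake is broken between Type 1 and Type 3, which is what Ken's keep-alive explanation predicts; the field order, IPs, username and user-agent in the sample are constructed assumptions, not taken from the thread.

```python
from collections import defaultdict
# SSPI codes seen in the thread's log, as IIS writes them (decimal sc-win32-status).
SSPI_NAMES = {
    0: "OK",
    0x8009030E: "SEC_E_NO_CREDENTIALS",  # 2148074254: request carried no token
    0x80090308: "SEC_E_INVALID_TOKEN",   # 2148074248: AUTHENTICATE token rejected
}

# Constructed sample shaped like the thread's log (placeholder IPs, user and user-agent).
# Assumed field order: date time s-ip method uri-stem uri-query port user c-ip UA status sub win32
SAMPLE_LOG = """\
2004-10-12 12:58:17 10.0.0.1 GET / - 80 - 10.0.0.50 MSIE6 401 2 2148074254
2004-10-12 12:58:17 10.0.0.1 GET / - 80 - 10.0.0.50 MSIE6 401 1 0
2004-10-12 12:58:17 10.0.0.1 GET / - 80 - 10.0.0.50 MSIE6 401 1 2148074248
2004-10-12 12:58:24 10.0.0.1 GET / - 80 - 10.0.0.50 MSIE6 401 1 0
2004-10-12 12:58:24 10.0.0.1 GET / - 80 - 10.0.0.50 MSIE6 401 1 2148074248
2004-10-12 12:58:26 10.0.0.1 GET / - 80 - 10.0.0.50 MSIE6 401 1 0
2004-10-12 12:58:26 10.0.0.1 GET / - 80 - 10.0.0.50 MSIE6 401 1 2148074248
2004-10-12 12:59:02 10.0.0.1 GET / - 80 - 10.0.0.60 MSIE6 401 2 2148074254
2004-10-12 12:59:02 10.0.0.1 GET / - 80 - 10.0.0.60 MSIE6 401 1 0
2004-10-12 12:59:02 10.0.0.1 GET / - 80 MYCO\\dave 10.0.0.60 MSIE6 200 0 0
"""

def parse_line(line):
    f = line.split()
    return {"time": f[1], "client": f[8], "user": f[7],
            "status": int(f[10]), "substatus": int(f[11]), "win32": int(f[12])}

def describe(entry):
    """Readable reason for a 401: IIS substatus plus the SSPI code behind it."""
    sub = {1: "401.1 logon failed", 2: "401.2 logon failed (server config)"}
    return f"{sub.get(entry['substatus'], entry['status'])} / " \
           f"{SSPI_NAMES.get(entry['win32'], hex(entry['win32']))}"

def analyze(log_text):
    """Per client: challenges issued, AUTHENTICATE tokens rejected, successes, verdict."""
    stats = defaultdict(lambda: {"challenges": 0, "invalid_token": 0, "ok": 0})
    for line in log_text.splitlines():
        if not line or line[0] == "#": continue   # skip blanks and W3C header lines
        e = parse_line(line)
        c = stats[e["client"]]
        if e["status"] == 401 and e["substatus"] == 1 and e["win32"] == 0:
            c["challenges"] += 1       # CHALLENGE sent in reply to NEGOTIATE
        elif e["status"] == 401 and e["win32"] == 0x80090308:
            c["invalid_token"] += 1    # AUTHENTICATE rejected: handshake state not found
        elif e["status"] == 200:
            c["ok"] += 1
    for c in stats.values():
        broken = c["challenges"] and c["invalid_token"] >= c["challenges"] and not c["ok"]
        c["verdict"] = "broken" if broken else "ok"
    return dict(stats)
```

Run `analyze(SAMPLE_LOG)` and the first client shows three challenges, three rejected tokens and no success ("broken"), while the second client completes its round; on a real log, a "broken" client is the cue to check for a proxy or content switch closing the connection mid-handshake rather than for a Host header problem.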