#1: Kerberos, SETSPN, GET & POST

Posted on 2008-01-21 22:41:28 by raymond_b_jimenez

I have a web application that uses Integrated Windows Authentication.
Had been having a peculiar problem, where every request to the Web
server would give a 401 error, despite using HTTP/1.1 and the same
socket.
Discovered that having an application pool, I would have to register
it with SETSPN. And so I did. The 401 errors did go away, but a
stranger problem surfaced.
Now, and in the same socket, the GET requests give 200 OK, but the
POST requests give 401's. When the POST is made, authorization
information is given, but only regarding the workstation, and it gives
back the 401. The next POST, with the correct user authorization, gets
200 OK. Every single POST gives an error first.
I've tried several configurations at the browser, but with no success.
Even tried IE6 & IE7. No success. Using IIS6 & IE, on XP.
Is this a browser user, or might it be an AD problem?
rj

#2: Re: Kerberos, SETSPN, GET & POST

Posted on 2008-01-22 02:22:37 by Ken Schaefer

Hi,

The behaviour indicates that the browser is using NTLM authentication, not
Kerberos authentication.

You can verify this by looking in the Windows Security Event Log:
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/08/02/Two-easy-_2800_easier_3F002900_-ways-to-determine-Kerberos-from-NTLM-in-a-HTTP-capture.aspx

When using NTLM authentication and the browser is making a POST request, it
pre-emptively sends a Type 2 authentication message (without the POSTed
data). The server responds with a 401, and the browser sends a Type 3
request *with* the POSTed data. This is to avoid the situation where a user's
credentials might be potentially invalid, and all this data is being POSTed
across the wire.

I would remove the SPN you registered, since that isn't having any effect.

This shows how to configure Kerberos in a simple AuthN situation:
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx

Cheers
Ken

<raymond_b_jimenez@yahoo.com> wrote in message
news:f6b20dfc-0458-48c3-adab-760395c2768b@t1g2000pra.googlegroups.com...
>I have a web application that uses Integrated Windows Authentication.
> Had been having a peculiar problem, where every request to the Web
> server would give a 401 error, despite using HTTP/1.1 and the same
> socket.
> Discovered that having an application pool, I would have to register
> it with SETSPN. And so I did. The 401 errors did go away, but a
> stranger problem surfaced.
> Now, and in the same socket, the GET requests give 200 OK, but the
> POST requests give 401's. When the POST is made, authorization
> information is given, but only regarding the workstation, and it gives
> back the 401. The next POST, with the correct user authorization, gets
> 200 OK. Every single POST gives an error first.
> I've tried several configurations at the browser, but with no success.
> Even tried IE6 & IE7. No success. Using IIS6 & IE, on XP.
> Is this a browser user, or might it be an AD problem?
> rj

#3: Re: Kerberos, SETSPN, GET & POST

Posted on 2008-01-23 01:17:01 by raymond_b_jimenez

The browser is using Kerberos and I have checked it through both
Wireshark and Event Log.
I had set the SPN because all GET & POSTs were giving 401s. Now, the
401s have disappeared for the GETs.
Now, what is strange is that the socket is working OK, only with the
initial 401. But when a POST is made, the 401s reappear and the
authorization has to be made again and again.
rj

#4: Re: Kerberos, SETSPN, GET & POST

Posted on 2008-01-23 06:20:00 by Pom

Are you using .NET 1.1 or 2.0? Are you using a service account? If so, have a
look at this: http://msdn2.microsoft.com/en-us/library/ms998297.aspx

#5: Re: Kerberos, SETSPN, GET & POST

Posted on 2008-01-23 12:49:02 by Ken Schaefer

Can you please post your network captures? I'd like to see what is happening
on the wire.

A pattern of

POST 401 Domain\User <but no POST data>
POST 200 Domain\User <with POST data>

indicates that NTLM is being used, not Kerberos.

Thanks

Cheers
Ken


<raymond_b_jimenez@yahoo.com> wrote in message
news:8bb44f16-9d50-4317-b66d-99ccd2586c5d@p69g2000hsa.googlegroups.com...
> The browser is using Kerberos and I have checked it through both
> Wireshark and Event Log.
> I had set the SPN because all GET & POSTs were giving 401s. Now, the
> 401s have disappeared for the GETs.
> Now, what is strange is that the socket is working OK, only with the
> initial 401. But when a POST is made, the 401s reappear and the
> authorization has to be made again and again.
> rj
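
Added example (not part of the original thread or any poster's code): a Python sketch of the check discussed in posts #2 and #5, classifying the token in an `Authorization` header as NTLM or Kerberos and flagging the two-step POST pattern. It uses the NTLM specification's numbering (client Type 1 negotiate, server Type 2 challenge, client Type 3 authenticate); the function names and the sample exchange are constructed for illustration.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"  # signature that opens every NTLM message
# DER-encoded Kerberos mechanism OIDs found inside an SPNEGO token
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (legacy Microsoft)
)

def classify(auth_header):
    """Return (protocol, ntlm_message_type) for an Authorization header value."""
    scheme, _, b64 = auth_header.strip().partition(" ")
    if scheme.lower() not in ("ntlm", "negotiate"):
        return ("other", None)
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return ("malformed", None)
    pos = token.find(NTLMSSP)  # raw NTLM, or NTLM wrapped in SPNEGO
    if pos != -1 and len(token) >= pos + 12:
        (msg_type,) = struct.unpack_from("<I", token, pos + 8)
        return ("NTLM", msg_type)
    if any(oid in token for oid in KRB5_OIDS):
        return ("Kerberos", None)
    return ("unknown", None)

def find_ntlm_post_handshakes(exchanges):
    """exchanges: (method, Authorization value, request body length, status).
    Returns indexes where a bodyless NTLM Type 1 POST gets 401 and the next
    POST carries Type 3 plus the body and is accepted."""
    hits = []
    for i in range(len(exchanges) - 1):
        (m1, a1, n1, s1), (m2, a2, n2, s2) = exchanges[i], exchanges[i + 1]
        if (m1 == m2 == "POST" and n1 == 0 and s1 == 401 and n2 > 0 and s2 != 401
                and classify(a1) == ("NTLM", 1) and classify(a2) == ("NTLM", 3)):
            hits.append(i)
    return hits

def _hdr(raw):
    return "Negotiate " + base64.b64encode(raw).decode()

# Constructed tokens: real leading bytes, filler payloads (not valid credentials)
NTLM_T1 = _hdr(NTLMSSP + struct.pack("<II", 1, 0xE2088297))
NTLM_T3 = _hdr(NTLMSSP + struct.pack("<I", 3) + b"\x00" * 52)
KRB = _hdr(bytes.fromhex("6082050006062b0601050502") + KRB5_OIDS[0] + b"\x00" * 32)
SAMPLE = [("GET", KRB, 0, 200), ("POST", NTLM_T1, 0, 401), ("POST", NTLM_T3, 187, 200)]

if __name__ == "__main__":
    print([classify(e[1]) for e in SAMPLE], find_ntlm_post_handshakes(SAMPLE))
```

A `Negotiate` scheme in the header does not by itself mean Kerberos: the token has to be decoded, because the client can fall back to NTLM under the same scheme name.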

#6: Re: Kerberos, SETSPN, GET & POST

Posted on 2008-01-30 22:57:10 by raymond_b_jimenez

I can confirm it's NTLM. I had an idea that it was Kerberos, but the
Kerberos request is generating an error, and NTLM is therefore being
used.
Now, with Kerberos I get one 401 error per GET request, because the
credentials being given are the application pool user, not the user
using the application. POST's do go through, though.
If I set the SPNs, GET's only give the initial 401's (some strange
401's appear sometimes), and the next requests are OK, with no
authentication overhead. POST's give a 401 error, because the
credentials being given are the machine ones.

Either way, a lot of traffic is going on, and it shouldn't be.
Unfortunately, I cannot post the network captures.

Has anybody seen this type of behavior?

rj
