Kerberos, SETSPN, GET & POST

on 21.01.2008 22:41:28 by raymond_b_jimenez

I have a web application that uses Integrated Windows Authentication.
Had been having a peculiar problem, where every request to the Web
server would give a 401 error, despite using HTTP/1.1 and the same
socket.
Discovered that having an application pool, I would have to register
it with SETSPN. And so I did. The 401 errors did go away, but a
stranger problem surfaced.
Now, and in the same socket, the GET requests give 200 OK, but the
POST requests give 401's. When the POST is made, authorization
information is given, but only regarding the workstation, and it gives
back the 401. The next POST, with the correct user authorization, gets
200 OK. Every single POST gives an error first.
I've tried several configurations at the browser, but with no success.
Even tried IE6 & IE7. No success. Using IIS6 & IE, on XP.
Is this a browser user, or might it be an AD problem?
rj

Re: Kerberos, SETSPN, GET & POST

on 22.01.2008 02:22:37 by Ken Schaefer

Hi,

The behaviour indicates that the browser is using NTLM authentication, not
Kerberos authentication.

You can verify this by looking in the Windows Security Event Log:
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/08/02/Two-easy-_2800_easier_3F002900_-ways-to-determine-Kerberos-from-NTLM-in-a-HTTP-capture.aspx

When using NTLM authentication and the browser is making a POST request, it
pre-emptively sends a Type 2 authentication message (without the POSTed
data). The server responds with a 401, and the browser sends a Type 3
request *with* the POSTed data. This is to avoid the situation where a user's
credentials might be potentially invalid, and all this data is being POSTed
across the wire.

I would remove the SPN you registered, since that isn't having any effect.

This shows how to configure Kerberos in a simple AuthN situation:
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx

Cheers
Ken

wrote in message
news:f6b20dfc-0458-48c3-adab-760395c2768b@t1g2000pra.googlegroups.com...
>I have a web application that uses Integrated Windows Authentication.
> Had been having a peculiar problem, where every request to the Web
> server would give a 401 error, despite using HTTP/1.1 and the same
> socket.
> Discovered that having an application pool, I would have to register
> it with SETSPN. And so I did. The 401 errors did go away, but a
> stranger problem surfaced.
> Now, and in the same socket, the GET requests give 200 OK, but the
> POST requests give 401's. When the POST is made, authorization
> information is given, but only regarding the workstation, and it gives
> back the 401. The next POST, with the correct user authorization, gets
> 200 OK. Every single POST gives an error first.
> I've tried several configurations at the browser, but with no success.
> Even tried IE6 & IE7. No success. Using IIS6 & IE, on XP.
> Is this a browser user, or might it be an AD problem?
> rj

Re: Kerberos, SETSPN, GET & POST

on 23.01.2008 01:17:01 by raymond_b_jimenez

The browser is using Kerberos and I have checked it through both
Wireshark and Event Log.
I had set the SPN because all GET & POSTs were giving 401s. Now, the
401s have disappeared for the GETs.
Now, what is strange is that the socket is working OK, only with the
initial 401. But when a POST is made, the 401s reappear and the
authorization has to be made again and again.
rj

Re: Kerberos, SETSPN, GET & POST

on 23.01.2008 06:20:00 by Pom

Are you using .NET 1.1 or 2.0? Are you using a service account? If so, have a
look at this: http://msdn2.microsoft.com/en-us/library/ms998297.aspx

Re: Kerberos, SETSPN, GET & POST

on 23.01.2008 12:49:02 by Ken Schaefer

Can you please post your network captures? I'd like to see what is happening
on the wire.

A pattern of

POST 401 Domain\User
POST 200 Domain\User

indicates that NTLM is being used, not Kerberos.

Thanks

Cheers
Ken


wrote in message
news:8bb44f16-9d50-4317-b66d-99ccd2586c5d@p69g2000hsa.googlegroups.com...
> The browser is using Kerberos and I have checked it through both
> Wireshark and Event Log.
> I had set the SPN because all GET & POSTs were giving 401s. Now, the
> 401s have disappeared for the GETs.
> Now, what is strange is that the socket is working OK, only with the
> initial 401. But when a POST is made, the 401s reappear and the
> authorization has to be made again and again.
> rj
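
The two checks Ken describes in his replies (telling NTLM from Kerberos in an HTTP capture, and spotting POSTs that are answered with a 401) can be applied to captured `Authorization` header values. The following Python is an added example, not part of the thread; the function names and the sample tokens are constructed for illustration and the sample tokens are not structurally complete.

```python
import base64
import struct

# DER bodies of the Kerberos 5 OID (1.2.840.113554.1.2.2) and the
# legacy Microsoft Kerberos OID (1.2.840.48018.1.2.2) carried in SPNEGO.
KRB5_OIDS = (bytes.fromhex("2a864886f712010202"),
             bytes.fromhex("2a864882f712010202"))
NTLM_SIG = b"NTLMSSP\x00"

def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm-type-N' or 'unknown' for an Authorization value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return "unknown"
    # NTLM may be sent raw or wrapped in SPNEGO; the signature shows either way.
    # Message type: 1 = negotiate, 2 = challenge (server), 3 = authenticate.
    pos = token.find(NTLM_SIG)
    if pos != -1 and len(token) >= pos + 12:
        (msg_type,) = struct.unpack_from("<I", token, pos + 8)
        return f"ntlm-type-{msg_type}"
    # A GSS-API initial token starts with 0x60 and names its mechanism OID.
    if token[:1] == b"\x60" and any(oid in token for oid in KRB5_OIDS):
        return "kerberos"
    return "unknown"

def rechallenged_posts(exchanges):
    """Classify the token on each POST answered 401; items are (method, status, auth)."""
    return [classify_authorization(auth) for method, status, auth in exchanges
            if method == "POST" and status == 401]

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed sample tokens (shortened, not taken from a real capture).
SAMPLE_NTLM1 = "Negotiate " + _b64(NTLM_SIG + struct.pack("<II", 1, 0xA2088207))
SAMPLE_NTLM3 = "NTLM " + _b64(NTLM_SIG + struct.pack("<I", 3) + b"\x00" * 52)
SAMPLE_KRB = "Negotiate " + _b64(
    b"\x60\x82\x04\x00\x06\x06\x2b\x06\x01\x05\x05\x02"
    + b"\xa0\x0d\x30\x0b\x06\x09" + KRB5_OIDS[0] + b"\x00" * 16)
SAMPLE_CAPTURE = [("GET", 200, ""),
                  ("POST", 401, SAMPLE_NTLM1), ("POST", 200, SAMPLE_NTLM3)]

if __name__ == "__main__":
    for method, status, auth in SAMPLE_CAPTURE:
        print(method, status, classify_authorization(auth))
```

A non-empty result from `rechallenged_posts` whose entries start with `ntlm-` matches the POST 401 / POST 200 pattern described above.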

Re: Kerberos, SETSPN, GET & POST

on 30.01.2008 22:57:10 by raymond_b_jimenez

I can confirm it's NTLM. I had an idea that it was Kerberos, but the
Kerberos request is generating an error, and NTLM is therefore being
used.
Now, with Kerberos I get one 401 error per GET request, because the
credentials being given are the application pool user, not the user
using the application. POST's do go through, though.
If I set the SPNs, GET's only give the initial 401's (some strange
401's appear sometimes), and the next requests are OK, with no
authentication overhead. POST's give a 401 error, because the
credentials being given are the machine ones.

Either way, a lot of traffic is going on, and it shouldn't be.
Unfortunately, I cannot post the network captures.

Has anybody seen this type of behavior?

rj