IIS authentication (Kerberos and Integrated security)

I need help with Kerberos and Windows integrated security.

My system is:
All the servers and clients are in the same domain with the same OS: Windows Server 2003 Enterprise R2 SP2
Domain controller, IIS, client.
Internet Explorer 6 SP2

I open IE 6 and request a page. The resource is protected (using Windows Integrated Authentication, with no anonymous allowed). A login screen prompts me. I put in a valid login and pwd, and I get the page. This is the sequence:
----------
GET /home/home.aspx HTTP/1.1\r\n
HTTP/1.1 401 Unauthorized\r\n

Kerberos AS-REQ
Kerberos AS-REP
Kerberos TGS-REQ
Kerberos TGS-REP

GET /home/home.aspx HTTP/1.1\r\n
[truncated] Authorization: Negotiate YIIEnQYGKw......

HTTP/1.1 200 OK\r\n
[truncated] WWW-Authenticate: Negotiate oYGfMIGcoA......
----------

Question 1: in the OK response, how does the IIS server generate the WWW-Authenticate header? I thought that it should be the same value that the client sends to the server in its Authorization header.

Let's follow. I press F5 and reload the page. Obviously I don't need to put in my login/pwd again and I get the same page. This is the sequence:
----------
GET /home/home.aspx HTTP/1.1\r\n
HTTP/1.1 401 Unauthorized\r\n

Kerberos AS-REQ
Kerberos AS-REP
Kerberos TGS-REQ
Kerberos TGS-REP

Question 2: Why doesn't the next request have an Authorization header and reuse the token? Why does it need to get a new ticket from the KDC??

GET /home/home.aspx HTTP/1.1\r\n
[truncated] Authorization: Negotiate YIIEnQYGKw......

HTTP/1.1 200 OK\r\n
[truncated] WWW-Authenticate: Negotiate oYGfMIGcoA......
----------

Question 3: The last request/response has the same header values as the first. It seems that the client "reuses" the ticket. But, if this is true, why does it need the (AS-REQ, AS-REP, TGS-REQ, TGS-REP) cycle again?? Why, when I press F5, is the client request not directly:
GET /home/home.aspx HTTP/1.1\r\n
[truncated] Authorization: Negotiate YIIEnQYGKw......
----------

Any help will be gratefully appreciated.
Thanks a lot.

Hi,
In case you haven't solved this yet... In answer to your questions:

WWW-Authenticate and Authorization: headers do not contain the same information. Most challenge/response authentication protocols rely on a challenge being issued, and the client using that to develop a response which is sent back to the server. In this case this includes the Kerberos service ticket.

Your second question - why is the AS and TGS stuff sent again? I don't really know. Those packets are sent by the client (e.g. browser or HTTP client) to the domain controller. In your case, the client is *not* sending the correct authorization data to the server for the second request. The server issues 401. Now it is up to the client to decide what to do. Your client seems to be going to the DC to get another service ticket - why, I don't know.

Cheers
Ken

"lobezno" <lobe***@discussions.microsoft.com> wrote in message news:9A9B207F-885C-4C50-8D46-EAE1F48E10DB@microsoft.com...
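Added example, not part of either post above: a small decoder for the two Negotiate tokens in the trace, to make Ken's point about the headers concrete. Under RFC 4178 / RFC 4559 the Authorization value is a GSS-API InitialContextToken (outer DER tag 0x60, then the SPNEGO OID 1.3.6.1.5.5.2) wrapping a NegTokenInit with the client's mechanism list and its Kerberos AP-REQ, while the WWW-Authenticate value on the 200 is a bare NegTokenResp (outer tag 0xa1) carrying negState and the server's response token, which is the AP-REP when the client asked for mutual authentication. The two can therefore never be the same bytes. Because the tokens in the post are truncated, the script builds its own constructed sample tokens (real SPNEGO framing, placeholder bytes where the AP-REQ/AP-REP would be) and only uses the visible prefixes YIIEnQYGKw and oYGfMIGcoA from the trace to classify the outer tag. The OID constants, the DER helpers and the function names are all my own.

```python
import base64

SPNEGO_OID, KRB5_OID = "1.3.6.1.5.5.2", "1.2.840.113554.1.2.2"          # RFC 4178 / RFC 4121
MSKRB5_OID, NTLM_OID = "1.2.840.48018.1.2.2", "1.3.6.1.4.1.311.2.2.10"  # MS-SPNG mechanism OIDs
MECH_NAMES = {KRB5_OID: "Kerberos V5", MSKRB5_OID: "MS KRB5", NTLM_OID: "NTLMSSP"}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def tlv(tag, body):  # DER tag-length-value, long-form length above 127 bytes
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:  # base-128 groups, high bit set on all but the last group
        groups = [a & 0x7F]
        while a := a >> 7:
            groups.insert(0, 0x80 | (a & 0x7F))
        out.extend(groups)
    return tlv(0x06, bytes(out))

def dec_oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):  # one DER element at buf[pos] -> (tag, value, next position)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(buf):  # (tag, value) pairs inside a constructed element's body
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def build_neg_token_init(mech_oids, mech_token):
    # Client: GSS InitialContextToken [APPLICATION 0] { SPNEGO OID, [0] NegTokenInit }
    mech_list = tlv(0xA0, tlv(0x30, b"".join(enc_oid(o) for o in mech_oids)))
    seq = tlv(0x30, mech_list + tlv(0xA2, tlv(0x04, mech_token)))
    return tlv(0x60, enc_oid(SPNEGO_OID) + tlv(0xA0, seq))

def build_neg_token_resp(state, mech_oid, response_token):
    # Server: bare [1] NegTokenResp { [0] negState, [1] supportedMech, [2] responseToken }
    seq = tlv(0xA0, tlv(0x0A, bytes([state]))) + tlv(0xA1, enc_oid(mech_oid))
    return tlv(0xA1, tlv(0x30, seq + tlv(0xA2, tlv(0x04, response_token))))

def parse_negotiate(header_value):
    """Decode the value of an 'Authorization:' or 'WWW-Authenticate:' Negotiate header."""
    raw = base64.b64decode(header_value.split(None, 1)[1])
    tag, body, _ = read_tlv(raw)
    if tag == 0x60:  # client side
        oid_tag, oid, pos = read_tlv(body)
        if oid_tag != 0x06 or dec_oid(oid) != SPNEGO_OID:
            raise ValueError("InitialContextToken is not SPNEGO")
        info = {"type": "NegTokenInit", "mechTypes": [], "mechToken": None}
        for t, v in children(read_tlv(read_tlv(body, pos)[1])[1]):  # [0] -> SEQUENCE body
            if t == 0xA0:
                info["mechTypes"] = [MECH_NAMES.get(dec_oid(o), dec_oid(o))
                                     for _, o in children(read_tlv(v)[1])]
            elif t == 0xA2:
                info["mechToken"] = read_tlv(v)[1]
        return info
    if tag == 0xA1:  # server side
        info = {"type": "NegTokenResp", "negState": None, "supportedMech": None, "responseToken": None}
        for t, v in children(read_tlv(body)[1]):
            if t == 0xA0:
                info["negState"] = NEG_STATE[read_tlv(v)[1][0]]
            elif t == 0xA1:
                oid = dec_oid(read_tlv(v)[1])
                info["supportedMech"] = MECH_NAMES.get(oid, oid)
            elif t == 0xA2:
                info["responseToken"] = read_tlv(v)[1]
        return info
    raise ValueError("unexpected outer tag 0x%02x" % tag)

def outer_kind(b64_prefix):  # classify a possibly truncated base64 token by its first DER tag
    first = base64.b64decode(b64_prefix[: len(b64_prefix) // 4 * 4])[0]
    return {0x60: "NegTokenInit", 0xA1: "NegTokenResp"}.get(first, "unknown")

def demo():
    # Constructed sample exchange: real SPNEGO framing, placeholder bytes instead of AP-REQ/AP-REP.
    client = build_neg_token_init([KRB5_OID, MSKRB5_OID, NTLM_OID], b"<constructed AP-REQ>")
    server = build_neg_token_resp(0, KRB5_OID, b"<constructed AP-REP>")
    return tuple(parse_negotiate("Negotiate " + base64.b64encode(t).decode()) for t in (client, server))

if __name__ == "__main__":
    print(*demo(), sep="\n")
    print(outer_kind("YIIEnQYGKw"), outer_kind("oYGfMIGcoA"))  # the two prefixes from the trace above
```

Running it prints the decoded client token (mechTypes Kerberos V5, MS KRB5, NTLMSSP plus the mechToken) and the decoded server token (negState accept-completed, supportedMech Kerberos V5 plus the responseToken), then classifies the posted prefixes as NegTokenInit and NegTokenResp respectively; the first bytes of the posted Authorization value, 60 82 04 9d 06 06 2b, are exactly the InitialContextToken tag, a two-byte length and the start of the SPNEGO OID that enc_oid produces. The check that the OID really is SPNEGO matters in practice: a raw Kerberos or NTLM token can also appear after "Negotiate" in some clients, and it starts with a different OID or no InitialContextToken at all.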