Astaro User Bulletin Board
  #1 (permalink)  
Old 07-03-2009, 08:49 AM
Junior Member
 
Join Date: Jul 2009
Location: The Netherlands
Posts: 3
IIS Authentication problem

Hello guys,

One of our users is trying to access a website where authentication is required. We are running Astaro 7.402. The destination webserver is IIS. I tried the following:

- Surf to the site with Internet Explorer, without proxy. Authentication window appears.
- Surf to the site with Internet Explorer, with proxy. Authentication window doesn't appear.
- Surf to the site with Mozilla Firefox, without proxy. Authentication window appears.
- Surf to the site with Mozilla Firefox, with proxy. Authentication window appears.

I also sniffed the headers from the destination site.

Without proxy:
Code:
GET /x/x/index.html HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 GTB5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cache-Control: max-age=0

HTTP/1.x 401 Unauthorized
Content-Length: 1656
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Fri, 03 Jul 2009 06:50:05 GMT

With proxy:
Code:
GET /x/x/index.html HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 GTB5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cache-Control: max-age=0

HTTP/1.x 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Fri, 03 Jul 2009 06:50:59 GMT
Content-Length: 1656
Accept-Ranges: none
Proxy-Connection: Keep-Alive

It seems that Astaro strips one of the two WWW-Authenticate arguments. Is there a solution for this problem? I tried searching the forum, but didn't find a good solution for this.

Thanks in advance,

Jasper

Last edited by skar; 07-03-2009 at 09:00 AM.
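
The comparison made by hand in the post above can be scripted. This is an added example, not part of the original post: the two header blocks are constructed from the 401 responses quoted there, and the function names are hypothetical.

```python
import re

# Constructed samples: trimmed copies of the two 401 responses quoted above.
DIRECT = """HTTP/1.x 401 Unauthorized
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
"""
VIA_PROXY = """HTTP/1.x 401 Unauthorized
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM
Proxy-Connection: Keep-Alive
"""

# An HTTP token (scheme or parameter name) followed by the rest of the piece.
TOKEN = re.compile(r"\s*([!#$%&'*+\-.^_`|~0-9A-Za-z]+)(.*)")
# A quoted-string, including backslash-escaped characters.
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')


def challenge_schemes(raw_headers):
    """Return the auth schemes offered in WWW-Authenticate, in order."""
    schemes = []
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        # Blank out quoted-strings so commas inside a realm do not split.
        flat = QUOTED.sub('""', value)
        for part in flat.split(","):
            m = TOKEN.match(part)
            # Pieces like realm="..." are parameters, not a new scheme.
            if m and not m.group(2).lstrip().startswith("="):
                schemes.append(m.group(1).lower())
    return schemes


def stripped_schemes(direct, via_proxy):
    """Schemes the origin offered that are missing behind the proxy."""
    seen = set(challenge_schemes(via_proxy))
    return [s for s in challenge_schemes(direct) if s not in seen]


if __name__ == "__main__":
    print("missing behind proxy:", stripped_schemes(DIRECT, VIA_PROXY))
```

The parser also accepts several challenges on one header line (for example `Negotiate, NTLM`), which some servers and intermediaries emit instead of repeated headers.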
  #2 (permalink)  
Old 07-03-2009, 04:29 PM
Senior Member
 
Join Date: Apr 2008
Posts: 155

I have a similar issue with SharePoint hosted sites using NTLM authentication but no fix.

Have you tried a browser exception for this site?
  #3 (permalink)  
Old 07-03-2009, 05:10 PM
BAlfson's Avatar
Moderator
 
Join Date: Mar 2007
Location: Oklahoma City
Posts: 5,391

Just to try to find the bug, does your problem go away if you restart ntlm?

/var/mdw/scripts/ntlm restart

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
  #4 (permalink)  
Old 07-04-2009, 03:19 PM
Junior Member
 
Join Date: Jul 2009
Location: The Netherlands
Posts: 3

Sorry that I didn't mention it, but we do not need automated authentication using NTLM, but just a window which asks the login credentials. When surfing the web using Astaro, it seems that Astaro filters one of the two headers, which is the WWW-Authenticate: Negotiate argument which is probably the cause IE doesn't get what I want.
  #5 (permalink)  
Old 07-20-2009, 09:56 AM
Junior Member
 
Join Date: Jul 2009
Location: The Netherlands
Posts: 3

I want to give this topic a little kick. I can imagine that I'm not the only one with this problem, or am I?
  #6 (permalink)  
Old 07-20-2009, 10:03 AM
svens's Avatar
Senior Member
 
Join Date: Nov 2005
Posts: 260

It's intended that this header is stripped off - using Kerberos over the HTTP Proxy is not supported.
__________________
Sven Schnelle
Software Architect
Astaro AG
  #7 (permalink)  
Old 07-20-2009, 03:40 PM
Senior Member
 
Join Date: Apr 2008
Posts: 155

Why wouldn't they support Kerberos? How the heck are they supposed to authenticate?

Also, this problem is regarding NTLM which shouldn't be used over the internets but fails just-the-same...
  #8 (permalink)  
Old 07-21-2009, 06:41 PM
Junior Member
 
Join Date: Mar 2009
Posts: 20

This issue occurred for one of my end-users after I switched to the Astaro from Microsoft ISA server array. Suddenly a website they were maintaining would not prompt them for credentials. As it turns out, the hosting company has Windows Integrated Authentication turned on on the IIS server. However, when using Firefox, you are prompted to log in. I would also like to find out the solution, because the only other solution is to reconfigure the server to provide Basic Auth over SSL (which of course would be better anyway) but we're looking at a little bit of downtime and some extra cost for the host to rejigger the website.
  #9 (permalink)  
Old 07-22-2009, 03:50 PM
Senior Member
 
Join Date: Apr 2008
Posts: 155

If that is true in my case it is still an issue as I have no control on the settings for the web server settings outside of my control.

If their website is misconfigured, we still need a way to authenticate NTLM thru proxy as the end-user will never understand why it doesn't work.

Rock -> hard place...
  #10 (permalink)  
Old 07-22-2009, 04:52 PM
Junior Member
 
Join Date: Mar 2009
Posts: 20

I did receive a reply from the web developer of our site, who put in a bogus Basic Authentication w/ SSL page up to test, and of course IE popped right up with a dialog when hitting it, so that's going to be the fix for us. NTLM was likely left enabled by the hosting company.

All times are GMT.