I have a scenario wherein my ASP.NET MVC 3 web application hosted in IIS 7/Windows 2008 is accessing a WCF web service from another server, also hosted in IIS/Windows 2008. KCD is setup between the two servers and I have the necessary SPNs set up as well.
I have confirmed this working in IE. Using NetMon, I have also confirmed that KCD is working at the backend. My web app is running under machine account (network service) and the SPNs are setup accordingly for this machine account. The issue is when I use Safari on both my Windows and Mac OS X (Lion) machine, I am getting a 401 Unauthorized error:
The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'.
Looking at NetMon, it is failing because the request to the WCF web service is falling back to NTLM.
Note that both Windows and Mac machines are part of our domain, and I'm using my same Windows credentials on both machines.
I know that Safari supports Kerberos authentication, but there seems to be an issue when delegating from my web app to the WCF service. Is it an issue with Safari, or with WCF?
Thanks in advance!
Update:
In Safari on Mac, when I first access the web application, I can see in Wireshark and NetMon that there is a valid Kerberos token being passed along the HTTP request (i'm not getting a 401 Unauthorized error). But when my web application tries to access the backend web service, I can see in that particular HTTP request that the token being passed along is now an NTLM token.
I'm using basicHttpBinding with TransportCredentialOnly as the security mode - I also specified in web.config the SPN identity of the backend web service's endpoint (HTTP/FQDN of backend web service server). Windows Auth is of course enabled on both IIS sites with "use kernel mode" turned on, and with useAppPoolCredentials set to true on the appHost.config of both sites. Again this is just for Safari on Mac, Firefox and Chrome are both working fine.
Check in Wireshark whether Safari sends a delegable/forwardable ticket.
Are you able to access the backend service directly? Is credential delegation on, I guess the ticket is not delegable? Safari has to request this. Firefox and IE do. The NTLM token passed is a token from your server. There is no delegation support in NTLM. There is something wrong with the target host.
Looking at the Wireshark traces, it seems that Safari is requesting for a Kerberos ticket that is not forwardable. Due to this flag, the Kerberos ticket is not forwarded / delegated to the next hop, causing the authentication to fall back to NTLM and fail.
Comparing this to the TGS request requested by IE, Firefox and Chrome, they all have a forwardable flag set.
I also tried doing a klist -F in Mac OS X to retrieve tickets that are forwardable, but Safari will still request for a separate ticket that doesn't have the forwardable flag.
Which brings me to a conclusion that Safari on Mac DOES NOT support delegation.
Related
I have been struggling with getting Windows authentication to work on IIS10 for a .Net Core API. The error I am getting is 401.2:
You are not authorized to view this page due to invalid authentication headers.
I have made the following configurations:
Only windows authentication has been enabled on the site (Anonymous is disabled)
SPNs have been created for the site and the server has been enabled for delegation.
The application pool is configured to run under a domain account
Both cURL and Postman give me the same result. Interestingly, when I make use of the SwaggerUI on the API directly, I get the expected behavior, but when making external calls (from another server), I get the 401.2 error.
Some additional content from the error is that the Logon Method and Logon User is Not Yet Determined.
How do I resolve this issue?
I was under the assumption that Postman and cURL were sending the NTLM credentials/token as a part of the request by default, but was incorrect. I had to enable Failed Request Tracing on IIS and saw that they were trying to make use of anonymous authentication. Apparently Postman does not support NTLM authentication so I made use of cURL and appended the credentials. With this I could get the authentication to work with cURL.
I am developing a web api. When I ran web api in local workstation by Visual Studio and used Fiddler or IE to consume it, all things were fine.
But if I deployed it into a remote IIS server, I get 401 error code in IE, Fiddler or client application. Even I enable Anonymous Authentication in IIS, 401 still occurs.
Could anyone give me some suggestions?
Thanks.
You can right click in the Authentification the "Anonymous Authentification" and select Edit. From there, you can assign on which credential you run the Anonymous authentification. If you set your own account, it should work (or any account that can run the web api).
I am trying to call a Sharepoint Web Service via WCF from inside a .ASHX on a different server. My code works if I run inside of Visual Studio's debug web server, but not from IIS. The working server works in various authentication modes (Kerberos, NTLM), and the non-working one doesn't work in any. I am impersonating the same user in both cases.
Using NTLM, I recorded a working session and non-working session in Wireshark. In the working one, Wireshark parses the NTLM data and reports a DOMAIN and USER NAME that I expect. In the non-working one, it shows
DOMAIN: NULL
USER NAME: NULL
I have debugged in IIS and impersonation is definitely working at the point of the service call. If I check WindowsIdentity.GetCurrent(), it's the user I expect.
If I inspect the WCF service proxy on the working and non-working servers, they look identical -- the part that deals with ClientCredentials is set to "" for Username and Password for both versions.
Any ideas on what else to check? Why would the NTLM data have DOMAIN and USER NAME set to NULL -- where does it pick that up from?
According to this:
http://support.microsoft.com/kb/207671
When IIS services an HTTP request, IIS performs impersonation so that access to resources to handle the request is limited appropriately. The impersonated security context is based on the kind of authentication performed for the request. The five different types of authentication available from IIS 4.0 are:
Authentication Type Impersonation Type
------------------------------------ ---------------------
Anonymous Access (no authentication) Network
Auto Password Synchronization is
ON (ON=default)
Anonymous Access (no authentication) IIS Clear Text
Auto Password Synchronization is OFF
Basic Authentication IIS Clear Text
NT Challenge/Response Authentication Network
Client SSL Certificate Mapping Interactive
In my case, I have a Network Token, but
Network tokens are "NOT" permitted to access network resources. (Network tokens are named so because this kind of token is traditionally created by a server when a user is authenticated across the network. To allow the server to use a network token to act as a network client and access another server is called "delegation" and is considered a possible security hole.)
The KB has many possible ways to avoid the problem
I've written a couple of asp .net HTML applications designed for use on small blackberry devices. The BB OS versions are from 4.6 to 5.0.
The sites use Windows authentication to log the user in. Is there a way to allow the user to logout of the applications so that any further revisit will prompt them for the NTLM credentials again?
Thanks,
Brian.
If you are using an MDS proxy it's that handling the NTLM authentication to the end server. You will likely be using basic authentication between the phone and proxy.
There isn't an MDS API that will tell it to re-authenticate. The best you can do via MDS is bypass authentication all together but then you will need to manage NTLM yourself:
What is the correct header value to bypass MDS HTTP authentication?
Another option is to write your own logout API on your .NET application which deletes your session cookie. That way MDS will be forced to re-negotiate NTLM at the next attempt.
note: The bypass option is available in Enterprise Server 4.1.7 and above, it's not available in the simulator.
I have a iPad application. In which I am making a proxy object using WCF data services(OData).
While initializing an object I am getting authentication required error. My service is authentication configured as windows authentication on the IIS 7.0.
Can anyone help me, How can I send windows credentials to get access of all the verbs (POST,GET,DELETE and etc.) ?
You must configure your service for anonymous access (or Basic authentication) if you want to access it from iPad. Windows authentication is only for devices which are part of your windows domain (or for local authentication).