We are using IIS 7.5 with only Windows authentication enabled. The providers are NTLM and Negotiate (since we want it to be accessible via the internet).

The client is Silverlight calling WCF services. Even though we have a session established, the client sends the Negotiate header and the server returns 401 with some authentication token. This happens intermittently, with many successful calls (intermingled with failed calls).

Many calls work fine and just send the session ID, and everything works fine.

In Fiddler we see the following:

Client sends

Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw== ASP.NET_SessionId=0ix0fqf02j1imrpfc4awit3w

Server sends

WWW-Authenticate: Negotiate TlRMTVNTUAACAAAACgAKADgAAAAVgonitqRU/FVLp9EAAAAAAAAAAI4AjgBCAAAABgGxHQAAAA9BAEQATABBAEIAAgAKAEEARABMAEEAQgABAA4AQwBJAFIAVAAtAEQAMwAEABYAYQBkAGwAYQBiAC4AbABvAGMAYQBsAAMAJgBDAEkAUgBUAC0ARAAzAC4AYQBkAGwAYQBiAC4AbABvAGMAYQBsAAUAFgBhAGQAbABhAGIALgBsAG8AYwBhAGwABwAIAMsTFgtFNc4BAAAAAA

1 Answers

I'm not positive I understand your question but I'm guessing that you want to resolve the intermittent NTLM failures?

The headers you describe are part of the challenge response protocol of NTLM. Here's a more complete example:

Client: GET / HTTP/1.1

Server: HTTP/1.1 401 Unauthorized
        WWW-Authenticate: Negotiate
        WWW-Authenticate: NTLM

Client: GET / HTTP/1.1
        Authorization: Negotiate ###################### (encrypted Negotiate)

Server: HTTP/1.1 401 Unauthorized
        WWW-Authenticate: Negotiate ###################### (encrypted Challenge)

Client: GET / HTTP/1.1
        Authorization: Negotiate ###################### (encrypted Response)

Server: HTTP/1.1 200 OK

It's probably a bad idea to use this Authentication method across the public internet; it's intended to be used within private intranets where both client and server can access a common Windows Active Directory Domain.

I suspect that your issue may be addressed in the "You are intermittently prompted for credentials or experience time-outs when you connect to Authenticated Services" KB article.

Here are some other related references:
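
Added example, not part of the original answer: a small Python decoder run over the two tokens quoted in the question, showing that both `Negotiate` headers carry raw NTLM messages (Type 1 and Type 2) rather than Kerberos, and that the Type 2 challenge hands the server's NetBIOS and DNS names to a client that has not yet authenticated. The function names are this example's own; field offsets follow the published NTLM message layout (MS-NLMP).

```python
import base64
import struct

# Tokens copied from the Fiddler capture quoted in the question.
TYPE1 = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
TYPE2 = (
    "TlRMTVNTUAACAAAACgAKADgAAAAVgonitqRU/FVLp9EAAAAAAAAAAI4AjgBCAAAABgGxHQAAAA9B"
    "AEQATABBAEIAAgAKAEEARABMAEEAQgABAA4AQwBJAFIAVAAtAEQAMwAEABYAYQBkAGwAYQBiAC4A"
    "bABvAGMAYQBsAAMAJgBDAEkAUgBUAC0ARAAzAC4AYQBkAGwAYQBiAC4AbABvAGMAYQBsAAUAFgBh"
    "AGQAbABhAGIALgBsAG8AYwBhAGwABwAIAMsTFgtFNc4BAAAAAA"
)
# String-valued AV pair ids from the NTLM TargetInfo structure (MS-NLMP).
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName"}


def parse_av_pairs(buf):
    """Walk the TargetInfo list: (id, length, value) records ended by id 0."""
    pairs, pos = {}, 0
    while pos + 4 <= len(buf):
        av_id, av_len = struct.unpack_from("<HH", buf, pos)
        if av_id == 0:
            break
        if av_id in AV_NAMES:
            value = buf[pos + 4:pos + 4 + av_len]
            pairs[AV_NAMES[av_id]] = value.decode("utf-16-le", "replace")
        pos += 4 + av_len
    return pairs


def parse_ntlm(b64):
    """Classify a Negotiate/NTLM header token and decode a Type 2 challenge."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # restore lost padding
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        # Kerberos under Negotiate arrives as an ASN.1 SPNEGO blob instead.
        return {"mechanism": "not raw NTLM"}
    out = {"mechanism": "NTLM", "type": struct.unpack_from("<I", raw, 8)[0]}
    if out["type"] != 2 or len(raw) < 48:
        return out
    name_len, _, name_off, flags = struct.unpack_from("<HHII", raw, 12)
    info_len, _, info_off = struct.unpack_from("<HHI", raw, 40)
    enc = "utf-16-le" if flags & 0x1 else "latin-1"  # NEGOTIATE_UNICODE bit
    out["flags"] = flags
    out["challenge"] = raw[24:32].hex()
    out["target_name"] = raw[name_off:name_off + name_len].decode(enc, "replace")
    out["target_info"] = parse_av_pairs(raw[info_off:info_off + info_len])
    return out


if __name__ == "__main__":
    for token in (TYPE1, TYPE2):
        print(parse_ntlm(token))
```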