Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 16 replies
  • Subscribers 1 subscriber
  • Views 11247 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IIS Authentication problem

skar
Hello guys,

One of our users is trying to access an website where authentication is required. We are running Astaro 7.402. The destination webserver is IIS. I tried the following:

- Surf to the site with Internet Explorer, without proxy. Authentication window appears.
- Surf to the site with Internet Explorer, with proxy. Authentication window doesn't appear.
- Surf to the site with Mozilla Firefox, without proxy. Authentication window appears.
- Surf to the site with Mozilla Firefox, with proxy. Authentication window appears.

I also sniffed the headers from the destination site.

Without proxy: 
GET /x/x/index.html HTTP/1.1

Host: x.x.x.x

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 GTB5 (.NET CLR 3.5.30729)

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: nl,en-us;q=0.7,en;q=0.3

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Connection: keep-alive

Cache-Control: max-age=0



HTTP/1.x 401 Unauthorized

Content-Length: 1656

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: Negotiate

WWW-Authenticate: NTLM

X-Powered-By: ASP.NET

Date: Fri, 03 Jul 2009 06:50:05 GMT


With proxy: 
GET /x/x/index.html HTTP/1.1

Host: x.x.x.x

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 GTB5 (.NET CLR 3.5.30729)

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: nl,en-us;q=0.7,en;q=0.3

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Proxy-Connection: keep-alive

Cache-Control: max-age=0



HTTP/1.x 401 Unauthorized

Content-Type: text/html

Server: Microsoft-IIS/6.0

WWW-Authenticate: NTLM

X-Powered-By: ASP.NET

Date: Fri, 03 Jul 2009 06:50:59 GMT

Content-Length: 1656

Accept-Ranges: none

Proxy-Connection: Keep-Alive


It seems that Astaro strips one of the two WWW-Authenticate arguments. Is there an solution for this problem. I tried searching the forum, but didn't find a good solution for this. 

Thanks in advance,

Jasper


This thread was automatically locked due to age.
  • 0
    I have a similar issue with SharePoint hosted sites using NTLM authentification but no fix.

    Have you tried a bowser exception for this site?
  • 0 in reply to Kingbuzzo
    Just to try to find the bug, does your problem go away if you restart ntlm?

    var/mdw/scripts/ntlm restart

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Sorry that I didn't mention it, but we do not need automated authentication using NTLM, but just a window which asks the login credentials. When surfing the web using Astaro, it seems that Astaro filters one of the two headers, which is the WWW-Authenticate: Negotiate argument which is probably the cause IE doesn't get what I want.
  • 0
    I want to give this topic a little kick. I can imagine that i'm not the only one with this problem, or am I?
  • 0
    It's intented that this header is stripped off - Using Kerberos over the HTTP Proxy is not supported.
  • 0 in reply to svens
    Why wouldn't they support Kerberos?  How the heck are they supposed to authenticate?

    Also, this problem is regarding NTLM which shouldn't be used over the internets but fails just-the-same...
  • FormerMember
    0 FormerMember
    This issue occurred for one of my end-users after I switched to the Astaro from Microsoft ISA server array. Suddenly a website they were maintaining would not prompt them for credentials. As it turns out the hosting company has Windows Integrated Authentication turned on on the IIS server. However, when using Firefox, you are prompted to log in. I would also like to find out the solution, because the only other solution is to reconfigure the server to provide Basic Auth over SSL (which of course would be better anyway) but we're looking at a little bit of downtime and a some extra cost for the host to rejigger the website.
  • 0 in reply to FormerMember
    If that is true in my case it is still an issue as I have no control on the settings for the web server settings outside of my control.

    If their website is misconfigured, we still need a way to authenticate NTLM thru proxy as the end-user will never understand why it doesn't work.

    Rock -> hard place...
  • FormerMember
    0 FormerMember
    I did receive a reply from the web developer of our site, who put in a bogus Basic Authentication w/ SSL page up to test, and of course IE popped right up with a dialog when hitting it, so that's going to be the fix for us. NTLM was likely left enabled by the hosting company.
  • 0 in reply to FormerMember
    I hope Schnelle comes back to comment on this.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA