NTLM and many duplicated requests

Tom
Hi,

I have activated NTLM authentication on IIS on Windows 2003, and the log
files show that for each request, three or four hits are generated.

Typically, the first and second hit get a 401 (authentication required) and
the third hit is successful (200). While I understand this is normal
behaviour with NTLM (the browser attempts an anonymous connection first) on
the first connection, I don't understand why this is also happening for all
subsequent requests, from the same machine/browser. It looks like the
security context is lost at each request generated by the web browser.

Example:

/default.aspx 401 (no username)
/default.aspx 401 (no username)
/default.aspx 200 Domain\user
/picture.gif 401 (no username)
/picture.gif 401 (no username)
/picture.gif 200 Domain\user

If there is no way to improve this, it means that NTLM generates three times
more hits than an anonymous site, so not too efficient.

Help appreciated!

Thanks,
Tom
Nov 18 '05 #1
Every browser request is a new session, so the handshaking is required. If
the pages include images, JavaScript, etc., and keepalive (HTTP 1.1) is used,
then these will be fetched without the handshake code. After a page is
loaded, the browser closes the session.

-- bruce (sqlwork.com)

Nov 18 '05 #2
Tom
Thanks, but I do get the same behaviour for pictures and other files, and
keep alive is enabled on the web server...
Nov 18 '05 #3
This is not normal...

If keep-alives are in fact being used, then the HTTP connection should be
authenticated, and the browser should continue to send the existing
credentials for subsequent requests. If the browser is *not* sending
credentials for subsequent requests (the "no username" bit), then something
may be running on the client machine that is preventing that. I would check
there first.

Cheers
Ken
Nov 18 '05 #4
Tom
Thanks.

The same behavior happens from several computers, running several versions
of IE, so I don't think the issue is client related...
Nov 18 '05 #5
Is there a proxy server between the clients and the server?

Do the client machines have any sort of "internet protection software"
installed on them?

Can you get a network trace of the traffic (e.g. using Ethereal:
www.ethereal.com)?

It is up to the browser to send the user's credentials to the server.
Usually what should happen:
a) the first request to the server is anonymous. Server rejects anonymous
request, sends back acceptable authentication types
b) browser prompts user for credentials, and sends those to the server
c) if the server finds the credentials acceptable, the server sends back the page
d) provided that the server said 200 OK for (c), then the browser will
continue sending the same credentials for each subsequent request to the
server until the server says "not OK"

Cheers
Ken
Nov 18 '05 #6
Tom
Ken,

There is no proxy server or firewall between the computer and the web
servers.

The machines have a standard version of IE 6.0, with no plug-in or specific
software, apart from the standard Windows XP firewall...

Thanks,
Tom
Nov 18 '05 #7
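
An added example, not part of the original thread: one way to measure from the server side the pattern discussed above, by parsing IIS W3C extended log lines and reporting, per client, how many answered requests were preceded by 401 responses. The log sample, addresses and account names are constructed, and the field list in the `#Fields` line is an assumption about how logging is configured.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (not from the thread's server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2005-01-10 10:00:01 192.0.2.5 - GET /default.aspx 401
2005-01-10 10:00:01 192.0.2.5 - GET /default.aspx 401
2005-01-10 10:00:01 192.0.2.5 DOMAIN\\user GET /default.aspx 200
2005-01-10 10:00:02 192.0.2.5 - GET /picture.gif 401
2005-01-10 10:00:02 192.0.2.5 - GET /picture.gif 401
2005-01-10 10:00:02 192.0.2.5 DOMAIN\\user GET /picture.gif 200
2005-01-10 10:00:05 192.0.2.9 - GET /default.aspx 401
2005-01-10 10:00:05 192.0.2.9 - GET /default.aspx 401
2005-01-10 10:00:05 192.0.2.9 DOMAIN\\other GET /default.aspx 200
2005-01-10 10:00:06 192.0.2.9 DOMAIN\\other GET /picture.gif 200
"""


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def handshake_stats(entries):
    """Per client: total hits, answered requests, and requests preceded by 401s."""
    pending = defaultdict(int)  # (client, uri) -> 401s seen since the last answer
    stats = defaultdict(lambda: {"hits": 0, "answered": 0, "challenged": 0})
    for e in entries:
        key = (e["c-ip"], e["cs-uri-stem"])
        s = stats[e["c-ip"]]
        s["hits"] += 1
        if e["sc-status"] == "401":
            pending[key] += 1
        else:
            s["answered"] += 1
            s["challenged"] += bool(pending.pop(key, 0))
    return dict(stats)


def report(text):
    """Map each client to (label, log hits per answered request)."""
    out = {}
    for client, s in handshake_stats(parse_w3c(text)).items():
        if not s["answered"]:
            label = "only 401s"
        elif s["challenged"] == s["answered"]:
            label = "challenged on every request"
        else:
            label = "some requests served without a challenge"
        ratio = round(s["hits"] / s["answered"], 2) if s["answered"] else None
        out[client] = (label, ratio)
    return out


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The fields used here carry no connection identifier, so the report shows how often a client is re-challenged but not whether its TCP connection was reused; the network trace Ken asks for is what answers that.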
