IIS - Internet Explorer sending Kerberos tickets with every request, even when persist-auth is enabled
I have an intranet site hosted on IIS 7 with Windows authentication, configured to accept Negotiate. I set the configuration setting to use per-connection Kerberos (non-NTLM) authentication:

    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication authPersistNonNTLM="true" />
        </authentication>
      </security>
    </system.webServer>

Now Chrome correctly authenticates once with a Kerberos ticket, and does not send Authorization headers on subsequent requests.
Internet Explorer sends a large Kerberos ticket with every request. The server is sending the correct persist-auth: true header. IE should know not to bother pre-authenticating. This behavior can be observed in at least IE9 and IE10 on Windows 7 64-bit.

Is there some other reason for this behavior? Is there a way to fix it?

Also, please note that I am using kernel mode on IIS7, and no virtual directory security.

If I have IE9/IE10 connect with NTLM, it does not pre-authenticate (which is the correct behavior).

I'm hoping there is a magical header I can manually add to the server responses to make IE behave correctly ...
You didn't mention what kind of URL you are using for the intranet site - did you use a hostname or a DNS alias? A short (NetBIOS) name or a qualified one? Do you notice the same behavior when using these different types of URLs? Did you check if the headers in Fiddler are Kerberos, or if SPNEGO is falling back to NTLM?

Fiddler behaves as a proxy server; it can intercept traffic because it registers as a WinINET proxy. CNAMEs and proxies interact in a complicated manner with Kerberos, which can make it hard to see what is going on. With a CNAME, IE will create the Kerberos ticket request for the hostname instead. Adding a proxy into the mix will further change the behavior. If this is the issue you are experiencing, it is specific to Microsoft products, which is why you found that modern browsers work correctly.

You did the right thing doing a wire trace, because troubleshooting Kerberos with a proxy is not a good idea.
- http://blogs.technet.com/b/askds/archive/2009/06/22/internet-explorer-behaviors-with-kerberos-authentication.aspx
- http://support.microsoft.com/kb/911149 (An old bug that may be relevant, because .NET had the issue too.)
- http://blog.michelbarneveld.nl/michel/archive/2009/11/14/the-reason-why-kb911149-and-kb908209-are-not-the-soluton.aspx
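
To answer the "Kerberos, or SPNEGO falling back to NTLM?" question from a wire trace, and to measure how much ticket data is re-sent on one keep-alive connection, the following added example (not part of the original question or answer) classifies `Authorization` header values by looking inside the base64 token. The function names and the sample tokens are constructed for illustration, and the mechanism check is a byte-signature heuristic rather than a full ASN.1 parse.

```python
import base64

# DER-encoded mechanism OIDs found inside a GSS-API/SPNEGO token.
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2
             bytes.fromhex("06092a864882f712010202"))  # 1.2.840.48018.1.2.2 (MS variant)
NTLMSSP = b"NTLMSSP\x00"  # signature that starts every NTLM message


def classify(authorization):
    """Return (mechanism, token_bytes) for one Authorization header value."""
    if not authorization:
        return ("none", 0)
    scheme, _, b64 = authorization.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return ("other", 0)
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("malformed", 0)
    # NTLM may be sent raw or wrapped in SPNEGO, so look for its signature first.
    if NTLMSSP in token:
        return ("ntlm", len(token))
    # 0x60 is the GSS-API InitialContextToken tag that opens a Kerberos AP-REQ token.
    if token[:1] == b"\x60" and any(oid in token for oid in KRB5_OIDS):
        return ("kerberos", len(token))
    return ("unknown", len(token))


def audit_connection(auth_headers):
    """auth_headers: Authorization values (or None) for successive requests on ONE
    keep-alive connection. Returns (rows, kerberos_bytes_resent_after_first_ticket)."""
    rows = [classify(h) for h in auth_headers]
    first = next((i for i, (m, _) in enumerate(rows) if m == "kerberos"), None)
    resent = 0 if first is None else sum(n for m, n in rows[first + 1:] if m == "kerberos")
    return rows, resent


def fake_kerberos(size):
    # Constructed stand-in: GSS tag + Kerberos OID + zero padding (not a real ticket).
    raw = b"\x60\x82\x00\x00" + KRB5_OIDS[0] + bytes(size - 15)
    return "Negotiate " + base64.b64encode(raw).decode()


# Constructed traces mirroring the two behaviours described in the question.
RESENDS_EVERY_REQUEST = [fake_kerberos(4000)] * 3
AUTHENTICATES_ONCE = [fake_kerberos(4000), None, None]
NTLM_FALLBACK = "Negotiate " + base64.b64encode(NTLMSSP + b"\x01\x00\x00\x00" + bytes(20)).decode()

if __name__ == "__main__":
    for name, trace in (("resend", RESENDS_EVERY_REQUEST), ("once", AUTHENTICATES_ONCE)):
        print(name, audit_connection(trace))
    print("fallback", classify(NTLM_FALLBACK))
```

Feed it the `Authorization` values exported from a wire trace of a single TCP connection; a non-zero second return value means tickets are being re-sent on a connection that is already authenticated.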