date: Tue, 14 Aug 2007 16:08:51 -0400,    group: microsoft.public.platformsdk.active.directory


Re: Kerberos error KDC_ERR_BADOPTION after "Message Stream Modified" kerberos error   
Problem has been solved, thanks all for the troubleshooting help.  The 
problem was twofold, both on my part.

--------------------------------------------
The "Message Stream Modified" Kerberos errors were caused by improper 
manual setting of the "Authorization" header.

This ISAPI code is functioning as a proxy, which includes passing along 
headers from the original request.  The "Authorization" header was being 
set with WinHttpAddRequestHeaders along with WinHttp's own authorization 
attempts, causing them to be concatenated into one long Authorization 
header.

There was code in place to prevent "Authorization" from being passed 
along in this manner, but of course there was a typo that prevented it 
from detecting "Authorization" properly.  Fixed it, Authorization header 
was suddenly half the length, and now it works.

---------------------------------------
The "Propagating NTLM instead of Kerberos after Kerberos auth" was a 
problem with how IE was authenticating with IIS.

I was not aware that, when connecting to an IIS that is using Integrated 
Authentication, there is an underlying difference between "connecting 
with IE and entering user credentials" vs. "adding the site to Local 
intranet and passing credentials automatically".  I saw Kerberos auth 
between IE & IIS in both cases, and I liked being able to enter 
different users for testing with the former, so I was using it.

Now I've discovered that it makes all the difference; when the site is 
added to Local intranet, Kerberos will be properly delegated and 
propagated through WinHttp, whereas when credentials are entered 
manually, it is not.


Follow-up question - When in the Authenticated ISAPI and using WinHttp, 
is there any way to detect these two situations?  I can examine the 
"Authorization" header to detect NTLM vs. Kerberos easily, but a quick 
glance didn't show any difference between the Kerberos-that-becomes-NTLM 
vs. the Kerberos-that-becomes-Kerberos.  I'd like to be able to raise an 
error in the former situation rather than just getting "access denied" 
for anything.


Thanks
jason
date: Tue, 14 Aug 2007 16:08:51 -0400   author:   Jason Viers
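The two checks described in the post above, written as an added example in portable C (not the poster's ISAPI/WinHttp code) so it runs anywhere. The first is the header filter a proxy needs: a case-insensitive match on the header name that ends at the colon, so the inbound "Authorization" header is never copied onto the outbound request where WinHttp appends its own and produces the concatenated header that triggered "Message Stream Modified". The second classifies an Authorization value by scheme and token prefix: base64("NTLMSSP\0") is "TlRMTVNTUAA", so a Negotiate or NTLM token with that prefix is a raw NTLMSSP message, while a token starting "YI" is the base64 of the ASN.1 tag 0x60 plus long-form length that begins a GSS-API/SPNEGO InitialContextToken, which is what a Kerberos client sends. Two caveats: SPNEGO can itself carry NTLM as the negotiated mechanism, so the prefix test classifies only the outer token; and the header shows which mechanism the browser used, not whether the resulting ticket is forwardable for delegation, which is consistent with the two Kerberos cases looking identical in the header. The drop list, the sample request block and the token bytes are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Headers a proxy must not copy from the inbound request because the outbound
 * client (WinHttp in the post) supplies its own; copying them appends two
 * values to one header. The list is an assumption for this example. */
static const char *const kDropHeaders[] = {
    "Authorization", "Proxy-Authorization", "Connection", "Keep-Alive",
    "Transfer-Encoding", "Host", NULL
};

/* ASCII case-insensitive prefix test; header names are case-insensitive. */
static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* 1 if `line` begins "<name>[ws]:", so "Authorization-Hint:" is not a match. */
static int header_name_is(const char *line, const char *name)
{
    size_t i = strlen(name);
    if (!starts_with_ci(line, name)) return 0;
    while (line[i] == ' ' || line[i] == '\t') i++;
    return line[i] == ':';
}

/* 1 if an inbound header line may be forwarded verbatim, 0 if it must be dropped. */
int should_forward_header(const char *line)
{
    const char *const *n;
    for (n = kDropHeaders; *n; n++)
        if (header_name_is(line, *n)) return 0;
    return 1;
}

/* Copy the forwardable lines of a CRLF-separated header block into `out`
 * (NUL-terminated, capacity `cap`). Returns lines dropped, or -1 on overflow. */
int filter_headers(const char *in, char *out, size_t cap)
{
    size_t used = 0;
    int dropped = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    while (*in) {
        const char *eol = strstr(in, "\r\n");
        size_t len = eol ? (size_t)(eol - in) + 2 : strlen(in);
        if (!should_forward_header(in)) {
            dropped++;
        } else {
            if (used + len >= cap) return -1;
            memcpy(out + used, in, len);
            used += len;
            out[used] = '\0';
        }
        in += len;
    }
    return dropped;
}

typedef enum { AUTH_NONE, AUTH_BASIC, AUTH_NTLM, AUTH_KERBEROS, AUTH_UNKNOWN } auth_kind;

/* Classify an Authorization value by scheme and token prefix: "TlRMTVNTUAA" is
 * base64("NTLMSSP\0"), a raw NTLMSSP message under NTLM or Negotiate; "YI" is
 * base64 of 0x60 0x8x, the tag and long-form length of the GSS-API
 * InitialContextToken a SPNEGO/Kerberos client sends. Outer token only. */
auth_kind classify_authorization(const char *value)
{
    const char *token;
    if (!value) return AUTH_NONE;
    while (*value == ' ' || *value == '\t') value++;
    if (!*value) return AUTH_NONE;
    if (starts_with_ci(value, "Basic ")) return AUTH_BASIC;
    if (starts_with_ci(value, "NTLM ")) token = value + 5;
    else if (starts_with_ci(value, "Negotiate ")) token = value + 10;
    else return AUTH_UNKNOWN;
    while (*token == ' ') token++;
    if (strncmp(token, "TlRMTVNTUAA", 11) == 0) return AUTH_NTLM;
    if (strncmp(token, "YI", 2) == 0) return AUTH_KERBEROS;
    return AUTH_UNKNOWN;
}

/* Constructed sample inbound headers (not a captured request); the NTLM blob is
 * a made-up Type 1 token with the real "NTLMSSP\0" prefix. */
static const char kSampleInbound[] =
    "Host: intranet.example\r\n"
    "Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAA=\r\n"
    "Accept: */*\r\n"
    "Connection: keep-alive\r\n"
    "\r\n";
static char g_forwarded[256];

/* Filter the sample block; the forwarded result is readable via sample_forwarded(). */
int filter_sample(void) { return filter_headers(kSampleInbound, g_forwarded, sizeof g_forwarded); }
const char *sample_forwarded(void) { return g_forwarded; }

int main(void)
{
    printf("dropped %d line(s); forwarding:\n%s", filter_sample(), sample_forwarded());
    printf("inbound Authorization kind: %d (AUTH_NTLM=%d, AUTH_KERBEROS=%d)\n",
           classify_authorization("Negotiate TlRMTVNTUAABAAAA"), AUTH_NTLM, AUTH_KERBEROS);
    return 0;
}
```

In a real proxy the filtered block is what goes to WinHttpAddRequestHeaders; WinHttp then negotiates its own Authorization for the outbound leg. The classifier is meant for the follow-up question in the narrow sense the post already states: it tells NTLM from Kerberos, not a delegable Kerberos context from a non-delegable one.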