Symptom

Suppose the following scenario:

- You have a website that uses NTLM authentication.

- You also have a proxy server, whether or not it requires authentication itself.

- You try to browse the website through the proxy server.

You may be continually prompted to authenticate.

Root Cause

First, the normal NTLM authentication sequence for IE is as follows.

1) IE tries to browse the website anonymously.

2) The web server responds 401 and tells the client that NTLM authentication is required.

3) IE sends an NTLM negotiate message to the web server.

4) The server responds 401 again with a challenge that provides a 16-byte random number.

5) IE encrypts the password with the 16-byte random number and sends the request to the server again.

6) The server authenticates the username and password against the DC and sends back the successful response.

Now, in our scenario, if the "401" response page content is smaller than 1460 bytes, Internet Explorer may close the current connection and try to re-use a previous connection from its keep-alive pool for the proxy server. Because the proxy server has closed the related connection between the proxy and the IIS server, the proxy server may re-use another connection or create a new one. The IIS server then cannot verify the encrypted password, because the 16-byte random number it uses to check the response is the one bound to that other connection, not the one IE received. As a result, Internet Explorer produces an authentication prompt.
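To make the connection-bound nature of the handshake concrete, here is a small simulation written for this post (it is not IE, IIS or proxy code): the IIS side stores each 16-byte challenge per backend connection, the proxy ties one backend connection to each client connection, and the client drops its socket after a small 401 the way the article describes. The `browse()` function, `MSS`, `PASSWORD`, the two 401 bodies and the HMAC-MD5 stand-in for the real NTLM response are all constructed assumptions. Running it reproduces the 401 loop with the defaults and a 200 with either of the two fixes discussed under Solution (keeping the socket, or a 401 page of at least 1460 bytes).

```python
"""
Toy model of NTLM's connection-bound handshake through a proxy (constructed
example, not Microsoft/IE/IIS code).  It reproduces the failure described in
the article and shows why both fixes work.
"""
import hashlib
import hmac
import itertools
import os

MSS = 1460                                   # one full TCP segment payload, as in the article
PASSWORD = b"constructed-password"           # constructed sample credential
SMALL_401_BODY = b"<html>401 Unauthorized</html>"                  # well under 1460 bytes
LARGE_401_BODY = SMALL_401_BODY + b"<!--" + b"x" * 1460 + b"-->"   # at least 1460 bytes


def ntlm_response(challenge: bytes) -> bytes:
    # Stand-in for the NTLM Type-3 response: keyed by the password and bound to
    # the 16-byte server challenge.  Real NTLMv2 uses the NT hash with HMAC-MD5.
    return hmac.new(PASSWORD, challenge, hashlib.md5).digest()


class IISServer:
    """Challenge state lives per backend TCP connection, as it does in IIS."""
    def __init__(self, body_401: bytes):
        self.body_401 = body_401
        self.challenges = {}  # backend connection id -> 16-byte challenge

    def handle(self, conn_id, msg):
        """Return (status, challenge_or_None, body)."""
        if msg is None:                                  # steps 1/2: anonymous -> 401
            return 401, None, self.body_401
        kind, payload = msg
        if kind == "NEGOTIATE":                          # steps 3/4: issue the challenge
            self.challenges[conn_id] = os.urandom(16)
            return 401, self.challenges[conn_id], self.body_401
        if kind == "AUTHENTICATE":                       # steps 5/6: verify on *this* connection
            challenge = self.challenges.pop(conn_id, None)
            if challenge is not None and hmac.compare_digest(ntlm_response(challenge), payload):
                return 200, None, b"<html>ok</html>"
            return 401, None, self.body_401
        raise ValueError(kind)


class Proxy:
    """Each client connection maps to its own proxy->IIS connection."""
    def __init__(self, server):
        self.server = server
        self.backend_of = {}
        self.backend_ids = itertools.count(1)

    def forward(self, client_conn, msg):
        backend = self.backend_of.setdefault(client_conn, next(self.backend_ids))
        return self.server.handle(backend, msg)

    def client_closed(self, client_conn):
        # When the client drops its socket the proxy drops the matching backend
        # socket too, and with it the challenge IIS stored for that connection.
        self.backend_of.pop(client_conn, None)


class Browser:
    """IE-like client; release_socket models ReleaseSocketDuring401Auth."""
    def __init__(self, proxy, release_socket: bool):
        self.proxy = proxy
        self.release_socket = release_socket
        self.conn_ids = itertools.count(1330)  # constructed client source ports
        self.connections_used = 0

    def _new_conn(self):
        self.connections_used += 1
        return next(self.conn_ids)

    def fetch(self) -> int:
        conn = self._new_conn()
        self.proxy.forward(conn, None)                                   # anonymous GET
        status, challenge, body = self.proxy.forward(conn, ("NEGOTIATE", None))
        if self.release_socket and len(body) < MSS:
            # The quirk from the article: a small 401 makes IE close this
            # socket and continue on another connection from its pool.
            self.proxy.client_closed(conn)
            conn = self._new_conn()
        status, _, _ = self.proxy.forward(conn, ("AUTHENTICATE", ntlm_response(challenge)))
        return status


def browse(release_socket: bool = True, body_401: bytes = SMALL_401_BODY, attempts: int = 3):
    """Return the final status of each attempt; repeated 401 is the auth-prompt loop."""
    browser = Browser(Proxy(IISServer(body_401)), release_socket)
    statuses = []
    for _ in range(attempts):
        statuses.append(browser.fetch())
        if statuses[-1] == 200:
            break
    return statuses


if __name__ == "__main__":
    print("default IE, small 401 page:  ", browse())                       # [401, 401, 401]
    print("ReleaseSocketDuring401Auth=0:", browse(release_socket=False))   # [200]
    print("401 page >= 1460 bytes:      ", browse(body_401=LARGE_401_BODY))  # [200]
```

The design point is that the challenge never leaves the connection it was issued on: any hop between connections, whether by the browser or by the proxy, invalidates the response before the DC is ever consulted, which is why the symptom looks like a wrong password even though the credentials are fine.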

 

Analysis

If you capture a network trace with Network Monitor on the client side, you will see the packets below.

3891        HTTP        HTTP:Request, GET http://www.mysite.com/

3892        HTTP        HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: http://www.mysite.com/ , Using NTLM Authentication

4300        HTTP        HTTP:Request, GET http://www.mysite.com/ , Using NTLM Authorization

4325        HTTP        HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: http://www.mysite.com/

4333        HTTP        HTTP:Request, GET http://www.mysite.com/ , Using NTLM Authorization

4357        HTTP        HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: http://www.mysite.com/ , Using NTLM Authentication

4625        HTTP        HTTP:Request, GET http://www.mysite.com/ , Using NTLM Authorization

4642        HTTP        HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: http://www.mysite.com/

4645        HTTP        HTTP:Request, GET http://www.mysite.com/ , Using NTLM Authorization

4682        HTTP        HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: http://www.mysite.com/ , Using NTLM Authentication

 

As you can see, the server always responds with a 401 (Unauthorized) error. For comparison, here is a trace of a successful authentication.

379          HTTP        HTTP:Request, GET /

381          HTTP        HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: / , Using NTLM Authentication

385          HTTP        HTTP:Request, GET / , Using NTLM Authorization

387          HTTP        HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: /

388          HTTP        HTTP:Request, GET / , Using NTLM Authorization

391          HTTP        HTTP:Response, HTTP/1.1, Status: Ok, URL: /

 

If you check the TCP details of the requests in frames 3891, 4300, 4333, …, you will find that they use different source ports.

Tcp: Flags=...AP..., SrcPort=1330, DstPort=3128, PayloadLen=602, Seq=1411197225 - 1411197827, Ack=2764265843, Win=64796 (scale factor 0x0) = 64796

Tcp: Flags=...AP..., SrcPort=1334, DstPort=3128, PayloadLen=680, Seq=1674575172 - 1674575852, Ack=199562079, Win=65092 (scale factor 0x0) = 65092

Tcp: Flags=...AP..., SrcPort=1333, DstPort=3128, PayloadLen=896, Seq=1830100015 - 1830100911, Ack=1517275850, Win=65535 (scale factor 0x0) = 65535

……

 

If you take another network trace on the web server side, you will also find different TCP ports there.
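As an added example (not part of the article or of Network Monitor), the following Python script parses summary lines in the format shown above and applies the two checks that were made by hand here: an NTLM handshake that keeps producing 401 without ever reaching 200, and handshake requests that leave the client on more than one source port. The sample input is copied from the two traces above; the pairing of the three `Tcp:` lines with frames 3891, 4300 and 4333 follows the order in the text and is an assumption, as are the function names `parse_summary` and `diagnose`.

```python
"""
Detection helper for the trace pattern discussed above (constructed example,
not part of the article or of Network Monitor).  It parses Network Monitor
HTTP summary lines plus the "Tcp:" detail line of each request and flags
(a) an NTLM handshake that never reaches 200 OK and (b) a handshake whose
requests leave the client on different source ports.
"""
import re

# Frame summaries copied from the article's traces (failing and working cases).
BAD_SUMMARY = """\
3891        HTTP        HTTP:Request, GET http://www.mysite.com/
3892        HTTP        HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: http://www.mysite.com/ , Using NTLM Authentication
4300        HTTP        HTTP:Request, GET http://www.mysite.com/ , Using NTLM Authorization
4325        HTTP        HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: http://www.mysite.com/
4333        HTTP        HTTP:Request, GET http://www.mysite.com/ , Using NTLM Authorization
4357        HTTP        HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: http://www.mysite.com/ , Using NTLM Authentication
4625        HTTP        HTTP:Request, GET http://www.mysite.com/ , Using NTLM Authorization
4642        HTTP        HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: http://www.mysite.com/
4645        HTTP        HTTP:Request, GET http://www.mysite.com/ , Using NTLM Authorization
4682        HTTP        HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: http://www.mysite.com/ , Using NTLM Authentication
"""
GOOD_SUMMARY = """\
379          HTTP        HTTP:Request, GET /
381          HTTP        HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: / , Using NTLM Authentication
385          HTTP        HTTP:Request, GET / , Using NTLM Authorization
387          HTTP        HTTP:Response, HTTP/1.1, Status: Unauthorized, URL: /
388          HTTP        HTTP:Request, GET / , Using NTLM Authorization
391          HTTP        HTTP:Response, HTTP/1.1, Status: Ok, URL: /
"""
# "Tcp:" detail lines of the requests in frames 3891, 4300 and 4333 (from the
# article); the frame-to-line pairing is assumed from the order shown there.
BAD_TCP = {
    3891: "Tcp: Flags=...AP..., SrcPort=1330, DstPort=3128, PayloadLen=602, Seq=1411197225 - 1411197827, Ack=2764265843, Win=64796 (scale factor 0x0) = 64796",
    4300: "Tcp: Flags=...AP..., SrcPort=1334, DstPort=3128, PayloadLen=680, Seq=1674575172 - 1674575852, Ack=199562079, Win=65092 (scale factor 0x0) = 65092",
    4333: "Tcp: Flags=...AP..., SrcPort=1333, DstPort=3128, PayloadLen=896, Seq=1830100015 - 1830100911, Ack=1517275850, Win=65535 (scale factor 0x0) = 65535",
}

SUMMARY_RE = re.compile(r"^(?P<frame>\d+)\s+HTTP\s+HTTP:(?P<kind>Request|Response)(?P<rest>.*)$")
STATUS_RE = re.compile(r"Status:\s*(?P<status>\w+)")
SRCPORT_RE = re.compile(r"SrcPort=(?P<port>\d+)")


def parse_summary(text):
    """Turn Network Monitor summary lines into dicts; non-HTTP lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        status = STATUS_RE.search(rest)
        frames.append({
            "frame": int(m.group("frame")),
            "kind": m.group("kind"),
            "status": status.group("status") if status else None,
            "ntlm": "NTLM" in rest,   # Authorization (request) or WWW-Authenticate (response)
        })
    return frames


def diagnose(summary_text, tcp_details=None):
    """Summarise one page load: did NTLM complete, and did the client hop ports?"""
    frames = parse_summary(summary_text)
    auth_requests = [f for f in frames if f["kind"] == "Request" and f["ntlm"]]
    completed = any(f["status"] == "Ok" for f in frames)
    ports = set()
    for f in frames:
        if f["kind"] == "Request" and tcp_details and f["frame"] in tcp_details:
            m = SRCPORT_RE.search(tcp_details[f["frame"]])
            if m:
                ports.add(int(m.group("port")))
    return {
        "auth_requests": len(auth_requests),
        "unauthorized": sum(1 for f in frames if f["status"] == "Unauthorized"),
        "completed": completed,
        # A healthy handshake needs at most two Authorization requests
        # (negotiate + authenticate) before the 200; more without a 200 is the loop.
        "auth_loop": not completed and len(auth_requests) > 2,
        "src_ports": sorted(ports),
        "connection_switch": len(ports) > 1,
    }


if __name__ == "__main__":
    print("bad trace :", diagnose(BAD_SUMMARY, BAD_TCP))
    print("good trace:", diagnose(GOOD_SUMMARY))
```

On the failing trace the script reports four NTLM Authorization requests, five 401 responses, no 200, and three distinct source ports (1330, 1333, 1334); on the working trace it reports two Authorization requests followed by a 200. Those two signals together are what distinguish this connection-switching problem from an ordinary wrong-credential 401.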

 

Solution

There are two options to resolve the issue.

Resolve it from the IE side

Follow the steps below to force IE to keep using the same connection during the whole authentication procedure.

1. Click Start, click Run, type regedit, and then click OK.

2. Locate and then click either of the following keys in the registry:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

3. On the Edit menu, point to New, and then click DWORD.

4. Type ReleaseSocketDuring401Auth, and then press ENTER.

5. On the Edit menu, click Modify.

6. Type 0, and then click OK.

Resolve it from Web server side

Edit all the "401" response pages in your IIS deployment so that they are larger than 1460 bytes. 1460 bytes is the payload of one full-size TCP segment (the usual Ethernet MSS), so a larger page no longer fits in a single packet.

You may refer to the article below to learn how to customize the 401 response page on IIS 7.

http://technet.microsoft.com/en-us/library/cc753103(v=WS.10).aspx

References

Internet Explorer always prompts for authentication when browsing to Web sites already logged on to

http://support.microsoft.com/kb/820780

401.1 and 401.2-Authentication Problems (IIS 6.0)

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/8feeaa51-c634-4de3-bfdc-e922d195a45e.mspx

 

Regards,

ZhiXing Lv from APGC DSI Team