How to stop a www-negotiate action? RRS feed

  • Question

  • First off this is not a .NET application that is being accessed, however, there are some web principles here that do apply (and hence why I'm posting this here) and I think those very familiar with .NET/web programming hopefully can help me with.

    We have users with IE6/7/8/9/10 accessing a legacy vendor application (not MS) and the application responds to the users with a HTTP 401 / www-negotiate request.  If the negotiation ends up being Kerberos (which always wins out if the client has a Kerberos ticket) and the client sends a Kerberos ticket than the vendor application validates that via a backend channel to Active Directory and users are SSO'd into the issue, all works great.

    However, if the user's browser does not have a Kerberos ticket (such as accessing this app from any device not authenticated to this corporate domain) then the browser will instead start the NTLM authentication process.  This is because the negotiate method specifies Kerberos first and then falling back to NTLM.  The problem here is this legacy application can not handle NTLM auth requests, I believe there was an older version of NTLM (version 1?) it did support but that has long since been nixed by Microsoft so for all intents and purposes NTLM will not work.  The net effect of all of this is that the client's browser keeps sending a HTTP NTLM header even though the server-side has seen the NTLM header and has redirected the user to a manual login page.  So the user enters their credentials into a manual form and clicks submit but IE does not send the credentials because IE is still stuck trying to do NTLM and when it is in that mode it does not actually send the values of form fields on a form submit.  I don't think this is actually a bug in IE, I think it is likely just a side-effect of a odd scenario we are throwing at it.

    So what we need to do is to have clients either send a Kerberos ticket or go to a redirect form directly, i.e. never attempt NTLM.  Current we have code in place that when the server sees a NTLM header come in it redirects the user to a manual login page, however, that redirect action (even though it is pulling up a new path, though on the same host & domain) does not cancel/stop the NTLM attempt, so the browser keeps sending a NTLM header (and thus doesn't send the form values), ends up in a very frustrating sequence where the user submits a form and gets no response other than a new form...this is because the credentials were not actually sent because of the state the browser is in with it's NTLM attempt.

    What we need is a way to simply stop the NTLM process, so when we see it starting (client sends a NTLM header) we can respond with some specific value/response/code that will stop that attempt, basically a "I know we told you to do the www-negotiate, but go ahead and stop doing that now" to the browser.

    We have a solution that we think will work which involves creating another hostname because it appears that IE will actually stop a NTLM auth process if you redirect it to a different hostname (same domain, just another hostname that is a CNAME record to the original one).  However, that is very messy and seems to be overkill and I would hope there is some way to merely stop a NTLM authentication sequence...hopefully.



    Tuesday, February 26, 2013 10:16 PM

All replies