Hi again.
The problem is occurring on all sites on the server in question.
Both methods using NTLM go through with wfetch, but don't in IE.
I've removed the html content in the output and renamed the site.
Here's the output:
NTLM domain\username\password
started....Reusing existing connection (source port
50577)\nSEC_I_CONTINUE_NEEDED - InitializeSecurityContext\nREQUEST:
**************\nGET /management/activitystatusoverview.aspx HTTP/1.1\r\n
Host: the.site.xx\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: NTLM
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHAXAAAADw==\r\n
\r\n
RESPONSE: **************\nHTTP/1.1 401 Unauthorized\r\n
Content-Length: 1539\r\n
Content-Type: text/html\r\n
Server: Microsoft-IIS/6.0\r\n
WWW-Authenticate: NTLM
TlRMTVNTUAACAAAADgAOADgAAAAVgoniMPm8uRBoc4gAAAAAAAAAAHQAdABGAAAABQLODgAAAA9PAE0ATgBJAEMATwBNAAIADgBPAE0ATgBJAEMATwBNAAEACABGAFMAMAAyAAQAFABvAG0AbgBpAGMAbwBtAC4AbgBvAAMAHgBmAHMAMAAyAC4AbwBtAG4AaQBjAG8AbQAuAG4AbwAFABQAbwBtAG4AaQBjAG8AbQAuAG4AbwAAAAAA\r\n
X-Powered-By: ASP.NET\r\n
Date: Mon, 10 Sep 2007 10:11:47 GMT\r\n
\r\n
SEC_E_OK - InitializeSecurityContext\n<!DOCTYPE HTML PUBLIC "-//W3C//DTD
HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">\r\n
<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE>\r\n
....
\r\n
REQUEST: **************\nGET /management/activitystatusoverview.aspx
HTTP/1.1\r\n
Host: the.site.xx\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: NTLM
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\r\n
\r\n
RESPONSE: **************\nHTTP/1.1 200 OK\r\n
Date: Mon, 10 Sep 2007 10:11:47 GMT\r\n
Server: Microsoft-IIS/6.0\r\n
X-Powered-By: ASP.NET\r\n
X-AspNet-Version: 1.1.4322\r\n
Set-Cookie: ASP.NET_SessionId=m0i5vd55a3obhkeevmjyhqmg; path=/\r\n
Cache-Control: private\r\n
Content-Type: text/html; charset=utf-8\r\n
Content-Length: 74913\r\n
\r\n
....
\r\n
NTLM <blank>\emailaddress(username field)\password
started....Reusing existing connection (source port
50577)\nSEC_I_CONTINUE_NEEDED - InitializeSecurityContext\nREQUEST:
**************\nGET /management/activitystatusoverview.aspx HTTP/1.1\r\n
Host: the.site.xx\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: NTLM
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHAXAAAADw==\r\n
\r\n
RESPONSE: **************\nHTTP/1.1 401 Unauthorized\r\n
Content-Length: 1539\r\n
Content-Type: text/html\r\n
Server: Microsoft-IIS/6.0\r\n
WWW-Authenticate: NTLM
TlRMTVNTUAACAAAADgAOADgAAAAVgoniMPm8uRBoc4gAAAAAAAAAAHQAdABGAAAABQLODgAAAA9PAE0ATgBJAEMATwBNAAIADgBPAE0ATgBJAEMATwBNAAEACABGAFMAMAAyAAQAFABvAG0AbgBpAGMAbwBtAC4AbgBvAAMAHgBmAHMAMAAyAC4AbwBtAG4AaQBjAG8AbQAuAG4AbwAFABQAbwBtAG4AaQBjAG8AbQAuAG4AbwAAAAAA\r\n
X-Powered-By: ASP.NET\r\n
Date: Mon, 10 Sep 2007 10:11:47 GMT\r\n
\r\n
SEC_E_OK - InitializeSecurityContext\n<!DOCTYPE HTML PUBLIC "-//W3C//DTD
HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">\r\n
<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE>\r\n
....
\r\n
REQUEST: **************\nGET /management/activitystatusoverview.aspx
HTTP/1.1\r\n
Host: the.site.xx\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: NTLM
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\r\n
\r\n
RESPONSE: **************\nHTTP/1.1 200 OK\r\n
Date: Mon, 10 Sep 2007 10:11:47 GMT\r\n
Server: Microsoft-IIS/6.0\r\n
X-Powered-By: ASP.NET\r\n
X-AspNet-Version: 1.1.4322\r\n
Set-Cookie: ASP.NET_SessionId=m0i5vd55a3obhkeevmjyhqmg; path=/\r\n
Cache-Control: private\r\n
Content-Type: text/html; charset=utf-8\r\n
Content-Length: 74913\r\n
\r\n
\r\n
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >\r\n
Kerberos domain\username\password
started....Reusing existing connection (source port
50598)\nISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set\n0x80090303 Unable to
InitializeSecurityContextfinished.
Kerberos <blank>\emailaddress(username field)\password
started....Reusing existing connection (source port
50598)\nISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set\n0x80090303 Unable to
InitializeSecurityContextfinished.
--
Lars-Erik
"WenJun Zhang[msft]" wrote:
> Hi Lars,
>
> In this case, I'd suggest you use tools like webfetch to check the http
> request/response rawdata of the authentication handshake. See if this can
> give us some clue of the problem. The steps are documented in the following
> article:
>
> HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
> http://support.microsoft.com/default.aspx?scid=kb;en-us;284285
>
> To use, please input:
>
> Host: (The site's domainname/hostheader or servername or just IP address)
> Port: (The site's port number if it isn't using the default 80)
> Path: (The relative path of a test page on the site. e.g: /index.htm or
> just /)
>
> Authentication:
>
> Please test the combinations.
>
> NTLM domain\username\password
> NTLM <blank>\emailaddress(username field)\password
> Kerberos domain\username\password
> Kerberos <blank>\emailaddress(username field)\password
>
> Press Go! to issue http requests to the server and check what responses are
> returned. I think comparing the traces should show us with some details.
> Please post the trace results here or send them to me at:
> wjzhang RemoveThis @online.microsoft.com (please remove online.)
>
> Also I just wonder if only the problematic web site has the auth problem?
> You may create a new site to test if auth works with domain\username. If
> it's fine, we can narrow down the problem must be specific to the
> applications running in the problem site.
>
> That's all. As always, I'll wait for your update.
>
> Have a great week.
>
> Sincerely,
>
> WenJun Zhang
>
> Microsoft Online Community Support
>
> ==================================================
>
> Get notification to my posts through email? Please refer to:
> http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at:
>
> http://msdn.microsoft.com/subscriptions/support/default.aspx.
>
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
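
The `WWW-Authenticate: NTLM` value in the trace above is an NTLM Type 2 (challenge) message, and it carries the server's NetBIOS and DNS names and OS version unencrypted, so renaming the site in a posted trace does not redact them. The parser below is an added example, not part of the original post; the function name and output keys are assumptions, and the field layout follows the CHALLENGE_MESSAGE structure in MS-NLMP.

```python
import base64
import struct

# Type 2 blob copied from the WWW-Authenticate header in the posted trace.
TYPE2_B64 = (
    "TlRMTVNTUAACAAAADgAOADgAAAAVgoniMPm8uRBoc4gAAAAAAAAAAHQAdABGAAAABQLODgAAAA9P"
    "AE0ATgBJAEMATwBNAAIADgBPAE0ATgBJAEMATwBNAAEACABGAFMAMAAyAAQAFABvAG0AbgBpAGMA"
    "bwBtAC4AbgBvAAMAHgBmAHMAMAAyAC4AbwBtAG4AaQBjAG8AbQAuAG4AbwAFABQAbwBtAG4AaQBj"
    "AG8AbQAuAG4AbwAAAAAA"
)
# AV_PAIR ids (MsvAvNbComputerName .. MsvAvDnsTreeName); labels are this example's own.
AV_NAMES = {1: "NetBIOS computer", 2: "NetBIOS domain", 3: "DNS computer",
            4: "DNS domain", 5: "DNS tree"}

def parse_challenge(b64):
    """Decode an NTLM CHALLENGE_MESSAGE (Type 2) into its readable fields."""
    raw = base64.b64decode(b64)
    sig, msg_type = struct.unpack_from("<8sI", raw, 0)
    if sig != b"NTLMSSP\x00" or msg_type != 2:
        raise ValueError("not an NTLM Type 2 message")
    # TargetName fields (len, maxlen, offset) followed by NegotiateFlags
    name_len, _, name_off, flags = struct.unpack_from("<HHII", raw, 12)
    # TargetInfo fields sit after the 8-byte challenge and 8 reserved bytes
    info_len, _, info_off = struct.unpack_from("<HHI", raw, 40)
    enc = "utf-16-le" if flags & 0x1 else "cp437"  # NEGOTIATE_UNICODE, else OEM
    out = {
        "flags": flags,
        "server_challenge": raw[24:32].hex(),
        "target_name": raw[name_off:name_off + name_len].decode(enc),
        "av_pairs": {},
    }
    if flags & 0x02000000:  # NEGOTIATE_VERSION: OS major, minor, build
        major, minor, build = struct.unpack_from("<BBH", raw, 48)
        out["os_version"] = f"{major}.{minor}.{build}"
    pos, end = info_off, info_off + info_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", raw, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        if pos + av_len > end:
            raise ValueError("truncated AV_PAIR")
        if av_id in AV_NAMES:  # name pairs are always UTF-16LE
            out["av_pairs"][AV_NAMES[av_id]] = raw[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return out

if __name__ == "__main__":
    for key, value in parse_challenge(TYPE2_B64).items():
        print(key, "=", value)
```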