
Kerberos with Windows Integrated authentication



Guest lobezno
Posted

Hi,

I need help with Kerberos and Windows integrated security.

My system is:

All the servers and clients are in the same domain with the same OS: Windows Server 2003 Enterprise R2 SP2

Domain controller, IIS, Client.

Internet Explorer 6 SP2

I open IE 6 and request a page. The resource is protected (using Windows Integrated Authentication, with no anonymous allowed). A login screen prompts me. I put in a valid login and pwd, and I get the page. This is the sequence:

----------

GET /home/home.aspx HTTP/1.1\r\n
HTTP/1.1 401 Unauthorized\r\n

Kerberos AS-REQ
Kerberos AS-REP
Kerberos TGS-REQ
Kerberos TGS-REP

GET /home/home.aspx HTTP/1.1\r\n
[truncated] Authorization: Negotiate YIIEnQYGKw......

HTTP/1.1 200 OK\r\n
[truncated] WWW-Authenticate: Negotiate oYGfMIGcoA......

----------

Question 1: In the OK response, how does the IIS server generate the WWW-Authenticate header? I thought that it should be the same value that the client sends to the server in its Authorization header.

Let's follow. I press F5 and reload the page. Obviously I don't need to put in my login/pwd again and I get the same page. This is the sequence:

----------

GET /home/home.aspx HTTP/1.1\r\n
HTTP/1.1 401 Unauthorized\r\n

Kerberos AS-REQ
Kerberos AS-REP
Kerberos TGS-REQ
Kerberos TGS-REP

Question 2: Why does the next request not have an Authorization header and reuse the token? Why does it need to get a new ticket from the KDC?

GET /home/home.aspx HTTP/1.1\r\n
[truncated] Authorization: Negotiate YIIEnQYGKw......

HTTP/1.1 200 OK\r\n
[truncated] WWW-Authenticate: Negotiate oYGfMIGcoA......

Question 3: The last request/response has the same header values as the first. It seems that the client "reuses" the ticket. But if this is true, why does it need the (AS-REQ, AS-REP, TGS-REQ, TGS-REP) cycle again? Why, when I press F5, is the client request not directly:

GET /home/home.aspx HTTP/1.1\r\n
[truncated] Authorization: Negotiate YIIEnQYGKw......

----------

Any help will be gratefully received.

Thanks a lot.
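The truncated header values in the captures above can be decoded far enough to identify what kind of token each side sends. This is an added example, not part of the original post; the function names are illustrative, and only the ten base64 characters shown in the post are used, so nothing past the first seven bytes of each token is visible.

```python
import base64

# Header values exactly as quoted (truncated by the capture tool) in the post.
CLIENT_AUTHORIZATION = "YIIEnQYGKw"      # Authorization: Negotiate ...
SERVER_WWW_AUTHENTICATE = "oYGfMIGcoA"   # WWW-Authenticate: Negotiate ...

# DER encoding of the SPNEGO mechanism OID 1.3.6.1.5.5.2 (RFC 4178).
SPNEGO_OID = bytes([0x2B, 0x06, 0x01, 0x05, 0x05, 0x02])


def b64_prefix(text):
    """Decode a truncated base64 string, keeping only the complete bytes."""
    usable = len(text) * 6 // 8                # whole bytes the characters carry
    padded = text + "A" * (-len(text) % 4)     # pad with zero bits to a 4-char multiple
    return base64.b64decode(padded)[:usable]


def read_tlv_header(buf, pos):
    """Return (tag, content_length, content_offset) for the DER element at pos."""
    if pos + 1 >= len(buf):
        raise ValueError("header lies beyond the visible bytes")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                           # short-form length
        return tag, first, pos + 2
    count = first & 0x7F                       # long form: next `count` bytes hold the length
    if count == 0 or pos + 2 + count > len(buf):
        raise ValueError("length field lies beyond the visible bytes")
    length = int.from_bytes(buf[pos + 2:pos + 2 + count], "big")
    return tag, length, pos + 2 + count


def classify(token_b64):
    """Identify a Negotiate token from its leading bytes."""
    raw = b64_prefix(token_b64)
    tag, length, pos = read_tlv_header(raw, 0)
    info = {"outer_tag": tag, "total_len": pos + length}
    if tag == 0x60:
        # [APPLICATION 0]: GSS-API InitialContextToken = mechanism OID + inner token.
        info["kind"] = "GSS-API initial context token"
        oid_tag, oid_len, oid_pos = read_tlv_header(raw, pos)
        visible = raw[oid_pos:oid_pos + oid_len]
        info["consistent_with_spnego"] = (
            oid_tag == 0x06
            and oid_len == len(SPNEGO_OID)
            and SPNEGO_OID.startswith(visible)
        )
    elif tag == 0xA1:
        # Context tag [1] of the NegotiationToken CHOICE: NegTokenResp.
        info["kind"] = "SPNEGO NegTokenResp"
        _seq_tag, _seq_len, seq_pos = read_tlv_header(raw, pos)
        # First field inside the SEQUENCE; 0xA0 is [0] negState.
        info["first_field"] = raw[seq_pos] if seq_pos < len(raw) else None
    elif tag == 0xA0:
        info["kind"] = "SPNEGO NegTokenInit (bare)"
    else:
        info["kind"] = "unrecognised"
    return info


if __name__ == "__main__":
    for name, value in (("Authorization", CLIENT_AUTHORIZATION),
                        ("WWW-Authenticate", SERVER_WWW_AUTHENTICATE)):
        print(name, b64_prefix(value).hex(" "), classify(value))
```

The client value decodes as a GSS-API initial context token of 1185 bytes whose mechanism OID is consistent with SPNEGO, while the value on the 200 response is a 162-byte SPNEGO NegTokenResp produced by the server. The two headers therefore carry different messages of the same exchange, not an echo of one another.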


Guest Peter Foldes
Posted

lobezno

 

You need to repost this to the following newsgroup. This is the wrong newsgroup for

this. The newsgroup is windows.server.security

 

On the web:

http://www.microsoft.com/communities/newsg...server.security

 

 

--

Peter

 

Please Reply to Newsgroup for the benefit of others

Requests for assistance by email can not and will not be acknowledged.

 


Guest lobezno
Posted

OK. I'll do it, but one question. Which group is this??

I'm in: http://www.microsoft.com/communities/newsg...us/default.aspx

then, I select "english\servers\windows server\security\security general"

Why is it wrong??? Your URL has different contents, it's true, but I don't

know which group I am in.

 

Thanks.

 


Guest FromTheRafters
Posted

general security discussions = microsoft.public.security?

....and I don't see microsoft.public.windows.server.security

anywhere.

 

Maybe it would be better for you here:

 

http://www.microsoft.com/communities/newsg...BA-04767E55A63B

 


Guest Peter Foldes
Posted

You need to look. He did already post there as per my link and that newsgroup

(microsoft.public.windows.server.security) is violable and busy. And his issue with

Kerberos belongs there in the server.security group

 

--

Peter

 

Please Reply to Newsgroup for the benefit of others

Requests for assistance by email can not and will not be acknowledged.

 


Guest FromTheRafters
Posted

I did look, and I wasn't able to 'navigate' there on that webpage.

It is however possible to use the 'search' function on that page to

access that group.

 

I posted the other webpage because I was able to 'navigate' to

the group you posted - just in case he would rather 'navigate'

than 'search'.

 

Did you look at the format for navigating on the page I posted,

or did you just assume I didn't know what I was talking about?

 

Navigating on the page he uses (given the actual newsgroup name)

is awkward - the page I posted is more straightforward.

 


Guest Peter Foldes
Posted

I am using OE as the newsreader. If I put in server.security in the newsgroups

search field then the group pops up for me.

As far as the OP goes, he posted there and got his reply and was happy. I never

assumed that you do not know what you are talking about but on the contrary I do

know that you do. I was simply pointing out that the newsgroup is accessible by

going through the Web ady. I was assuming that the OP is not using a newsreader

since he posted through that awful Web Interface and I gave him a direct access to

the correct newsgroup

--

Peter

 

Please Reply to Newsgroup for the benefit of others

Requests for assistance by email can not and will not be acknowledged.

 


Guest FromTheRafters
Posted

"Peter Foldes" <xxxx@xxxxx.xxx> wrote in message

news:e2%23xe%23gbJHA.2620@TK2MSFTNGP02.phx.gbl...

> I am using OE as the newsreader. If I put in server.security in the

> newsgroups search field then the group pops up for me.

> As far as the OP goes, he posted there and got his reply and was happy. I

> never assumed that you do not know what you are talking about but on the

> contrary I do know that you do. I was simply pointing out that the

> newsgroup is accessible by going through the Web ady. I was assuming that

> the OP is not using a newsreader since he posted through that awful Web

> Interface and I gave him a direct access to the correct newsgroup

 

Thanks Peter.

 

IMO these web to usenet gateways are ruining the newsgroup experience.

Especially the "forums" that populate themselves with usenet posts so as to

appear active.

 

Some people are unfortunately restricted to typing with a mouse and an on-screen

keyboard which makes 'navigating' far superior to typing addresses or

names like newsgroups have into a search box. The webpage the OP was

using was not too good for that.
