[thelist] asp.net NTLM authentication fails on postback?

Scott Dexter dexilalolai at yahoo.com
Wed Jun 8 10:34:24 CDT 2005


> : Integrated Windows Auth is turned on;
> :     <authentication mode="Windows" /> in the web.config
>
> This, by itself, doesn't enable any sort of authentication at all. This just
> means that the user needs to present valid Windows credentials in order to
> access the page. The type of authentication mechanism used (NTLM, Kerberos,
> Basic, Digest etc) is determined by what is set in the IIS Metabase. You can
> enable these various authentication mechanisms via the IIS Manager.

Fair enough. All I know is it's failing.

I just found out we're using Kerberos (not that I think it matters)

> :
> : The user is prompted with the login challenge message box, and after
> : three tries IIS fails the login, user gets a 403
>

*** Correction, it's a 401.1. Sorry


> Is this an IIS 6 box? Can you please post the corresponding log file entries?
> That will give us the HTTP substatus codes which help us determine why the
> user is being denied access.

Trying to get the log files (sigh)

>
> If you check out:
> www.adopenstatic.com/faq/IISRequestProcessing.aspx
> you can see that there's a fair number of reasons why you can get up with a
> 403

Great flowchart, bookmarked (thank you)

>
> From the information presented, I don't think that's a conclusion you can
> draw. There seems to be a fair amount of confusion here already about what is
> actually enabled and being used. Let's not confuse it by dragging in

Well, regardless of what's actually being enabled, something is awry:

1) User supplies credentials, gains access to the page
2) User causes a postback of that page, credentials fail
3) User has access to other secured pages on the site

I'm not sure how Kerberos vs plain text vs MD5 authentication would
make a difference here?

shrug
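
The reply above asks for the IIS log entries because they carry the HTTP substatus. As an added example (not part of the thread), this Python sketch summarizes status and substatus per URI and method from a W3C extended log and flags pages where GET succeeds but a postback (POST) never gets past a 401. The log lines, the user name and the chosen `#Fields` set are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log (not from the thread); the field list is an assumption.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username sc-status sc-substatus
2005-06-08 15:01:02 GET /secure/form.aspx - 401 2
2005-06-08 15:01:02 GET /secure/form.aspx jdoe 200 0
2005-06-08 15:02:10 POST /secure/form.aspx - 401 1
2005-06-08 15:02:15 POST /secure/form.aspx - 401 1
2005-06-08 15:02:21 POST /secure/form.aspx - 401 1
2005-06-08 15:03:40 GET /secure/other.aspx - 401 2
2005-06-08 15:03:40 GET /secure/other.aspx jdoe 200 0
"""

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def status_by_uri_and_method(text):
    """Map (uri, method) -> {"status.substatus": count}."""
    summary = defaultdict(lambda: defaultdict(int))
    for row in parse_w3c(text):
        code = f'{row["sc-status"]}.{row.get("sc-substatus", "?")}'
        summary[(row["cs-uri-stem"], row["cs-method"])][code] += 1
    return {key: dict(counts) for key, counts in summary.items()}

def postback_only_failures(text):
    """URIs where GET got a 200 but no POST ever got past a 401."""
    # A 401 is also the first leg of a normal challenge/response exchange,
    # so the test is whether a method ever succeeds, not whether 401s appear.
    summary = status_by_uri_and_method(text)
    flagged = {}
    for (uri, method), counts in summary.items():
        if method != "POST" or any(not c.startswith("401.") for c in counts):
            continue
        if "200.0" in summary.get((uri, "GET"), {}):
            flagged[uri] = counts
    return flagged

if __name__ == "__main__":
    print(postback_only_failures(SAMPLE_LOG))
```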


