Posted by Peter Foldes on January 3, 2009, 9:42 am
You need to look. He did already post there as per my link and that newsgroup
(microsoft.public.windows.server.security) is viable and busy. And his issue with
Kerberos belongs there in the server.security group.
--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
> general security discussions = microsoft.public.security?
> ...and I don't see microsoft.public.windows.server.security
> anywhere.
>
> Maybe it would be better for you here:
>
>
> http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?guid=1A61081E-1F66-5F7F-B5BA-04767E55A63B
>
>> OK. I'll do it, but one question. Which group is this??
>> I'm in: http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>> then, I select "english\servers\windows server\security\security general"
>>
>> Why is it wrong??? Your URL has different contents, it's true, but I don't
>> know which group I am in.
>>
>> Thanks.
>>
>> "Peter Foldes" wrote:
>>
>>> lobezno
>>>
>>> You need to repost this to the following newsgroup. This is the wrong
>>> newsgroup for this. The newsgroup is windows.server.security
>>>
>>> On the web:
>>>
>>> http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.windows.server.security
>>>
>>>
>>> --
>>> Peter
>>>
>>> Please Reply to Newsgroup for the benefit of others
>>> Requests for assistance by email can not and will not be acknowledged.
>>>
>>> > Hi,
>>> > I need help with Kerberos and Windows integrated security.
>>> >
>>> > My system is:
>>> > All the servers and clients are in the same domain with the same OS:
>>> > Windows Server 2003 Enterprise R2 SP2
>>> > Domain controller, IIS, Client.
>>> > Internet Explorer 6 SP2
>>> >
>>> > I open IE 6 and request a page. The resource is protected (using Windows
>>> > Integrated Authentication, with no anonymous allowed). The login screen prompts
>>> > me. I put in a valid login and pwd, and I get the page. This is the sequence:
>>> > ----------
>>> > GET /home/home.aspx HTTP/1.1\r\n
>>> > HTTP/1.1 401 Unauthorized\r\n
>>> >
>>> > Kerberos AS-REQ
>>> > Kerberos AS-REP
>>> > Kerberos TGS-REQ
>>> > Kerberos TGS-REP
>>> >
>>> > GET /home/home.aspx HTTP/1.1\r\n
>>> > [truncated] Authorization: Negotiate YIIEnQYGKw......
>>> >
>>> > HTTP/1.1 200 OK\r\n
>>> > [truncated] WWW-Authenticate: Negotiate oYGfMIGcoA......
>>> > ----------
>>> >
>>> > Question 1: in the OK response, how does the IIS server generate the
>>> > WWW-Authenticate header? I thought that it should be the same value that
>>> > the client sends to the server in its Authorization header.
>>> >
>>> > Let's continue. I press F5 and reload the page. Obviously I don't need to put in
>>> > my login/pwd again and I get the same page. This is the sequence:
>>> > ----------
>>> > GET /home/home.aspx HTTP/1.1\r\n
>>> > HTTP/1.1 401 Unauthorized\r\n
>>> >
>>> > Kerberos AS-REQ
>>> > Kerberos AS-REP
>>> > Kerberos TGS-REQ
>>> > Kerberos TGS-REP
>>> >
>>> > Question 2: Why does the next request not have an Authorization header and reuse the
>>> > token? Why does it need to get a new ticket from the KDC??
>>> >
>>> > GET /home/home.aspx HTTP/1.1\r\n
>>> > [truncated] Authorization: Negotiate YIIEnQYGKw......
>>> >
>>> > HTTP/1.1 200 OK\r\n
>>> > [truncated] WWW-Authenticate: Negotiate oYGfMIGcoA......
>>> >
>>> > Question 3: The last request/response has the same header values as the first.
>>> > It seems that the client "reuses" the ticket. But if this is true, why does it
>>> > need the (AS-REQ, AS-REP, TGS-REQ, TGS-REP) cycle again?? Why, when I press F5, is the
>>> > client request not directly:
>>> > GET /home/home.aspx HTTP/1.1\r\n
>>> > [truncated] Authorization: Negotiate YIIEnQYGKw......
>>> > ----------
>>> >
>>> > Any help will be gratefully received.
>>> > Thanks a lot.
>>>
>>>
>
>
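
Added example, not part of the original thread: a Python sketch that classifies the token in a `Negotiate` header from its leading bytes, using the GSS-API (RFC 2743) and SPNEGO (RFC 4178) framing. It is written to work on truncated captures such as the two prefixes quoted in the trace above; the function names are this example's own.

```python
import base64

# Leading tag byte of the decoded token (RFC 2743 framing, RFC 4178 SPNEGO).
TOKEN_KINDS = {
    0x60: "GSS-API InitialContextToken",  # initiator's first token
    0xA0: "SPNEGO NegTokenInit",
    0xA1: "SPNEGO NegTokenResp",          # acceptor's reply
}

def decode_prefix(b64: str) -> bytes:
    """Decode a possibly truncated base64 string, keeping only whole bytes."""
    b64 = b64.rstrip(".")              # drop the capture tool's "......" ellipsis
    if len(b64) % 4 == 1:              # a lone trailing char holds less than a byte
        b64 = b64[:-1]
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))

def der_length(data: bytes, pos: int = 1):
    """Return the DER length encoded at data[pos], or None if it is cut off."""
    if pos >= len(data):
        return None
    first = data[pos]
    if first < 0x80:                   # short form: the byte is the length
        return first
    n = first & 0x7F                   # long form: n length bytes follow
    if n == 0 or pos + 1 + n > len(data):
        return None
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big")

def classify(header_value: str) -> dict:
    """Classify the token of an Authorization / WWW-Authenticate header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not Negotiate", "declared_len": None}
    raw = decode_prefix(token.strip())
    if not raw:
        return {"kind": "empty", "declared_len": None}
    return {"kind": TOKEN_KINDS.get(raw[0], "unknown"),
            "declared_len": der_length(raw, 1)}

# Prefixes exactly as they appear (truncated) in the trace above.
CLIENT = "Negotiate YIIEnQYGKw......"
SERVER = "Negotiate oYGfMIGcoA......"

if __name__ == "__main__":
    for name, value in (("Authorization", CLIENT), ("WWW-Authenticate", SERVER)):
        print(name, classify(value))
```

On the prefixes from the trace, the client's token decodes as a GSS-API initial context token and the server's as a SPNEGO NegTokenResp, so the two header values are different messages and not copies of one another.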