Could you please share a more detailed error message about the issue?
Since the problem can be various, e.g. bad modules for "ManagedPipelineHandler" or "IsapiModule", it is recommended that you post the screenshot/text for error messages so that we could narrow down the problem.
Thank you for understanding.
Best regards,
Sean
ASP.NET forums are moving to a new home on Microsoft Q&A, we encourage you to go to Microsoft Q&A for .NET for posting new questions and get involved today. Learn more >
I can see that the error code is 401.2 which means that your server and the browser are following 2 different authentication protocols. The problem is due to the configuration of the authentication settings within IIS.
ASP.NET forums are moving to a new home on Microsoft Q&A, we encourage you to go to Microsoft Q&A for .NET for posting new questions and get involved today. Learn more >
The webmaster has enabled ntlm negotiate. I did login through the site via ntlm negotiate.
Yes I am trying to proxy through the server, is there any workaround?
Sean Fang
Hi alvinoo,
I can see that the error code is 401.2 which means that your server and the browser are following 2 different authentication protocols. The problem is due to the configuration of the authentication settings within IIS.
Negotiate authentication automatically selects between the Kerberos protocol and NTLM authentication, depending on availability. The Kerberos protocol is used if it is available; otherwise, NTLM is tried. Kerberos authentication significantly
improves upon NTLM. Kerberos authentication is both faster than NTLM and allows the use of mutual authentication and delegation of credentials to remote machines.
NT LAN Manager (NTLM) authentication is a challenge-response scheme that is a securer variation of Digest authentication. NTLM uses Windows credentials to transform the challenge data instead of the unencoded user name and password.
NTLM authentication requires multiple exchanges between the client and server. The server and any intervening proxies must support persistent connections to successfully complete the authentication.
If you want to identify which cause the problem, you could use a capture tool (such as fiddler or wireshark) to check the differences between them.
However, the problem is that a proxy might not understand the NTLM correctly over HTTP/HTTPS. Integrated Authentication (NTLM) is a connection-based authentication protocol, meaning that an authenticated connection between a client and server is the
only proof of authenticity. This works fine in Intranet scenarios, but for Internet scenarios a lot of network devices in between the client and server can either not support or mishandle NTLM (such as Proxy Server connection pooling/multiplexing), causing
unexpected 401.2.
Suggestions:
I think there are two options for resolving this 401.2 error.
Change the NTLM to another proper authentication, e.g. Kerberos.
Use a proxy server which supports the persistent connections.
ASP.NET forums are moving to a new home on Microsoft Q&A, we encourage you to go to Microsoft Q&A for .NET for posting new questions and get involved today. Learn more >
Can I clarify that the application if the user is using NTLM authentication on the windows, the user will not be logged out unless the user logs out completely?
None
0 Points
12 Posts
Web Application Testing
Aug 25, 2020 01:06 AM|alvinoo|LINK
Hi there,
I am working on a web application running on IIS Web Core.
The details error info is IIS Web Core
Notification is Authentication Request
The handler is PAge HnadelrFactory-ISAPI-4.0_64bits.
The problem is I can't replay the request through Firefox Edit and Resend.
Please advise.
Contributor
2990 Points
880 Posts
Re: Web Application Testing
Aug 25, 2020 01:59 AM|Sean Fang|LINK
Hi alvinoo,
Could you please share a more detailed error message about the issue?
Since the problem can be various, e.g. bad modules for "ManagedPipelineHandler" or "IsapiModule", it is recommended that you post the screenshot/text for error messages so that we could narrow down the problem.
Thank you for understanding.
Best regards,
Sean
None
0 Points
12 Posts
Re: Web Application Testing
Aug 25, 2020 02:20 AM|alvinoo|LINK
Hi there,
Please refer to the above images.
https://imgur.com/a/zjHVsKC
Contributor
2990 Points
880 Posts
Re: Web Application Testing
Aug 25, 2020 07:31 AM|Sean Fang|LINK
Hi alvinoo,
I can see that the error code is 401.2 which means that your server and the browser are following 2 different authentication protocols. The problem is due to the configuration of the authentication settings within IIS.
There is an explicit resolution for this error code: Error Message: HTTP 401.2 - Unauthorized: Logon Failed Due to Server Configuration with No Authentication
Casue:
The authentication methods that were tried are either disabled, or you are attempting to use NTLM through a proxy server.
Resolution:
To resolve this problem, enable at least one authentication method. To do this, follow these steps:
You could also Open IIS Manager (IIS 7) from the Search box: a) Click Start. b) In the Start Search box, type inetmgr and press ENTER.
Related Links:
https://support.microsoft.com/en-us/help/253667/error-message-http-401.2---unauthorized-logon-failed-due-to-server-configuration-with-no-authentication
https://technet.microsoft.com/en-us/library/cc771077(v=ws.10).aspx
http://stackoverflow.com/questions/6033878/web-site-configuration
Hope this can help you.
Best regards,
Sean
None
0 Points
12 Posts
Re: Web Application Testing
Aug 25, 2020 07:36 AM|alvinoo|LINK
Hi Sean
The webmaster has enabled ntlm negotiate. I did login through the site via ntlm negotiate.
Yes I am trying to proxy through the server, is there any workaround?
None
0 Points
12 Posts
Re: Web Application Testing
Aug 26, 2020 02:47 AM|alvinoo|LINK
Hi there,
Seperately I want to ask:
runas /user:domain.com\user01 “C:\Program Files\Internet Explorer\iexplore.exe“
If I were to run the following is it the same as enter the username and password in the browser when there is a pop up
Contributor
2990 Points
880 Posts
Re: Web Application Testing
Aug 26, 2020 10:14 AM|Sean Fang|LINK
Hi alvinoo,
It is a bit complicated so that you probably will feel below content is too much.
First of all, the negotiate and NTLM are different authentications.
In short, Negotiate = Kerberos = Ticket and NTLM = Username & Password.
Explanation from Document:
Negotiate authentication automatically selects between the Kerberos protocol and NTLM authentication, depending on availability. The Kerberos protocol is used if it is available; otherwise, NTLM is tried. Kerberos authentication significantly improves upon NTLM. Kerberos authentication is both faster than NTLM and allows the use of mutual authentication and delegation of credentials to remote machines.
NT LAN Manager (NTLM) authentication is a challenge-response scheme that is a securer variation of Digest authentication. NTLM uses Windows credentials to transform the challenge data instead of the unencoded user name and password. NTLM authentication requires multiple exchanges between the client and server. The server and any intervening proxies must support persistent connections to successfully complete the authentication.
If you want to identify which cause the problem, you could use a capture tool (such as fiddler or wireshark) to check the differences between them.
You could follow this if you have interest: http://www.adopenstatic.com/cs/blogs/ken/archive/2006/08/02/Two-easy-_2800_easier_3F002900_-ways-to-determine-Kerberos-from-NTLM-in-a-HTTP-capture.aspx
Reason => NTLM with proxy
However, the problem is that a proxy might not understand the NTLM correctly over HTTP/HTTPS. Integrated Authentication (NTLM) is a connection-based authentication protocol, meaning that an authenticated connection between a client and server is the only proof of authenticity. This works fine in Intranet scenarios, but for Internet scenarios a lot of network devices in between the client and server can either not support or mishandle NTLM (such as Proxy Server connection pooling/multiplexing), causing unexpected 401.2.
Suggestions:
I think there are two options for resolving this 401.2 error.
Related:
https://forums.iis.net/t/1205693.aspx
https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/understanding-http-authentication
Hope this can help you.
Best regards,
Sean
None
0 Points
12 Posts
Re: Web Application Testing
Sep 21, 2020 08:41 AM|alvinoo|LINK
Hi Sean,
I have managed to proxy the NTLM authentication.
Can I clarify that the application if the user is using NTLM authentication on the windows, the user will not be logged out unless the user logs out completely?