
ASP.NET Web Application -> Windows Authentication -> IIS Express -> Kerberos or NTLM?

When creating a new ASP.NET Web Application with Windows Authentication, the description only says "For intranet applications". The "Learn more" link leads to the site below:

https://docs.microsoft.com/en-us/aspnet/visual-studio/overview/2013/creating-web-projects-in-visual-studio#auth

The description there is the following:

Windows Authentication

If you select Windows Authentication, the sample application will be configured to use the Windows Authentication IIS module for authentication. The application will display the domain and user ID of the Active directory or local machine account that is logged into Windows but won't include user registration or log-in UI. This option is intended for Intranet web sites.

Alternatively, you can create an Intranet site that uses AD authentication by choosing the On-Premises option under Organizational Accounts. The On-Premises option uses Windows Identity Foundation (WIF) instead of the Windows Authentication module. Some additional steps are required in order to set up the On-Premises option, but WIF enables features that aren't available with the Windows Authentication module. For example, with WIF you can configure application access in Active Directory and query directory data.

However, what I can't find out is whether the solution uses NTLM or Kerberos authentication. Also, is there some way that I can toggle this in IIS Express? I tried to look at the requests in the Chrome network tab, but I did not get any information from there.


This is a bit ugly, but if you read the first response Authorization: Negotiate header,

YIGCBgYrBgEFBQKgeDB2oDAwLgYKKwYBBAGCNwICCgYJKoZIgvcSAQICBgkqhkiG9xIBAgIGCisGAQQBgjcCAh6iQgRATlRMTVNTUAABAAAAl7II4gkACQA3AAAADwAPACgAAAAKANc6AAAAD0RFU0tUT1AtSEFLR0xTQldPUktHUk9VUA==

Convert to ASCII and if it contains NTLMSSP, then it is NTLM. Like this...

`??  +     ?x0v?00. 
+    ?7  
  *?H??      *?H??     
+    ?7   ?B @NTLMSSP     ?? ?    7       (   
 ?:    DESKTOP-HAKGLSBWORKGROUP

I ended up using Fiddler to look at the requests and from there I could see that it was NTLM due to the extra round trip to authenticate the client.

https://blogs.technet.microsoft.com/tristank/2006/08/02/two-easy-ways-to-pick-kerberos-from-ntlm-in-an-http-capture/

I did not find any good way to enable Kerberos for IIS Express but using the normal IIS you can follow this guide:

https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/

Authentication flow:

Request:

GET http://localhost:44388/ HTTP/1.1
Host: localhost:44388
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: sv-SE,sv;q=0.9,en-US;q=0.8,en;q=0.7

Response:

HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Fri, 09 Feb 2018 21:26:40 GMT
Content-Length: 6137
Proxy-Support: Session-Based-Authentication

Request 2:

GET http://localhost:44388/ HTTP/1.1
Host: localhost:44388
Connection: keep-alive
Authorization: Negotiate YIGCBgYrBgEFBQKgeDB2oDAwLgYKKwYBBAGCNwICCgYJKoZIgvcSAQICBgkqhkiG9xIBAgIGCisGAQQBgjcCAh6iQgRATlRMTVNTUAABAAAAl7II4gkACQA3AAAADwAPACgAAAAKANc6AAAAD0RFU0tUT1AtSEFLR0xTQldPUktHUk9VUA==
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: sv-SE,sv;q=0.9,en-US;q=0.8,en;q=0.7

Response 2:

HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate oYIBCzCCAQegAwoBAaEMBgorBgEEAYI3AgIKooHxBIHuTlRMTVNTUAACAAAAHgAeADgAAAAVworiD/awyYeVbOYA0680pgIAAJgAmABWAAAACgDXOgAAAA9EAEUAUwBLAFQATwBQAC0ASABBAEsARwBMAFMAQgACAB4ARABFAFMASwBUAE8AUAAtAEgAQQBLAEcATABTAEIAAQAeAEQARQBTAEsAVABPAFAALQBIAEEASwBHAEwAUwBCAAQAHgBEAEUAUwBLAFQATwBQAC0ASABBAEsARwBMAFMAQgADAB4ARABFAFMASwBUAE8AUAAtAEgAQQBLAEcATABTAEIABwAIADPF56zsodMBAAAAAA==
Date: Fri, 09 Feb 2018 21:26:40 GMT
Content-Length: 341
Proxy-Support: Session-Based-Authentication

Request 3:

GET http://localhost:44388/ HTTP/1.1
Host: localhost:44388
Connection: keep-alive
Authorization: Negotiate oXcwdaADCgEBoloEWE5UTE1TU1AAAwAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAABXCiOIKANc6AAAAD2wKVsUToYhrt08pUPhmI2WjEgQQAQAAAGDLpB1QQ6YlAAAAAA==
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: sv-SE,sv;q=0.9,en-US;q=0.8,en;q=0.7

Response 3:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-AspNetMvc-Version: 5.2
X-AspNet-Version: 4.0.30319
Persistent-Auth: true
X-Powered-By: ASP.NET
WWW-Authenticate: Negotiate oRswGaADCgEAoxIEEAEAAACHgwE6ErQtUAAAAAA=
Date: Fri, 09 Feb 2018 21:26:40 GMT
Content-Length: 397
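
The check described in the answers, run over the tokens from the capture above, as an added example that is not part of the original posts: it Base64-decodes the header value, looks for the NTLMSSP signature and reads the NTLM message type. The `classify` helper and the Kerberos branch are assumptions of this sketch, and the Kerberos sample is a constructed stub rather than a captured ticket.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
# DER bodies of the Kerberos 5 mechanism OIDs used in SPNEGO:
# 1.2.840.113554.1.2.2 and the legacy Microsoft form 1.2.840.48018.1.2.2.
KRB5_OIDS = (bytes.fromhex("2a864886f712010202"), bytes.fromhex("2a864882f712010202"))
KRB_AP_REQ = b"\x01\x00"  # token id that follows the OID in a Kerberos AP-REQ token


def _field(msg, pos):
    """Return the bytes an NTLM (length, max length, offset) descriptor points to."""
    length, _max_length, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]


def classify(header_value):
    """Classify an Authorization or WWW-Authenticate value (hypothetical helper)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme not in ("Negotiate", "NTLM") or not b64:
        return {"mechanism": "none"}  # bare challenge or another scheme
    raw = base64.b64decode(b64)
    start = raw.find(NTLM_SIG)
    if start != -1 and len(raw) >= start + 12:
        msg = raw[start:]
        info = {"mechanism": "NTLM", "message_type": struct.unpack_from("<I", msg, 8)[0]}
        if info["message_type"] == 1 and len(msg) >= 32:
            # NEGOTIATE message: domain and workstation names are OEM-encoded.
            info["domain"] = _field(msg, 16).decode("ascii", "replace")
            info["workstation"] = _field(msg, 24).decode("ascii", "replace")
        return info
    # The list of offered mechanisms also carries the Kerberos OIDs, so only an
    # OID followed directly by the AP-REQ token id counts as a Kerberos token.
    if any(oid + KRB_AP_REQ in raw for oid in KRB5_OIDS):
        return {"mechanism": "Kerberos"}
    return {"mechanism": "unknown"}


# Header values copied from Request 2 and Request 3 of the capture above.
REQUEST_2 = "Negotiate YIGCBgYrBgEFBQKgeDB2oDAwLgYKKwYBBAGCNwICCgYJKoZIgvcSAQICBgkqhkiG9xIBAgIGCisGAQQBgjcCAh6iQgRATlRMTVNTUAABAAAAl7II4gkACQA3AAAADwAPACgAAAAKANc6AAAAD0RFU0tUT1AtSEFLR0xTQldPUktHUk9VUA=="
REQUEST_3 = "Negotiate oXcwdaADCgEBoloEWE5UTE1TU1AAAwAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAABXCiOIKANc6AAAAD2wKVsUToYhrt08pUPhmI2WjEgQQAQAAAGDLpB1QQ6YlAAAAAA=="
# Constructed stub, not a real ticket: GSS-API header, Kerberos OID, AP-REQ id.
KRB_STUB = "Negotiate " + base64.b64encode(b"\x60\x0d\x06\x09" + KRB5_OIDS[0] + KRB_AP_REQ).decode()

if __name__ == "__main__":
    for name, value in (("request 2", REQUEST_2), ("request 3", REQUEST_3), ("stub", KRB_STUB)):
        print(name, classify(value))
```

Request 2 offers Kerberos in its mechanism list yet carries an NTLM Type 1 message, which is why the Kerberos branch matches on the token id and not on the OID alone; that Type 1 message also sends the workstation and domain names unencrypted.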
