
AuthenticationType Negotiate vs NTLM

I have the same code base used on 2 different sites hosted on the same server (IIS 7.5).

For some reason, when I check the Identity.AuthenticationType property on the code behind of an http handler I see NTLM for 1 site and Negotiate for the other. This is causing some problems and I need both of them to use NTLM.

Could you help me to figure out why there is this difference? So far I see both IIS sites are configured in the same way but of course there is at least 1 difference that I couldn't detect. Thanks!

EDIT

I've used this link that provides instructions to remove "Negotiate" provider from IIS. It didn't work for me. I executed

appcmd.exe set config "Contoso" -section:system.webServer/security/authentication/windowsAuthentication /-"providers.[value='Negotiate']" /commit:apphost

Maybe I did something wrong, but it didn't help. I still see "Negotiate" as AuthenticationType

The problem I have is that I'm setting on web.config impersonation credentials but it's not using them. Instead of using credentials I provide, it uses the anonymous user.

And something weird is that windowsAuthentication is disabled. I thought "Negotiate" was only used by windowsAuthentication.


Negotiate will choose either Ntlm or Kerberos authentication internally. If the site says Ntlm, only Ntlm authentication would be chosen. Please check both sites and make sure the authentication is the same.


Windows Authentication will need to be enabled and Anonymous Authentication disabled to get the logged in user (I am assuming here that you are authenticating on a domain and don't want to fall back to an anonymous user if the user doesn't have authorised credentials using windows auth).

In IIS7.5, to see the providers being used, click on Authentication, right-click on Windows Authentication and select providers. You will have a list of enabled providers, the order is important. Try making sure they are both the same (in your case have NTLM at the top of the list).

Sorry for the late response!


First thing to check is if there is a difference between the authentication types that are enabled for each site.

By default only anonymous is enabled.


If your version of Internet Information Server (IIS) is 7.0 take a look in the <%SystemDrive%>/Windows/System32/inetsrv/config/ApplicationHost.config file for a section like this:

<system.webServer> 
    <security> 
        <authentication> 
            <windowsAuthentication enabled="false">
                <providers>
                    <add value="Negotiate" />
                    <add value="NTLM" />
                </providers>
            </windowsAuthentication>
        </authentication> 
    </security> 
</system.webServer>

The documentation for Windows Authentication Providers may provide more detail.

The Remove NEGOTIATE from WindowsAuthentication in IIS question provides instructions for removing Negotiate which I found helpful when I was trying to re-enable Negotiate.
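
The answers above suggest comparing the enabled authentication types and the provider order of the two sites. The following is an added example, not code from any of the posts, that computes each site's effective settings from a copy of ApplicationHost.config and reports what differs. It assumes the providers list is a standard add/remove/clear collection, reads only site-level `<location path="...">` entries (not web.config), and uses the hypothetical site names SiteA and SiteB.

```python
import xml.etree.ElementTree as ET
# Constructed sample, not a real server's file; "SiteA"/"SiteB" are hypothetical names.
SAMPLE = """<configuration>
 <system.webServer><security><authentication>
  <anonymousAuthentication enabled="true" />
  <windowsAuthentication enabled="false">
   <providers><add value="Negotiate" /><add value="NTLM" /></providers>
  </windowsAuthentication></authentication></security></system.webServer>
 <location path="SiteA"><system.webServer><security><authentication>
  <anonymousAuthentication enabled="false" />
  <windowsAuthentication enabled="true">
   <providers><remove value="Negotiate" /></providers>
  </windowsAuthentication></authentication></security></system.webServer></location>
 <location path="SiteB"><system.webServer><security><authentication>
  <windowsAuthentication enabled="true" />
 </authentication></security></system.webServer></location>
</configuration>"""
AUTH = "system.webServer/security/authentication"

def overlay(node, inherited):
    """Apply one <authentication> element on top of the inherited settings."""
    state = dict(inherited, providers=list(inherited["providers"]))
    if node is None:
        return state
    for tag in ("anonymousAuthentication", "windowsAuthentication"):
        el = node.find(tag)
        if el is not None and el.get("enabled") is not None:
            state[tag] = el.get("enabled").lower() == "true"
    for item in node.findall("windowsAuthentication/providers/*"):
        value = item.get("value")
        if item.tag == "clear":
            state["providers"] = []
        elif item.tag == "remove" and value in state["providers"]:
            state["providers"].remove(value)
        elif item.tag == "add" and value not in state["providers"]:
            state["providers"].append(value)  # list order is preserved
    return state

def effective_auth(xml_text, site):
    """Server-level settings first, then the <location path=site> override."""
    root = ET.fromstring(xml_text)
    start = {"anonymousAuthentication": None, "windowsAuthentication": None, "providers": []}
    base = overlay(root.find(AUTH), start)
    loc = next((l for l in root.findall("location") if l.get("path") == site), None)
    return overlay(None if loc is None else loc.find(AUTH), base)

def diff_sites(xml_text, a, b):
    """Return {setting: (value_for_a, value_for_b)} for every setting that differs."""
    ea, eb = effective_auth(xml_text, a), effective_auth(xml_text, b)
    return {k: (ea[k], eb[k]) for k in ea if ea[k] != eb[k]}
```

Calling `diff_sites(text, "SiteA", "SiteB")` on the file's contents returns an empty dict when the two sites resolve to the same enabled flags and provider order.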
