Solved

IIS 6 authentication problem from iPad mobile Safari browser

Posted on 2010-09-02
5,436 Views
Last Modified: 2012-05-10
I have an intranet site running on SBS 2003.  Authentication used is IWA.  The site also has a public IP assigned to it so users can connect over the internet by providing their usernames and passwords when prompted.  The problem we are seeing is when a user tries to connect to the site via iPad mobile Safari.  The user is intermittently prompted to enter credentials repeatedly even though authentication has already been successfully completed. The frequency of the prompts is fairly random, sometimes allowing them to use the site uninterrupted for 15-20 minutes and other times prompting at nearly every request to the server.  This is obviously very frustrating.

I have already tried a few things but nothing seems to be working.  I tried updating the value of AuthPersistSingleRequest to false so that the authentication would not be required with every single request.  I tried enabling Basic Authentication (over SSL) because I'd read that there might be issues with the NTLM handshake.  I'm not sure exactly what is the problem here.

Looking at the IIS 6 logs I do see a number of 401 errors logged, but strangely these get logged even when the requests are successful.  I imagine that has to do with there being an attempt to authenticate anonymously first before passing the credentials.  I usually in these cases see a 401.2 followed by a 401.1 and then a 200 status code.

I would like to leave IWA enabled if possible because the users on the LAN should not need to be prompted for credentials when they are already logged in to the domain.  Any suggestions or referrals to resources on this matter would be greatly appreciated.

Thanks,
Anthony
Question by:jartef
6 Comments
LVL 17

Expert Comment

by:Rovastar
ID: 33603490
To get more of an understanding of what is happening with the handshake with 401, have a look at David Wang's (ex-IIS staff) article here:

http://blogs.msdn.com/b/david.wang/archive/2005/07/14/howto-diagnose-iis-401-access-denied.aspx

What do your IIS logs say?

Author Comment

by:jartef
ID: 33603649
Thanks for the link. I am unable to access my logs right now but will do so soon and get back to you.

Author Comment

by:jartef
ID: 33610636
As I mentioned above, my IIS logs frequently show a 401.2 followed by a 401.1 even when all works fine without prompting for re-authentication.  What I did notice is that when it seems to work the 401.2 has a win32 status code of 2148074254, which from what I gather means 'logon failed due to server configuration'.  I believe that these items in the log simply indicate that any initial attempt to serve the request using the disabled anonymous account would fail.  These cases are usually followed by a status code of 200 and the user is not prompted to re-authenticate.

Narrowing down the log to the specific requests that did seem to re-prompt for authentication I am seeing a 401.2 with a win32 status of 1236 which seems to indicate that the network connection was somehow aborted.  It seems that the iPad is in this case having trouble persisting the connection and is thus requiring a new authentication.  I thought that setting the AuthPersistSingleRequest metabase value to false would handle this problem but perhaps I am misunderstanding what this value means. A TechNet article I read states that this setting is only honored when the following two conditions are met: Integrated Windows authentication is set to NTLM and Integrated Windows authentication is set to Negotiate, and NTLM authentication is used.  I am not exactly sure how to verify that these statements are true.

I suppose another solution would be to somehow use cookies to store the session data and check whether the user has already been authenticated but I am not sure how to use this method in conjunction with IWA and NTLM.  Is it possible to specify different modes of authentication or different directory security altogether based on whether the user has connected to the page over the intranet or from the internet?  I do have an SSL certificate and can pretty safely use basic authentication over the internet, but I do not want to lose integrated authentication for intranet users.  Then again I am not really sure that switching to basic auth would persist if it appeared that the connection had been reset.
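The log triage described in the two comments above, as an added example that is not part of this thread (it is neither Anthony's nor Rovastar's code): a small Python script that parses an IIS 6 W3C log, labels each 401 by its sub-status and Win32 status, and reports which clients hit the 1236 case (a dropped connection forcing a fresh NTLM handshake) as opposed to the routine 401.2 / 401.1 / 200 sequence. The only page-derived values are the status codes 2148074254 and 1236; 2148074254 is 0x8009030E, the Win32 constant SEC_E_NO_CREDENTIALS, and 1236 is ERROR_CONNECTION_ABORTED. The log lines, IP addresses, user agents, paths and account names are constructed for this example.

```python
"""Sort the 401s in an IIS 6 W3C log into 'normal NTLM handshake' and
'connection aborted, client had to re-authenticate' (constructed example)."""
from collections import Counter, defaultdict

# Win32 status codes discussed in the thread. 2148074254 is 0x8009030E
# (SEC_E_NO_CREDENTIALS); 1236 is ERROR_CONNECTION_ABORTED.
SEC_E_NO_CREDENTIALS = 2148074254
ERROR_CONNECTION_ABORTED = 1236

# Constructed sample log in the default IIS 6 W3C extended field layout.
# IIS writes '+' in place of spaces inside a field value.
IPAD_UA = "Mozilla/5.0+(iPad;+U;+CPU+OS+3_2+like+Mac+OS+X)+AppleWebKit/531.21.10+Mobile/7B367+Safari/531.21.10"
IE_UA = "Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1)"
SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-09-02 14:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-09-02 14:00:01 10.0.0.5 GET /intranet/default.aspx - 443 - 203.0.113.10 {IPAD_UA} 401 2 {SEC_E_NO_CREDENTIALS}
2010-09-02 14:00:01 10.0.0.5 GET /intranet/default.aspx - 443 - 203.0.113.10 {IPAD_UA} 401 1 0
2010-09-02 14:00:02 10.0.0.5 GET /intranet/default.aspx - 443 CORP\\anthony 203.0.113.10 {IPAD_UA} 200 0 0
2010-09-02 14:05:10 10.0.0.5 GET /intranet/reports.aspx - 443 - 203.0.113.10 {IPAD_UA} 401 2 {ERROR_CONNECTION_ABORTED}
2010-09-02 14:05:14 10.0.0.5 GET /intranet/reports.aspx - 443 CORP\\anthony 203.0.113.10 {IPAD_UA} 200 0 0
2010-09-02 14:06:00 10.0.0.5 GET /intranet/default.aspx - 80 - 192.168.1.20 {IE_UA} 401 2 {SEC_E_NO_CREDENTIALS}
2010-09-02 14:06:00 10.0.0.5 GET /intranet/default.aspx - 80 - 192.168.1.20 {IE_UA} 401 1 0
2010-09-02 14:06:00 10.0.0.5 GET /intranet/default.aspx - 80 CORP\\bob 192.168.1.20 {IE_UA} 200 0 0
"""


def parse_w3c(text):
    """Return one dict per request line, keyed by the names on the #Fields: line."""
    fields = None
    entries = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue  # directive lines and blanks carry no request data
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = raw.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {raw!r}")
        entries.append(dict(zip(fields, values)))
    return entries


def classify(entry):
    """Label one entry by what its status / substatus / win32 triple means."""
    status = entry["sc-status"]
    sub = entry["sc-substatus"]
    win32 = int(entry["sc-win32-status"])
    if status != "401":
        return "served" if status == "200" else "other"
    if win32 == ERROR_CONNECTION_ABORTED:
        # The TCP connection that carried the NTLM state went away, so IIS
        # has to start the handshake over and the browser re-prompts.
        return "reprompt-connection-aborted"
    if sub == "2" and win32 == SEC_E_NO_CREDENTIALS:
        # Anonymous access is disabled, so the first unauthenticated attempt
        # is refused; this is the expected opening of the handshake.
        return "handshake-anonymous-denied"
    if sub == "1":
        # Challenge/response round of the NTLM handshake, normally followed by 200.
        return "handshake-challenge"
    return "unexplained-401"


def summarize(entries):
    """Count classifications per client IP, tagging iPad Safari user agents."""
    per_client = defaultdict(Counter)
    for e in entries:
        kind = "ipad" if "iPad" in e["cs(User-Agent)"] else "other"
        per_client[(e["c-ip"], kind)][classify(e)] += 1
    return dict(per_client)


def reprompt_clients(entries):
    """Clients with at least one 401 caused by a dropped connection."""
    return sorted(ip for (ip, _), counts in summarize(entries).items()
                  if counts["reprompt-connection-aborted"])


if __name__ == "__main__":
    entries = parse_w3c(SAMPLE_LOG)
    for (ip, kind), counts in summarize(entries).items():
        print(ip, kind, dict(counts))
    print("re-prompted after a dropped connection:", reprompt_clients(entries))
```

Run against a real log, the per-client counts separate the benign 401.2 / 401.1 pairs (one per authenticated connection, on every browser) from the 1236 entries that mark a genuine re-prompt; comparing the latter by user agent and by source network is how to confirm the Wi-Fi versus 3G difference discussed later in the thread.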
LVL 17

Accepted Solution

by: Rovastar (earned 500 total points)
ID: 33626172
It could be the browser that iPad uses. Can you use another browser?

Normally you have a 401.1 with the win32 status error code of 2148074254

1236 are likely networking issues, so for that it may be dependent on your network/service provider contentions.

Does it work via wireless and not a mobile internet connection? Does the iPad even have wireless? I don't know, but that way you can remove the accelerated complexity of all these different factors.

A packet sniffer also will tell you more about what is occurring. You can see if the iPad client is sending the correct traffic to you.

Author Comment

by:jartef
ID: 33627922
While there are some 3rd party browsers currently available on the iPad, they are not really a viable option at this point.

I am definitely seeing the 2148074254 win32 status with 401.2, but as I said that seems to happen all the time even when connecting from browsers that are not having the reauthentication issue.  From what I gather this is not part of the problem but is normal behavior when the browser initially attempts an anonymous connection for the request.  

I do understand that the 1236 is a network issue and I can confirm that the problem is less prevalent when connecting over Wi-Fi than when connecting via 3G.  Basically I assume that there is a momentary drop in the connection between the iPad client and the web server and thus the server assumes that there is a new connection which requires reauthentication.  I think that this is just a fact of life given the nature of the device.

I guess what I am looking for is some way to force IIS to recognize that the re-established connection from the same device should re-use the authentication that had already been provided.  The best method that I could come up with to accomplish this would be to allow for basic authentication over SSL where the encrypted credentials could just be passed along with the request each time.  What I am not sure of is how to best configure basic authentication to run alongside IWA or how to restrict basic authentication to only be permissible over SSL.  I want to be able to force basic auth over SSL whenever a connection to IIS is initiated over the internet and keep IWA available to local traffic to IIS.  

Author Closing Comment

by:jartef
ID: 33775279
What wound up working in the end was to accept basic authentication over SSL and pass around the credentials with all of the http requests.  Never quite did determine why the iPad browser has such a hard time maintaining state with NTLM auth to IIS but the above workaround is suiting us fine.  Comments from Rovastar definitely helped point me in some educational directions regarding this matter so I am awarding points even though the question at hand never was really answered.