IIS 6 authentication problem from iPad mobile Safari browser

Posted on 2010-09-02
Last Modified: 2012-05-10
I have an intranet site running on SBS 2003.  Authentication used is IWA.  The site also has a public IP assigned to it so users can connect over the internet by providing their usernames and passwords when prompted.  The problem we are seeing is when a user tries to connect to the site via iPad mobile Safari.  The user is intermittently prompted to enter credentials repeatedly even though authentication has already been successfully completed. The frequency of the prompts is fairly random, sometimes allowing them to use the site uninterrupted for 15-20 minutes and other times prompting at nearly every request to the server.  This is obviously very frustrating.

I have already tried a few things but nothing seems to be working.  I tried updating the value of AuthPersistSingleRequest to false so that the authentication would not be required with every single request.  I tried enabling Basic Authentication (over SSL) because I'd read that there might be issues with the NTLM handshake.  I'm not sure exactly what is the problem here.

Looking at the IIS 6 logs I do see a number of 401 errors logged, but strangely these get logged even when the requests are successful.  I imagine that has to do with there being an attempt to authenticate anonymously first before passing the credentials.  I usually in these cases see a 401.2 followed by a 401.1 and then a 200 status code.

I would like to leave IWA enabled if possible because the users on the LAN should not need to prompted for credentials when they are already logged in to the domain.  Any suggestions or referrals to resources on this matter would be greatly appreciated.

Question by:jartef
  • 4
  • 2
LVL 17

Expert Comment

ID: 33603490
To get moe of an understanding of what is happening with the handshake with 401 have a look at david wang ex-iis staff article here:

Wha do your IIS logs say?

Author Comment

ID: 33603649
Thanks for the link. I am unable to access my logs right now but will do so soon and get back to you.

Author Comment

ID: 33610636
As I mentioned above, my IIS logs frequently show a 401.2 followed by a 401.1 even when all works fine without prompting for re-authentication.  What I did notice is that when it seems to work the 401.2 has a win32 status code of 2148074254, which from what I gather means 'logon failed due to server configuration'.  I believe that these items in the log simply indicate that any initial attempt to serve the request  using the disabled anonymous account would fail.  These cases are usually followed by a status code of 200 and the user is not prompted to re-authenticate.  

Narrowing down the log to the specific requests that did seem to re-prompt for authentication I am seeing a 401.2 with a win32 status of 1236 which seems to indicate that the network connection was somehow aborted.  It seems that the ipad is in this case having trouble persisting the connection and is thus requiring a new authentication.  I thought that setting the AuthPersistSingleRequest metabase value to false would handle this problem but perhaps I am misunderstanding what this value means. A technet article I read states that this setting is only honored when the following two conditions are met: Integrated Windows authentication is set to NTLM and Integrated Windows authentication is set to Negotiate, and NTLM authentication is used.  I am not exactly sure how to verify that these statements are true.

I suppose another solution would be to somehow use cookies to store the session data and check whether the user has already been authenticated but I am not sure how to use this method in conjunction with IWA and NTLM.  Is it possible to specify different modes of authentication or different directory security altogether based on whether the user has connected to the page over the intranet or from the internet?  I do have an SSL certificate and can pretty safely use basic authentication over the internet, but I do not want to lose integrated authentication for intranet users.  Then again I am not really sure that switching to basic auth would persist if it appeared that the connection had been reset.

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

LVL 17

Accepted Solution

Rovastar earned 500 total points
ID: 33626172
It could be the browser that iPad uses. Can you use another browser?

Normally you have a 401.1 with the win32 status error code of 2148074254

1236  are liklely networking issues so for that it maybe be dependant on your network/service provider contentions.

Does it work via wireless and not mobile internet connection? Does iPad even have wireless I don't know but that way you can remove the accelerated complexity of all these different factors.

A packet sniffer also will tell you more about what is occurring. You can see if the ipad client is sending the correct traffic to you.

Author Comment

ID: 33627922
While there are some 3rd party browsers currently available on the iPad, they are not really a viable option at this point.

I am definitely seeing the 2148074254 win32 status with 401.2, but as I said that seems to happen all the time even when connecting from browsers that are not having the reauthentication issue.  From what I gather this is not part of the problem but is normal behavior when the browser initially attempts an anonymous connection for the request.  

I do understand that the 1236 is a network issue and I can confirm that the problem is less prevalent when connecting over wifi than when connecting via 3G.  Basically I assume that there is a momentary drop in the connection between the ipad client and the web server and thus the server assumes that there is a new connection which requires reauthentication.  I think that this is just a fact of life given the nature of the device.  

I guess what I am looking for is some way to force IIS to recognize that the re-established connection from the same device should re-use the authentication that had already been provided.  The best method that I could come up with to accomplish this would be to allow for basic authentication over SSL where the encrypted credentials could just be passed along with the request each time.  What I am not sure of is how to best configure basic authentication to run alongside IWA or how to restrict basic authentication to only be permissible over SSL.  I want to be able to force basic auth over SSL whenever a connection to IIS is initiated over the internet and keep IWA available to local traffic to IIS.  

Author Closing Comment

ID: 33775279
What wound up working in the end was to accept basic authentication over SSL and pass around the credentials with all of the http requests.  Never quite did determine why the iPad browser has such a hard time maintaining state with NTLM auth to IIS but the above workaround is suiting us fine.  Comments from Rovastar definitely helped point me in some educational directions regarding this matter so I am awarding points even though the question at hand never was really answered.

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
This video teaches viewers how to create their own website using cPanel and Wordpress. Tutorial walks users through how to set up their own domain name from tools like Domain Registrar, Hosting Account, and Wordpress. More specifically, the order in…
This Micro Tutorial will demonstrate how nuggets on the Web are formatted by using Chrome Developer Tools. These tools would not only view the site's CSS but it can also modify it and save the CSS to use on your own site.

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question