On 19/11/2011 8:53 a.m., Øyvind Haddal wrote:
> Amos,
> I am having this issue on all sites with this type of authentication
> (Windows security popup box), it's not specifically related to one
> site.

Well, I'm sad to have to say this but be prepared for it never to work.

This is a problem caused in one way or another by NTLM violating the
HTTP standards and assuming things about the network that are simply not
true once you go from a highly controlled MS-centric LAN to the
Internet (simple assumptions like TCP connections are always packets
from the same user, which is not even true in a LAN).

That you had it working for XP is a good sign that it might be able to
be hacked up for Windows 7.

> Have tested with Wireshark when accessing one of our Sharepoint sites
> with both Windows XP and 7, here's how the communication goes;
> Step 1. HTTP/1.1 401 Access denied
> Step 2. GET http://sharepointURL/ HTTP/1.1 , NTLMSSP_NEGOTIATE
> Step 3. HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE
> Step 4. GET http://sharepointURL/ HTTP/1.1 , NTLMSSP_AUTH, User: hqdomain\myusername
> On Windows XP through Squid, and both Windows XP and 7 directly to
> Bluecoat, Step 5 will give; GET http://sharepointURL/default.aspx
> HTTP/1.1 after it's performed a 301 redirect to default.aspx
> On Windows 7 through Squid, I get; HTTP/1.0 401 Unauthorized, which
> then prompts for re-authentication.
> I'm not seeing any difference in Steps 1-4, but I'm fairly new to this
> and am unsure what I should be looking for, I may be missing
> something.

From that the only difference is HTTP/1.0 vs HTTP/1.1.

The browser deciding to prompt instead of finish sending the credentials
is an indication that it cannot support the NTLM version. Or the server
is requesting credentials for a domain which the browser does not have
any credentials for. Or the server has closed the TCP connection (NTLM
assumes that is the same as credentials failing); in HTTP, connections
may close at any time for any number of reasons completely unrelated to
credentials.

Amos
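
The comparison described in this thread can be automated. The following Python sketch is an added example, not part of the original messages and not Squid code: it decodes the NTLMSSP message type from each header and reports where the exchange stops being usable. It assumes the capture has been exported as (TCP stream index, start line, headers) tuples; `check_handshake`, `token` and the sample trace are hypothetical and constructed.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTH"}

def ntlm_type(value):
    """Name of the NTLMSSP message in an Authorization/WWW-Authenticate value, or None."""
    scheme, _, token = value.partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return NTLM_TYPES.get(struct.unpack("<I", raw[8:12])[0])

def check_handshake(trace):
    """trace: (tcp_stream, start_line, headers) tuples in capture order; returns findings."""
    findings, challenge_stream, auth_sent = [], None, False
    for stream, start, headers in trace:
        h = {k.lower(): v for k, v in headers.items()}
        kind = ntlm_type(h.get("www-authenticate") or h.get("authorization") or "")
        is_response = start.startswith("HTTP/")
        if is_response and kind == "CHALLENGE":
            challenge_stream = stream
            keep = h.get("connection", "").lower()
            # HTTP/1.0 is non-persistent unless keep-alive is requested explicitly
            if keep == "close" or (start.startswith("HTTP/1.0") and keep != "keep-alive"):
                findings.append("challenge sent on a connection that will not persist")
        elif not is_response and kind == "AUTH":
            auth_sent = True
            if stream != challenge_stream:  # NTLM state is bound to the TCP connection
                findings.append("AUTH sent on a different TCP connection than CHALLENGE")
        elif is_response and auth_sent and start.split()[1] == "401":
            findings.append(f"401 after AUTH ({start.split()[0]})")
    return findings

def token(n):  # constructed: signature + message type only, not a full NTLM message
    return "NTLM " + base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", n) + bytes(8)).decode()

# Constructed trace shaped like the Windows 7 through Squid case quoted above.
SAMPLE = [
    (0, "HTTP/1.1 401 Access denied", {"WWW-Authenticate": "NTLM"}),
    (0, "GET http://sharepointURL/ HTTP/1.1", {"Authorization": token(1)}),
    (0, "HTTP/1.1 401 Unauthorized", {"WWW-Authenticate": token(2)}),
    (0, "GET http://sharepointURL/ HTTP/1.1", {"Authorization": token(3)}),
    (0, "HTTP/1.0 401 Unauthorized", {"WWW-Authenticate": "NTLM"}),
]
```

Running `check_handshake` over the client-side and server-side captures of the same request shows on which side of the proxy the connection binding is lost.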