Hi.
Unfortunately again, in this case we are operating at the limits of my
own knowledge. So your idea of calling in a real Windows authentication
specialist may be your best bet.
See below for more details.
Savoy, Melinda wrote:
Thanks Andre. Appreciate the explanation.
I downloaded Fiddler as you suggested, and meant to send this in the earlier
post.
Good.
In the RAW HEADER I get the following when I enter this URL in my IE browser:
http://scmisdev
GET / HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,
application/x-shockwave-flash, application/x-ms-application,
application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml,
application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0;
.NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET
CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: scmisdev
Authorization: Negotiate
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
In the AUTH window I see the following:
No Proxy-Authenticate Header is present.
WWW-Authenticate Header is present: Negotiate
WWW-Authenticate Header is present: NTLM
This last puzzles me, because it does not match what you indicate just
above : there does not appear to be an "Authorization: NTLM .." HTTP
header in the request, but Fiddler2 seems to say there is.
I do not know the explanation of that.
In the RAW window I see the following:
HTTP/1.1 401 Unauthorized
Content-Length: 1656
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Here is a puzzle too (for me) : I do not understand why there are two
distinct WWW-Authenticate headers.
Unfortunately, I don't have an IIS server handy to compare.
Date: Fri, 04 Jun 2010 12:30:03 GMT
Proxy-Support: Session-Based-Authentication
...
<h1>You are not authorized to view this page</h1>
You do not have permission to view this directory or page using the credentials
that you supplied because your Web browser is sending a WWW-Authenticate header
field that the Web server is not configured to accept.
This on the other hand seems clear : the IIS server is set up (for this
"directory") to accept one mode of authentication (probably NTLM, only),
and it gets mad because the browser is trying to authenticate using
another method (probably this "Negotiate" method mentioned earlier).
And, it is still clear that this is an issue between the browser and the
IIS server. Tomcat is not yet involved here, and neither is the isapi
redirector.
One important question : when you are trying this, is your (presumably)
Windows workstation logged into the same Windows domain as the one the
server belongs to ?
(I mean, you are they both local in the same LAN, or are you accessing
the server from home via some VPN or so ?)
Finally, by searching Google for
Authorization: Negotiate
I found the following, which seems to provide the beginning of an
explanation :
http://www.rfc-archive.org/getrfc.php?rfc=4559
At least it provides a clue as to why this HTTP header is present in the
exchanges. The article also provides references to further reading.
I have no idea at the moment if this is part of the problem you are
having, but it triggers another question : is your organisation using
Kerberos-type authentication for its Windows domain ?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
