I have problems with a single user in an intranet application. The client side is a WPF application which communicates with a ASP.Net Web API Web Service.
The client sends HTTPS GET and POST requests using
HttpClientHandler handler = new HttpClientHandler()
{
AutomaticDecompression = DecompressionMethods.Deflate | DecompressionMethods.GZip,
UseDefaultCredentials = true,
PreAuthenticate = true
};
On IIS Windows authentication is enabled with NTLM and Negotiate providers.
The system works for all users except one that gets 401.1 but only from POST requests.
I'm currenty trying to figure out what's different with this user. The only thing I noticed is a different kind of authorization header.
From here (and many other resources) I read:
If the header starts with a "T" (example: HTTP: Authorization = Negotiate TlRMTVNTU...) then you're using NTLM. If it starts with a "Y" (example: Authorization: Negotiate YIILjgYGKwYB...) then you're successfully using Kerberos.
I can see headers for working requests that seems to use Kerberos:
Authorization: Negotiate YIIT4QYGKwYBBQUCoIIT1TCC...
The header which is sent from the user which fails to POST looks like
Authorization: Negotiate oYICOTCCAjWgAwoBAaKCAhg...
It starts with o
. So is this NTLM or Kerberos? The authentication fails for POST request, but succeeds on GET!
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…