Forum Discussion
rluyster
Nimbostratus
Apr 15, 2008

Prompting for passwords

I have set up a virtual server with only one server behind it. It is a simple HTTP connection; however, when I try to access the application, I am prompted to enter my userid and password. When accessing the application directly on the server this is not the case. To make things even worse, I have now discovered that some users are not prompted when accessing via the F5 while others still are. No one is prompted when not passing through the F5.
13 Replies
- hoolio
Cirrostratus
Are you performing source address translation on the BIG-IP? If so, the client IP address that the web server sees would change. Does the web server request credentials from the client through the BIG-IP because the IP address isn't what it's expecting?
Else, perhaps multiple client HTTP requests are being sent over the same TCP connections using OneConnect.
What kind of authentication is the server performing? What do you see in the server logs when the issue occurs?
Aaron

- rluyster
Nimbostratus
Aaron
To answer your questions: yes, SNAT is enabled; it is using Windows authentication; multiple requests is not an issue, as this is in a test setup for now and it is a very small group doing the testing; also, OneConnect is not enabled for this server; and yes, all the traffic is passing through the BIG-IP.

- hoolio
Cirrostratus
It's very odd that only some users are prompted for a password through the BIG-IP. Is it possible that some users already entered a password and their browser is caching it? Do you see in the server logs that the users which don't get prompted have an authorization header with a user/pass (or NTLM token) set?
Are you able to change the default gateway of the test server to the BIG-IP's self IP and disable SNAT? If so, do some users still get prompted for a password?
Aaron

- rluyster
Nimbostratus
We are not able to change the server. Here is the interesting part of all of this: I have dumped the interfaces. When it works, the client gets back a "401 not authorized" and then sends an NTLMSSP_Negotiate; when it fails, the client sees the "401 not authorized" but it does not send the NTLMSSP_Negotiate. Now for the real interesting part: from the same client, with no changes, if I try to hit the server by the IP of the virtual server in the BIG-IP it fails; however, if I set up a DNS entry for the IP of the virtual server and hit the server by name, it works every time, and so far from every machine.

- hoolio
Cirrostratus
When clients make a request directly to the server by IP address, do they get the same results as when they access the VIP by IP address?
I'm not familiar enough with NTLM to know why it would make a difference whether the client makes a request by IP or port. Does anyone else have ideas?
Else, this page has a good quick summary of the NTLM:
NTLM Authentication Scheme for HTTP
http://davenport.sourceforge.net/ntlm.html
Aaron

- rluyster
Nimbostratus
No, access directly to the server works whether the client uses the IP address or the name. The frustrating part has been that sometimes it will also work through the BIG-IP; I just can't place my finger on why or when. From the same machine it may not work in the morning but does in the afternoon. I too am not that familiar with NTLM, but this link looks like a good starting point. Thanks.

- Ravi_Rajan_7549
Nimbostratus
Hi,
We faced this issue some time back, and it was a problem with OneConnect and NTLM connection handling.
Disabling oneconnect worked for us.
Regards,
Ravi

- jsudy_47579
Nimbostratus
I'm having the same issue and here is what I have found in troubleshooting so far:
We are running IIS 6 on Win 2003 and the sites in question are ASP.Net v2.0.5. I have two web sites in the same app pool; one is set to use Windows Integrated Authentication (WI) and the other Allow Anonymous Access (AA). Hitting the (AA) site after launching the (WI) site will cause the credential prompt. Happens every time. I enabled (WI) on the (AA) site, and all the issues went away...mostly. Seems the network team was able to get a few with lots and lots of requests to the first (WI) site. My thinking is that these may have been caused by other users having a legitimate security failure (i.e. locked account), since the client IP (c-ip) is always the F5's IP. I may be off base here, but it seems the IIS auth token is cleared and authorization is required of the next user to make a request. A possible solution would be to do the IP replace in the header as suggested above. I'm not a network guy though, and don't know how this would impact the rest of our world. Any comments would be appreciated.

This is only occurring via the DNS name which is routed through the F5s. ip:port and servername:port work just fine, but aren't going through the F5s.

- jasonpsmith_408
Nimbostratus
I have a similar issue. IIS6 win2003, 2 servers in a round robin.
The site has Windows Integrated Authentication (WI) enabled. I will get prompted randomly for username and password.
I can hit the site
I get prompted
I can hit Escape (no need to enter the username and pass)
I hit Refresh and it works.
Here is where the random comes in.
Sometimes I can hit Refresh again and it still works, some times it prompts again.
If it prompts again I can start over and hit Escape, then Refresh.
If I go to the IP of either server it always works; if I go to the IP of the VIP it is random.
I do have OneConnect enabled.

- hoolio
Cirrostratus
Which LTM version are you running? If you disable OneConnect on the VIP, do you still see the issue?
Aaron
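Several replies above point at OneConnect as the suspect, and the thread never spells out why connection reuse would break NTLM. The following is an added example, not code from this thread, from F5 or from IIS: it is a constructed model of the three-message NTLM-over-HTTP handshake described at the davenport page linked above (Type 1 Negotiate, Type 2 Challenge, Type 3 Authenticate), together with a parser that classifies an `Authorization: NTLM <base64>` value by its message type, which is the check hoolio suggests doing against the server logs. The server model is a simplified assumption of how a connection-oriented authenticator behaves (the challenge is tied to the TCP connection it was issued on, and once the connection is authenticated, further requests on it are treated as that user); the `pool-conn-1` name and the message interleaving order are constructed for the demonstration.

```python
"""Constructed model of NTLM-over-HTTP handshake state versus connection
multiplexing. Added example; not code from the thread, F5 or IIS."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"          # 8-byte signature at offset 0
NTLM_TYPES = {1: "Negotiate", 2: "Challenge", 3: "Authenticate"}


def ntlm_message_type(header_value):
    """Classify an 'NTLM <base64>' header value (Authorization or
    WWW-Authenticate). Returns 'Negotiate', 'Challenge', 'Authenticate',
    or None when the value is not a well-formed NTLMSSP message."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].upper() != "NTLM":
        return None                           # e.g. bare 'NTLM' or 'Basic ...'
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:                        # binascii.Error is a ValueError
        return None
    if len(blob) < 12 or not blob.startswith(NTLMSSP_SIGNATURE):
        return None
    (msg_type,) = struct.unpack_from("<I", blob, 8)   # little-endian type field
    return NTLM_TYPES.get(msg_type)


def make_ntlm_message(msg_type):
    """Minimal NTLMSSP header (signature + type) for the model.
    Real messages carry flags, domain and security buffers after this."""
    raw = NTLMSSP_SIGNATURE + struct.pack("<I", msg_type)
    return "NTLM " + base64.b64encode(raw).decode("ascii")


class ConnectionOrientedServer:
    """Assumed behaviour of a connection-oriented NTLM authenticator:
    handshake state lives on the TCP connection, not on the request."""

    def __init__(self):
        self.state = {}                       # conn_id -> None | challenged | authenticated

    def handle(self, conn_id, authorization):
        state = self.state.get(conn_id)
        msg = ntlm_message_type(authorization) if authorization else None
        if msg is None:
            if state == "authenticated":
                return 200                    # connection already carries an identity
            self.state[conn_id] = None        # anonymous request resets a half-done handshake
            return 401
        if msg == "Negotiate":
            self.state[conn_id] = "challenged"
            return 401                        # would carry WWW-Authenticate: NTLM <Type 2>
        if msg == "Authenticate":
            if state == "challenged":
                self.state[conn_id] = "authenticated"
                return 200
            self.state[conn_id] = None        # Type 3 with no outstanding challenge here
            return 401
        return 400


def run_scenario(multiplexed):
    """Client A performs the handshake while client B's first request
    arrives in the middle. Returns the status codes A and B observe.
    multiplexed=True models OneConnect-style reuse of one server-side
    connection for both clients; False gives each client its own."""
    server = ConnectionOrientedServer()
    conn = (lambda client: "pool-conn-1") if multiplexed else (lambda client: "conn-" + client)
    statuses = [
        server.handle(conn("A"), None),                     # A: anonymous GET -> 401
        server.handle(conn("A"), make_ntlm_message(1)),     # A: Type 1 -> 401 + challenge
        server.handle(conn("B"), None),                     # B: anonymous GET interleaved
        server.handle(conn("A"), make_ntlm_message(3)),     # A: Type 3
    ]
    return statuses


def run_identity_leak_scenario():
    """After A has authenticated on the shared connection, B's anonymous
    request on the same connection is answered as A: returns B's status."""
    server = ConnectionOrientedServer()
    server.handle("pool-conn-1", make_ntlm_message(1))
    server.handle("pool-conn-1", make_ntlm_message(3))      # A is now bound to the connection
    return server.handle("pool-conn-1", None)                # B rides the same connection


if __name__ == "__main__":
    print("own connections:", run_scenario(False))          # A's Type 3 is accepted
    print("shared connection:", run_scenario(True))         # A's Type 3 is rejected -> prompt
    print("B on A's connection:", run_identity_leak_scenario())
```

With separate connections the final Type 3 is accepted (200); with the shared connection the interleaved anonymous request from B lands on A's half-finished handshake, the challenge is lost, and A's Type 3 is rejected with 401, which is exactly the point at which a browser falls back to a credential prompt. The second scenario shows the other side of the same coin: once the shared connection is authenticated as A, a later request from B on that connection is served as A without presenting any credentials, so the symptom in this thread is not only an annoyance but a request-attribution problem whenever connection-oriented authentication is multiplexed.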