IIS Windows Authentication prompts for site pages multiple times, authPersistSingleResponse=false

10 replies

Last post Apr 16, 2020 04:46 AM by nbagency

  • IIS Windows Authentication prompts for site pages multiple times, authPersistSingleResponse=false

    May 09, 2017 05:02 PM|rmcgarry

    This refers to IIS 8.5. "authPersistSingleResponse" is set to false.

    The site has a default landing page, written in ColdFusion, but doesn't do anything more than print HTML and basic JS to move around the site.  The site root has Anonymous access and Windows Authentication enabled.  Inside is a secure folder which has Anonymous access disabled, and Windows Authentication Enabled.  This works as expected.  The user is challenged for AD credentials, and when authenticated, the user is allowed in.

        <location path="cfreports">
            <system.webServer>
                <security>
                    <authentication>
                        <windowsAuthentication enabled="true" />
                    </authentication>
                </security>
            </system.webServer>
        </location>
        <location path="cfreports/reports/">
            <system.webServer>
                <security>
                    <authentication>
                        <anonymousAuthentication enabled="false" />
                    </authentication>
                </security>
            </system.webServer>
        </location>

    As expected, when a user clicks on a link to any page (e.g. "/reports/create/default.cfm"), the user is allowed in without being prompted again.  Note that authPersistSingleRequest is set to FALSE. 

    If they click a link on THAT page, they're prompted for credentials again.  If the user enters credentials, it works properly.  If the user hits Cancel, the user is still allowed access to that default.cfm page.  No matter what you do, ColdFusion sees the credentials are present on that page too.  From that point, if you hit refresh, you get challenged again, and then if you hit cancel, you get a 401.

    (401 - Unauthorized: Access is denied due to invalid credentials.)

    Then it becomes inconsistent.  Every time you access a different page, even ones you've authenticated before, sometimes you're prompted, sometimes you're not.  Sometimes entering credentials works, sometimes it doesn't.  

    Digging into the security settings, I found that authPersistSingleRequest is not set, which means it's false.  Configuration Editor showed the same thing.

        <security>
            <access sslFlags="None" />
            <applicationDependencies />
            <authentication>
                <anonymousAuthentication enabled="true" userName="IUSR" />
                <basicAuthentication enabled="false" />
                <clientCertificateMappingAuthentication />
                <digestAuthentication />
                <iisClientCertificateMappingAuthentication />
                <windowsAuthentication enabled="false" authPersistNonNTLM="true">
                    <providers>
                        <add value="Negotiate" />
                        <add value="NTLM" />
                    </providers>
                </windowsAuthentication>
            </authentication>
            <authorization />

    I'm out of ideas, and I am unable to figure out the correct terms to search on.

  • Re: IIS Windows Authentication prompts for site pages multiple times, authPersistSingleResponse=f...

    May 10, 2017 12:38 AM|Ken Schaefer

    rmcgarry

    I'm out of ideas, and I am unable to figure out the correct terms to search on.

    I'm having a little difficulty following your exact configuration. The last snippet of XML you've posted shows AnonymousAuthentication is enabled, and WindowsAuthentication is disabled. This matches none of the descriptions of your sections (root and /reports) in your initial paragraphs.

    Additionally, it shows authPersistNonNTLM="true", which would affect Kerberos-based authentication. You haven't described whether the client is using NTLM or Kerberos for requests. Additionally, are the requests GET requests or POST requests?

    Can you clarify your exact setup please?

  • Re: IIS Windows Authentication prompts for site pages multiple times, authPersistSingleResponse=f...

    May 10, 2017 02:00 PM|rmcgarry

    Thank you so much for your response!

    I apologize for any confusion.  I don't do a lot with IIS anymore, so if what I'm doing is complete lunacy, please feel free to let me know.  A lot of what I'm doing is based on some training I got for earlier versions and for answers on different search engines.

    I set everything up using the IIS Manager, and didn't touch any XML or Configuration Editor at all. 

    The XML is exactly as I found it.  There are two locations, the site root, and a folder.  The first has both Windows and Anonymous Authentication (anonymous is default, and not shown).  The second has Anonymous explicitly disabled, which would leave Windows Authentication enabled because it was inherited from the site root.  Going through the IIS Manager, the folders are set up like this:

    • Site Root
        • Windows Authentication Enabled
        • Anonymous Authentication Enabled
    • /Folder
        • Windows Authentication Enabled
        • Anonymous Authentication disabled

    I am not relying, and have not done anything with Kerberos at all.  I am relying solely on "Windows Authentication" for security on this folder, with providers being Negotiate and NTLM, in that order.

    "authPersistNonNTLM" is not something I explicitly set.  I didn't touch the XML file, other than to copy/paste the sections I felt were relevant.

    There are no forms involved, everything is a basic GET request.

    As to the last section of XML, I think those are the Server settings, which match the Authentication configuration of the server itself.  The location I found them in was:

    configuration --> system.webServer --> security

  • Re: IIS Windows Authentication prompts for site pages multiple times, authPersistSingleResponse=f...

    May 11, 2017 09:43 AM|Yuk Ding

    Hi rmcgarry,

    If Windows authentication keeps prompting for credentials, have you tried adding the website to the local intranet zone in IE -> Internet Options -> Security -> Local intranet -> Sites -> Advanced? If the site is not in the local intranet list, that could prevent the web browser from sending the credentials to the IIS server.

    Enabling both anonymous and Windows authentication could lead to the page content and the prompt showing up at the same time.

    Best Regards,

    Yuk Ding

    MSDN Community Support
    Please remember to "Mark as Answer" the responses that resolved your issue.
  • Re: IIS Windows Authentication prompts for site pages multiple times, authPersistSingleResponse=f...

    May 12, 2017 02:14 AM|Ken Schaefer

    rmcgarry

    As to the last section of XML, I think those are the Server settings, which match the Authentication configuration of the server itself.  The location I found them in was:

    Thanks for clarifying. So basically you are finding all these settings in the applicationHost.config file, and the last snippet you posted is also from that file? In which case, you're right that these are the default server-level settings.

    Have you looked in the IIS log files to see what's being sent to the client? You should see 401 (in the sc-status column) for Access Denied responses from the server, which would then prompt the browser to pop-up the credentials dialogue.

    Are you able to post a snippet from the logs that shows the behavior sequence you were telling us about (requests where the prompt appeared vs. didn't? or where the user has clicked cancel?)

  • Re: IIS Windows Authentication prompts for site pages multiple times, authPersistSingleResponse=f...

    May 15, 2017 04:55 PM|rmcgarry

    As to the earlier comment, no, making the site into Intranet would not meet our requirements.

    This is not how any web server is supposed to behave, and it is preferable to have it fixed properly, rather than force all our users into a workaround that may compromise their own safety.

    Thanks, though.

    Logs:

    2017-05-15 16:57:51 GET /reports/ - - HTTP/1.1 <browser> - 200 0 0 4805 <me>
    2017-05-15 16:57:51 GET /images/logo.png - - HTTP/1.1 <browser> https://<server>/reports/ 200 0 0 46897 <me>
    2017-05-15 16:57:51 GET /images/headerBottom.png - - HTTP/1.1 <browser> https://<server>/style/style.css 200 0 0 483 <me>
    2017-05-15 16:57:51 GET /images/contentTop.jpg - - HTTP/1.1 <browser> https://<server>/style/style.css 200 0 0 542 <me>
    2017-05-15 16:57:55 GET /reports/ - - HTTP/1.1 <browser> https://<server>/reports/ 200 0 0 5147 <me>
    2017-05-15 16:57:55 GET /reports/Images/secure.jpg - - HTTP/1.1 <browser> https://<server>/reports/sdos/ 200 0 0 1020 <me>
    2017-05-15 16:57:56 GET /reports/secure/index.cfm - - HTTP/1.1 <browser> https://<server>/reports/sdos/ 401 2 5 1486 <me>
    2017-05-15 16:58:02 GET /reports/secure/index.cfm - - HTTP/1.1 <browser> https://<server>/reports/sdos/ 401 1 3221225581 1486 <me>
    2017-05-15 16:58:07 GET /reports/secure/index.cfm - <domain>\rmcgarry HTTP/1.1 <browser> https://<server>/reports/sdos/ 200 0 0 5429 <me>
    2017-05-15 16:58:08 GET /reports/secure/Admin/index.cfm - - HTTP/1.1 <browser> https://<server>/reports/secure/index.cfm 401 2 5 1486 <me>
    2017-05-15 16:58:08 GET /reports/secure/Admin/index.cfm - <domain>\rmcgarry HTTP/1.1 <browser> https://<server>/reports/secure/index.cfm 200 0 0 4399 <me>
    2017-05-15 16:58:11 GET /reports/secure/Admin/recipientTermDataCheck.cfm - <domain>\rmcgarry HTTP/1.1 <browser> https://<server>/reports/secure/Admin/index.cfm 200 0 0 6821 <me>
    2017-05-15 16:58:11 GET /cfscripts/cfform.js - <domain>\rmcgarry HTTP/1.1 <browser> https://<server>/reports/secure/Admin/recipientTermDataCheck.cfm 401 3 5 1486 <me>
    2017-05-15 16:58:11 GET /cfscripts/masks.js - - HTTP/1.1 <browser> https://<server>/reports/secure/Admin/recipientTermDataCheck.cfm 200 0 0 4229 206.176.14.173
    2017-05-15 16:58:11 GET /cfscripts/cfform.js - <domain>\rmcgarry HTTP/1.1 <browser> https://<server>/reports/secure/Admin/recipientTermDataCheck.cfm 401 3 5 1486 206.176.14.173
    2017-05-15 16:58:19 GET /reports/secure/index.cfm - - HTTP/1.1 <browser> https://<server>/reports/secure/Admin/recipientTermDataCheck.cfm 401 1 3221225581 1486 206.176.14.173
    


    I've removed the extraneous images/css from this, and cleaned out any specifics.  Browser is Firefox 53.0.

    As you can see, I get challenged about halfway down the log snippet.  I am then logged into the browser until we get to the "/cfscripts/cfform.js" line, where I get challenged.  "/cfscripts" is open to anonymous and Windows Authentication.  When I hit escape on the prompt, you see my username disappear from the logs near the end, meaning that at that point my credentials were un-set. 

    Here's my proof that cfscripts is open to anonymous:

    2017-05-15 17:40:21 GET /cfscripts/cfform.js - - HTTP/1.1 <browser> - 200 0 0 11269 <me>

    Sorry for all the edits...  needed to get rid of identifying info...
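
Added example (not part of the thread): a small Python parser for log lines in the layout posted above that names each 401 sub-status and Win32 code and lists paths that succeed anonymously but return 401.3 once a username is attached, as `/cfscripts/cfform.js` does in the post. The field order, the sample lines, and the names `parse`, `explain` and `acl_mismatches` are assumptions made for this example.

```python
from collections import namedtuple

# Assumed field order, inferred from the log lines in the post (its #Fields
# header is not shown); "extra" is the unlabelled number before the client IP.
FIELDS = ("date time method uri query username version agent referer "
          "status substatus win32 extra client").split()
Entry = namedtuple("Entry", FIELDS)

SUBSTATUS_401 = {1: "logon failed",
                 2: "logon failed due to server configuration",
                 3: "unauthorized due to ACL on resource"}
WIN32 = {5: "ERROR_ACCESS_DENIED", 0xC000006D: "STATUS_LOGON_FAILURE"}

# Constructed sample modelled on the thread's log; host, user and IP are placeholders.
SAMPLE = r"""
#Software: constructed sample
2017-05-15 16:57:56 GET /reports/secure/index.cfm - - HTTP/1.1 UA https://srv.example/reports/ 401 2 5 1486 192.0.2.10
2017-05-15 16:58:02 GET /reports/secure/index.cfm - - HTTP/1.1 UA https://srv.example/reports/ 401 1 3221225581 1486 192.0.2.10
2017-05-15 16:58:07 GET /reports/secure/index.cfm - EXAMPLE\alice HTTP/1.1 UA https://srv.example/reports/ 200 0 0 5429 192.0.2.10
2017-05-15 16:58:11 GET /cfscripts/cfform.js - EXAMPLE\alice HTTP/1.1 UA https://srv.example/reports/secure/index.cfm 401 3 5 1486 192.0.2.10
2017-05-15 16:58:11 GET /cfscripts/masks.js - - HTTP/1.1 UA https://srv.example/reports/secure/index.cfm 200 0 0 4229 192.0.2.10
2017-05-15 17:40:21 GET /cfscripts/cfform.js - - HTTP/1.1 UA - 200 0 0 11269 192.0.2.10
"""

def parse(text):
    """Return Entry tuples; skips # directives, blanks and lines in another layout."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        e = Entry(*parts)
        entries.append(e._replace(status=int(e.status),
                                  substatus=int(e.substatus), win32=int(e.win32)))
    return entries

def explain(e):
    """Describe a 401 entry; returns None for any other status."""
    if e.status != 401:
        return None
    reason = SUBSTATUS_401.get(e.substatus, "other sub-status")
    win32 = WIN32.get(e.win32, str(e.win32))
    who = "no credentials" if e.username == "-" else e.username
    return f"{e.uri}: 401.{e.substatus} {reason}, win32={win32}, user={who}"

def acl_mismatches(entries):
    """Paths served anonymously (200, no username) that return 401.3 with a username."""
    anon_ok = {e.uri for e in entries if e.status == 200 and e.username == "-"}
    return sorted({e.uri for e in entries if e.status == 401 and e.substatus == 3
                   and e.username != "-" and e.uri in anon_ok})
```
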

  • Re: IIS Windows Authentication prompts for site pages multiple times, authPersistSingleResponse=f...

    May 19, 2017 09:43 AM|Yuk Ding

    Hi rmcgarry,

    You could try accessing the website via Internet Explorer and adding the website to the local intranet zone. If the website is not trusted, the web browser would not even send the username and password.

    Best Regards,

    Yuk Ding

  • Re: IIS Windows Authentication prompts for site pages multiple times, authPersistSingleResponse=f...

    Mar 07, 2019 06:09 PM|cmatrask

    Hi Mr. Yuk,

    I've tried this, but it hasn't worked.

    We've even added the CAs to AD and we still get the authentication prompt. :( 
    Any other ideas?
    Thanks much,

    Cheryl

  • Re: IIS Windows Authentication prompts for site pages multiple times, authPersistSingleResponse=f...

    Mar 08, 2019 04:19 AM|lextm

    cmatrask

    I've tried this, but it hasn't worked.

    We've even added the CAs to AD and we still get the authentication prompt. :( 
    Any other ideas?

    Please post a new question with more details. This thread is about a 401.3 issue showing in IIS log files, and why it happened for a ColdFusion application. It is not likely that you hit exactly the same issue.

    Lex Li
    IIS Consulting Services at https://support.lextudio.com/services/consulting.html
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: IIS Windows Authentication prompts for site pages multiple times, authPersistSingleResponse=f...

    Mar 10, 2020 12:53 AM|rakeshjigalur

    I had the same issue. Tried many things but didn't work. What worked is changing Authorization Rules. 

    Go To Features View in your Virtual Directory -> Authorization Rules -> Select the rule -> Click Edit -> Select "All Users" and click OK.

    Recycle the app pool and refresh the URL. That worked for me.

  • Re: IIS Windows Authentication prompts for site pages multiple times, authPersistSingleResponse=f...

    Apr 16, 2020 04:46 AM|nbagency

    thank you
