integrated windows authentication - web services

[Tim B]

I have a performance question.

I have a web service in a machine (not in the a domain at
all) and the virtual directory is setup for integrated
windows auth. The server is WIN2003.

When I call the service from my code I set up a
credential cache with the appropriate credentials and the
call succeeds.

My question is - why when I look at the IIS logs on the
server does it show 2 401 responses prior to the third
attempt showing up with the correct username ?

The only way this doesn't happen is if I enable anonymous
access.

In reading various posts I thought that by removing some
of the other auth methods (basic, digest) from the
authentication manager that it might resolve this, but it
had no effect.

BTW the security logs just show a sucessful logon using
ntlm.

Any thoughts on how to avoid this ?


I'm wondering about the

[Jacob Yang [MSFT]]

Hi Tim,

Currently I have not a specific answer for this issue. Please tell me the
sub error code of the 401 error. (The 401 error has 5 sub error codes.)

In addition, I have found an article regarding this issue for your
reference:

HTTP Security and ASP.NET Web Services
[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebsrv/ht[/url]
ml/httpsecurity.asp

I hope it helps.

Best regards,

Jacob Yang
Microsoft Online Partner Support
<MCSD>
Get Secure! ¨C [url]www.microsoft.com/security[/url]
This posting is provided "as is" with no warranties and confers no rights.

[TimB]

Thats all interesting information, but if you read the
original post you will note this is not interaction with
IE, rather .NET code calling a webservice.

So I'd still like an answer to the original question..
I am providing all the correct credentials to the web
service proxy, why does it attempt to connect as
anonymous once, then once again and finally on the third
attempt send the credentials.

Is there way around this ? Its hard enough to deal with
the performance issues inherent with web services
architecture to begin with, not to mention the extra
round trips being made becuase it doesn't pass the
credentials along the first time.

Tim

>-----Original Message-----
>Hi Tim,
>
>"401 2 2148074254" means no credential in current

request. This is default

>behavior between client and IIS server. If you browse a

web page in a

>virtrual folder with integrated windows authentication,

you also will get

>same log information. Form the log information, you can

notice the client

>(IE) will first send a request without credential, if

this is rejected by

>"401" it will resend the request with the credential.

Since this wouldn't

>affect the usage of web service, we don't need to pay

many attention on

>this issue.
>
>
>Luke
>Microsoft Online Partner Support
>
>Get Secure! [url]www.microsoft.com/security[/url]
>(This posting is provided "AS IS", with no warranties,

and confers no

>rights.)
>
>.
>

[MSFT]

Hi Tim,

When .NT client access a web service on IIS server, it use same protocol
with IE to IIS server. Therefore, we will get same result in the log. This
is common round for a request and wouldn't impact the performance too much.

Luke
Microsoft Online Partner Support

Get Secure! [url]www.microsoft.com/security[/url]
(This posting is provided "AS IS", with no warranties, and confers no
rights.)