We have an issue on a customer deployment where our web service can only be accessed when the URL uses the IP address rather than the host name. We are using Integrated Windows Authentication to pass the user's Windows credentials so we can automatically log the user into our application. The application itself is a Windows Forms app that uses .NET 2 web proxies to access ASP.NET web services.
In our environment, accessing the services by host name works; in the client's environment, access by host name fails while access by IP address succeeds. In short, the issue appears to lie in the interplay between Kerberos and NTLM authentication. The main difference between our test environment and the client's is that they run the web services as a specific domain user rather than NETWORK_SERVICE, and when you do this Kerberos will not work out of the box.
In short, the following links show how the client's deployment environment can be changed to work with host names when the app pool is not running as NETWORK_SERVICE, either by turning Kerberos authentication off or by fixing it properly using Service Principal Names (SPNs).
Essentially, NTLM is always used when communicating via an IP address (see the Wikipedia NTLM article), because a Kerberos ticket is requested for a service principal name built from the host name; this would explain why accessing the web service via an IP address works.
To change the authentication setting and turn both NTLM and Kerberos authentication on:
http://support.microsoft.com/kb/215383
To turn Kerberos off, and the reason why:
http://piers7.blogspot.com/2007/04/disable-kerberos-on-windows-2003-using.html
To fix it properly using an SPN:
http://support.microsoft.com/?id=929650
Investigation in our environment
The following text records the investigation in our test environment into the ASP.NET web service running as a domain user versus the NETWORK_SERVICE account.
The domain controller logs a logon event when a client talks to a web service that is not running as NETWORK_SERVICE, but this does not show any problem; in general I did not see any events in the domain controller's security log that reveal the issue:
There are no logon events when communicating with a web service running as NETWORK_SERVICE.
The application server has the authentication level set to "Send LM & NTLM – use NTLMv2 session security if negotiated"; it was "Send NTLM response only" on our test environment. It may be the client's setting that counts here, but in any case this has no effect on the choice between Kerberos and NTLM.
Communicating via the IP address:
For some reason no clients can connect to the web service when using the IP address, the exact opposite of the client's environment. Potentially NTLM is broken for us and Kerberos is the only thing that is working: our test environment runs in a VM environment with its own DC and network, but the client and app servers are also connected to our main network to make RDP easy; this may be causing issues and is definitely an area to investigate.
Comms traffic
DNS Name, Network Service
Response 401
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Request
Authorization: Negotiate YIIE0QYGKwYBBQUCoIIExTCCBMGgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBJcEggSTYIIEjwYJKoZIhvcSAQICAQBuggR+MIIEeqADAgEFoQMCAQ6iBwMFACAAAACjggOpYYIDpTCCA6GgAwIBBaEKGwhDUzAyLkNPTaIlMCOgAwIBAqEcMBobBEhUVFAbEmNzMDJhcHAwMS5DUzAyLmNvbaOCA2UwggNhoAMCARehAwIBDKKCA1MEggNP4AAuMFXJKP79YjQoyhaQKaG5Iwmmk8dFvKK/gb+78ZYUZRkZ42S+gNrfETPNJhufN2CGFwyJ9PIBmk0Ra7FIkZrJPLPHcBN97M46O1VOQtJdYYX0XvpdgrjEtuCobGAI43gKEMfGBaSZ1lt5Pi7xpNo1xN76/pgq+4vJvQ+SnOGPLgTRk/lSoVXyX3zJ5UJSmROSsAD46RU6eIQ+pNR8+NjZvd5sclQ8P/L/y62UKFcWKZA2ppVghIrQd1kmvgfip4EdR1/Apf+rT8gvgqxPuSHhfdL/kaQRWjY0dvdCKlxszytF2HQN1wYl/6ECezfeuejwtljVfSjzuAsnhjE2aESJpmXohoTiPD1HD8Hsa6Je8y7WLHyh8+DVoVJzLXPBRg/FxPxrsq1YL/KOJnx9+y9sPwUwMci621Fd571Me+I531YOCPMEQG0APOZR7zGTQRaWMQN602zsh9AKeFcUhcAvDHBPvHzeQ7m5YeOUHNIEH3lrnD8NV5UOqHePZunsHLV9aiehaUtT6rrpjOvVQ1tuvopwph7UE/PStfjLDeG1ClHWlTo8vKdYVaL1w7ktnwhifw/oqd4AiChwe6NIcuFAnvTG1eWoUPcVMHnknPSk6tmclYqn3iDKqnfw52VNoE1f8aRldCWm4hqgnUPbA6+5Z7oWzBy7sxsqE3xaJcsIxeOeeplcEyF7MYQfwo0D5RofHEN2qU+MG/oMCDpMm6zyK7HJXIiAEJh81rb53c9MdAl9aC8X/oUF2x36ntau2KUmm35Wt0QCL5qpjLdMFqYowWzQkogoVykBNUPVeYaaFdYpx/uuRMhWgM9k+8YridLAs+UX4ToJ456Zszk88UiUV7bIQU5LZGg9UDnBQzXSequLcUqD87CVhZb0tTzT7R6JRW9gkkij5tvMCBt8ab4xhhzOz++jPnmLJMSlOwujCNKgD3B0gzMlVHafDJmG3OBbVg3wuXLX5CDqJ4hZh1kpku2bj4mQvD1ZD+Bo+XTkrUCx4gCZAGr/vgizCjQDt4hEz83/9sD+FQP7Phwcfzx3AkWyg01Tb22n8KcF5bg/oy6I30t0eOr/llHtf/spc6PYVY5BZyIqsC7wv9RWaJfPvoTt/MYuni7wlL5zdaSBtzCBtKADAgEXooGsBIGpWy0v1ywq0PMWh3Q6HdKAgMZq4HJASGqCT+Ccg4wIRNnlVYsoEz822J0DdcB3qaxXIX1NcOKIR5Xcds9yJGOR1imL8YHCJX3DsMGqfs4XUBVzF5Y+SGG43/XL7++ERITTbSFzTpwsS82EylwvOEyyAyC96golat9VSJTy3fbzisgGpZn+M4wGeiCOdJz7bS38Xhl+jPkKZpQtb0wDG1juJf4QvSAXFrzPUA==
Response 200
WWW-Authenticate: Negotiate oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWoZdDKSN9Xs6Da1N/G/a/wB0aW1V47bz9OpCwXBnHxTx0tPGrxhI7474Nbg1zaLrIJvOorUSE/q010CuG0t0xYoHIbkirCFcK6LrQgAkXIuyEgkvrTJ+Rl+TBg==
No logon events
IP Address, Network Service
Response 401
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Request –> 401
Authorization: Negotiate TlRMTVNTUAABAAAAt4II4gAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
Response
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAACAAIADgAAAA1gonihXsqEfDBUGoAAAAAAAAAAHYAdgBAAAAABQLODgAAAA9DAFMAMAAyAAIACABDAFMAMAAyAAEAEgBDAFMAMAAyAEEAUABQADAAMQAEABAAQwBTADAAMgAuAGMAbwBtAAMAJABjAHMAMAAyAGEAcABwADAAMQAuAEMAUwAwADIALgBjAG8AbQAFABAAQwBTADAAMgAuAGMAbwBtAAAAAAA=
Request –> 401
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAHYAAAAYABgAjgAAAAgACABIAAAADAAMAFAAAAAaABoAXAAAABAAEACmAAAANYKI4gUBKAoAAAAPQwBTADAAMgBhAGQAbQBpAG4AMQBDAFMAMAAyAEQARQBTAEsAVABPAFAAMAAxAA7a339UA42oAAAAAAAAAAAAAAAAAAAAAAn8jU3tc3kILSb0cqGJjoiOlOdOcU8Le9CGQnUdqskW6W9Z5Fd4R5g=
Response
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Similar requests when not running as NETWORK_SERVICE; the second response is a 401 with:
Request
Authorization: Negotiate YIIE0QYGKwYBBQUCoIIExTCCBMGgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBJcEggSTYIIEjwYJKoZIhvcSAQICAQBuggR+MIIEeqADAgEFoQMCAQ6iBwMFACAAAACjggOpYYIDpTCCA6GgAwIBBaEKGwhDUzAyLkNPTaIlMCOgAwIBAqEcMBobBEhUVFAbEmNzMDJhcHAwMS5DUzAyLmNvbaOCA2UwggNhoAMCARehAwIBDKKCA1MEggNP4AAuMFXJKP79YjQoyhaQKaG5Iwmmk8dFvKK/gb+78ZYUZRkZ42S+gNrfETPNJhufN2CGFwyJ9PIBmk0Ra7FIkZrJPLPHcBN97M46O1VOQtJdYYX0XvpdgrjEtuCobGAI43gKEMfGBaSZ1lt5Pi7xpNo1xN76/pgq+4vJvQ+SnOGPLgTRk/lSoVXyX3zJ5UJSmROSsAD46RU6eIQ+pNR8+NjZvd5sclQ8P/L/y62UKFcWKZA2ppVghIrQd1kmvgfip4EdR1/Apf+rT8gvgqxPuSHhfdL/kaQRWjY0dvdCKlxszytF2HQN1wYl/6ECezfeuejwtljVfSjzuAsnhjE2aESJpmXohoTiPD1HD8Hsa6Je8y7WLHyh8+DVoVJzLXPBRg/FxPxrsq1YL/KOJnx9+y9sPwUwMci621Fd571Me+I531YOCPMEQG0APOZR7zGTQRaWMQN602zsh9AKeFcUhcAvDHBPvHzeQ7m5YeOUHNIEH3lrnD8NV5UOqHePZunsHLV9aiehaUtT6rrpjOvVQ1tuvopwph7UE/PStfjLDeG1ClHWlTo8vKdYVaL1w7ktnwhifw/oqd4AiChwe6NIcuFAnvTG1eWoUPcVMHnknPSk6tmclYqn3iDKqnfw52VNoE1f8aRldCWm4hqgnUPbA6+5Z7oWzBy7sxsqE3xaJcsIxeOeeplcEyF7MYQfwo0D5RofHEN2qU+MG/oMCDpMm6zyK7HJXIiAEJh81rb53c9MdAl9aC8X/oUF2x36ntau2KUmm35Wt0QCL5qpjLdMFqYowWzQkogoVykBNUPVeYaaFdYpx/uuRMhWgM9k+8YridLAs+UX4ToJ456Zszk88UiUV7bIQU5LZGg9UDnBQzXSequLcUqD87CVhZb0tTzT7R6JRW9gkkij5tvMCBt8ab4xhhzOz++jPnmLJMSlOwujCNKgD3B0gzMlVHafDJmG3OBbVg3wuXLX5CDqJ4hZh1kpku2bj4mQvD1ZD+Bo+XTkrUCx4gCZAGr/vgizCjQDt4hEz83/9sD+FQP7Phwcfzx3AkWyg01Tb22n8KcF5bg/oy6I30t0eOr/llHtf/spc6PYVY5BZyIqsC7wv9RWaJfPvoTt/MYuni7wlL5zdaSBtzCBtKADAgEXooGsBIGpQLxhefwgE1t2sjQg+R0KYIhuUh2YhsdAXNmqkDt8dYVY+vczAA5UGPoghBgoPDdD/RAcF1I8XQMNaMQRwVfI+MGLxL6kVGtUbnizUf7o1jmDfvZ09+9TZqnqUXuMDd+IpvgnWI5K5bI6M4PWeDY9Exk2GmVlxBZ3pCREkcE/ke2A53CaZ6dF8OGEbSWWd4x/ec5EqxqeyfAvbsfxaJ6nnh9BK7msOMQBzw==
Response
WWW-Authenticate: Negotiate oYGIMIGFoAMKAQGhCwYJKoZIgvcSAQIConEEb2BtBgkqhkiG9xIBAgIDAH5eMFygAwIBBaEDAgEepBEYDzIwMTAwNzEyMDk1MzQ4WqUFAgMGSpSmAwIBKakKGwhDUzAyLkNPTaolMCOgAwIBA6EcMBobBGhvc3QbEmNzMDJhcHAwMS5jczAyLmNvbQ==
and a subsequent request with:
Authorization: Negotiate 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
Then the final response carries only the two bare WWW-Authenticate headers (Negotiate and NTLM).
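As an added example (not part of the original notes, and not the application's or Microsoft's code), the Python script below decodes the Negotiate header values captured above and reports what each one is: bare NTLM (NEGOTIATE, CHALLENGE or AUTHENTICATE, with the server names carried in the CHALLENGE's target info), or SPNEGO wrapping a Kerberos AP-REQ, AP-REP or KRB-ERROR, with the mechanisms offered, the SPN and realm named in the ticket, the negState of a response and the Kerberos error code. The four token constants are copied verbatim from the captures above; everything else (the minimal DER walker, the NTLM field offsets from MS-NLMP, the OID table and the small RFC 4120 error-code table) is written here for this example and assumes single-byte ASN.1 tags, which is all these tokens use.

```python
"""Inspect Negotiate tokens from an IWA exchange: bare NTLM vs SPNEGO/Kerberos, and why a logon failed."""
import base64

OID_NAMES = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos V5",
             "1.2.840.48018.1.2.2": "MS Kerberos V5", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
KRB_APP_TAGS = {0x61: "Ticket", 0x6E: "AP-REQ", 0x6F: "AP-REP", 0x7E: "KRB-ERROR"}  # ASN.1 APPLICATION tags
KRB_TOKEN_IDS = (b"\x01\x00", b"\x02\x00", b"\x03\x00")  # GSS krb5 token ids that follow the mech OID
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
KRB_ERRORS = {7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 37: "KRB_AP_ERR_SKEW", 41: "KRB_AP_ERR_MODIFIED"}  # RFC 4120
NTLM_AV = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName", 5: "DnsTreeName"}
NTLMSSP = b"NTLMSSP\x00"
# Header values copied from the captures in the notes above (captured data, not constructed).
AP_REQ_TOKEN = "YIIE0QYGKwYBBQUCoIIExTCCBMGgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBJcEggSTYIIEjwYJKoZIhvcSAQICAQBuggR+MIIEeqADAgEFoQMCAQ6iBwMFACAAAACjggOpYYIDpTCCA6GgAwIBBaEKGwhDUzAyLkNPTaIlMCOgAwIBAqEcMBobBEhUVFAbEmNzMDJhcHAwMS5DUzAyLmNvbaOCA2UwggNhoAMCARehAwIBDKKCA1MEggNP4AAuMFXJKP79YjQoyhaQKaG5Iwmmk8dFvKK/gb+78ZYUZRkZ42S+gNrfETPNJhufN2CGFwyJ9PIBmk0Ra7FIkZrJPLPHcBN97M46O1VOQtJdYYX0XvpdgrjEtuCobGAI43gKEMfGBaSZ1lt5Pi7xpNo1xN76/pgq+4vJvQ+SnOGPLgTRk/lSoVXyX3zJ5UJSmROSsAD46RU6eIQ+pNR8+NjZvd5sclQ8P/L/y62UKFcWKZA2ppVghIrQd1kmvgfip4EdR1/Apf+rT8gvgqxPuSHhfdL/kaQRWjY0dvdCKlxszytF2HQN1wYl/6ECezfeuejwtljVfSjzuAsnhjE2aESJpmXohoTiPD1HD8Hsa6Je8y7WLHyh8+DVoVJzLXPBRg/FxPxrsq1YL/KOJnx9+y9sPwUwMci621Fd571Me+I531YOCPMEQG0APOZR7zGTQRaWMQN602zsh9AKeFcUhcAvDHBPvHzeQ7m5YeOUHNIEH3lrnD8NV5UOqHePZunsHLV9aiehaUtT6rrpjOvVQ1tuvopwph7UE/PStfjLDeG1ClHWlTo8vKdYVaL1w7ktnwhifw/oqd4AiChwe6NIcuFAnvTG1eWoUPcVMHnknPSk6tmclYqn3iDKqnfw52VNoE1f8aRldCWm4hqgnUPbA6+5Z7oWzBy7sxsqE3xaJcsIxeOeeplcEyF7MYQfwo0D5RofHEN2qU+MG/oMCDpMm6zyK7HJXIiAEJh81rb53c9MdAl9aC8X/oUF2x36ntau2KUmm35Wt0QCL5qpjLdMFqYowWzQkogoVykBNUPVeYaaFdYpx/uuRMhWgM9k+8YridLAs+UX4ToJ456Zszk88UiUV7bIQU5LZGg9UDnBQzXSequLcUqD87CVhZb0tTzT7R6JRW9gkkij5tvMCBt8ab4xhhzOz++jPnmLJMSlOwujCNKgD3B0gzMlVHafDJmG3OBbVg3wuXLX5CDqJ4hZh1kpku2bj4mQvD1ZD+Bo+XTkrUCx4gCZAGr/vgizCjQDt4hEz83/9sD+FQP7Phwcfzx3AkWyg01Tb22n8KcF5bg/oy6I30t0eOr/llHtf/spc6PYVY5BZyIqsC7wv9RWaJfPvoTt/MYuni7wlL5zdaSBtzCBtKADAgEXooGsBIGpWy0v1ywq0PMWh3Q6HdKAgMZq4HJASGqCT+Ccg4wIRNnlVYsoEz822J0DdcB3qaxXIX1NcOKIR5Xcds9yJGOR1imL8YHCJX3DsMGqfs4XUBVzF5Y+SGG43/XL7++ERITTbSFzTpwsS82EylwvOEyyAyC96golat9VSJTy3fbzisgGpZn+M4wGeiCOdJz7bS38Xhl+jPkKZpQtb0wDG1juJf4QvSAXFrzPUA=="  # client request, DNS name, app pool as NETWORK_SERVICE
AP_REP_TOKEN = "oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWoZdDKSN9Xs6Da1N/G/a/wB0aW1V47bz9OpCwXBnHxTx0tPGrxhI7474Nbg1zaLrIJvOorUSE/q010CuG0t0xYoHIbkirCFcK6LrQgAkXIuyEgkvrTJ+Rl+TBg=="  # the 200 response to it
NTLM_CHALLENGE_TOKEN = "TlRMTVNTUAACAAAACAAIADgAAAA1gonihXsqEfDBUGoAAAAAAAAAAHYAdgBAAAAABQLODgAAAA9DAFMAMAAyAAIACABDAFMAMAAyAAEAEgBDAFMAMAAyAEEAUABQADAAMQAEABAAQwBTADAAMgAuAGMAbwBtAAMAJABjAHMAMAAyAGEAcABwADAAMQAuAEMAUwAwADIALgBjAG8AbQAFABAAQwBTADAAMgAuAGMAbwBtAAAAAAA="  # 401 challenge when the client used the IP address
KRB_ERROR_TOKEN = "oYGIMIGFoAMKAQGhCwYJKoZIgvcSAQIConEEb2BtBgkqhkiG9xIBAgIDAH5eMFygAwIBBaEDAgEepBEYDzIwMTAwNzEyMDk1MzQ4WqUFAgMGSpSmAwIBKakKGwhDUzAyLkNPTaolMCOgAwIBA6EcMBobBGhvc3QbEmNzMDJhcHAwMS5jczAyLmNvbQ=="  # 401 response when the app pool runs as a domain user

def le(b, off, n):
    return int.from_bytes(b[off:off + n], "little")

def ntlm_field(raw, off):
    """Resolve an NTLM (Len, MaxLen, Offset) descriptor to its UTF-16LE payload."""
    start = le(raw, off + 4, 4)
    return raw[start:start + le(raw, off, 2)].decode("utf-16-le")

def decode_oid(content):
    """DER OID content bytes -> dotted decimal string."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def der_walk(data, ancestors=()):
    """Yield (ancestors, tag, content) for every DER element, depth first (single-byte tags only)."""
    pos = 0
    while pos + 2 <= len(data):
        tag, length, pos = data[pos], data[pos + 1], pos + 2
        if length & 0x80:                                       # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        content, pos = data[pos:pos + length], pos + length
        yield ancestors, tag, content
        if tag == 0x06 and content and "Kerberos" in OID_NAMES.get(decode_oid(content), ""):
            pos += 2 if data[pos:pos + 2] in KRB_TOKEN_IDS else 0  # the token id is not DER: step over it
        if tag & 0x20:                                          # constructed: descend
            yield from der_walk(content, ancestors + (tag,))
        elif tag == 0x04 and ancestors[-1:] == (0xA2,) and content[:1] == b"\x60" \
                and not any(t in KRB_APP_TAGS for t in ancestors):  # SPNEGO mechToken / responseToken
            yield from der_walk(content, ancestors + (tag,))

def parse_ntlm(raw):
    """Pull the diagnostic fields out of an NTLMSSP NEGOTIATE (1), CHALLENGE (2) or AUTHENTICATE (3) message."""
    info = {"kind": "NTLM", "message_type": le(raw, 8, 4)}
    if info["message_type"] == 2:
        info["target_name"], info["server_challenge"] = ntlm_field(raw, 12), raw[24:32].hex()
        pos, end, pairs = le(raw, 44, 4), le(raw, 44, 4) + le(raw, 40, 2), {}
        while pos + 4 <= end:                                   # AV_PAIR list, terminated by MsvAvEOL
            av_id, av_len = le(raw, pos, 2), le(raw, pos + 2, 2)
            if av_id == 0:
                break
            value = raw[pos + 4:pos + 4 + av_len]
            pairs[NTLM_AV.get(av_id, f"AvId{av_id}")] = value.decode("utf-16-le") if av_id in NTLM_AV else value.hex()
            pos += 4 + av_len
        info["target_info"] = pairs
    elif info["message_type"] == 3:
        info["domain"], info["user"], info["workstation"] = (ntlm_field(raw, o) for o in (28, 36, 44))
    return info

def inspect_negotiate(token_b64):
    """Classify one 'Negotiate <token>' header value and extract its diagnostic fields."""
    stripped = token_b64.strip().rstrip("=")                    # re-pad so a trimmed copy still decodes
    raw = base64.b64decode(stripped + "=" * (-len(stripped) % 4))
    if raw.startswith(NTLMSSP):                                 # bare NTLM, no SPNEGO wrapper
        return parse_ntlm(raw)
    info, strings = {"kind": "SPNEGO", "mechs": [], "krb_messages": [], "neg_state": None}, {}
    for anc, tag, content in der_walk(raw):
        if tag == 0x06 and content:
            info["mechs"].append(OID_NAMES.get(decode_oid(content), decode_oid(content)))
        elif tag in KRB_APP_TAGS and tag != 0x61:
            info["krb_messages"].append(KRB_APP_TAGS[tag])
        elif tag == 0x0A and anc[-1:] == (0xA0,):               # NegTokenResp negState
            info["neg_state"] = NEG_STATE.get(content[0], content[0])
        elif tag == 0x02 and anc[-3:] == (0x7E, 0x30, 0xA6):    # KRB-ERROR error-code [6]
            code = int.from_bytes(content, "big", signed=True)
            info["krb_error_code"], info["krb_error"] = code, KRB_ERRORS.get(code, str(code))
        elif tag == 0x1B and (0x61 in anc or 0x7E in anc):      # KerberosString: realm or sname part
            i = anc.index(0x61 if 0x61 in anc else 0x7E)        # key by (message, field number)
            strings.setdefault((KRB_APP_TAGS[anc[i]], anc[i + 2] & 0x1F), []).append(content.decode("ascii"))
    for msg, realm_no, sname_no, key in (("Ticket", 1, 2, "ticket"), ("KRB-ERROR", 9, 10, "error")):
        if (msg, sname_no) in strings:
            info[key + "_realm"] = strings.get((msg, realm_no), [""])[0]
            info[key + "_spn"] = "/".join(strings[(msg, sname_no)])
    return info

if __name__ == "__main__":
    for token in (AP_REQ_TOKEN, AP_REP_TOKEN, NTLM_CHALLENGE_TOKEN, KRB_ERROR_TOKEN):
        print(inspect_negotiate(token))
```

Run against the captures, it reports the DNS-name request under NETWORK_SERVICE as SPNEGO offering MS Kerberos, Kerberos and NTLMSSP and carrying a Kerberos AP-REQ with a ticket for HTTP/cs02app01.CS02.com in realm CS02.COM, and its 200 response as an AP-REP with negState accept-completed, so Kerberos worked end to end there. The IP-address exchange is bare NTLM: the CHALLENGE names the server CS02APP01 / cs02app01.CS02.com, which matches the note above that NTLM is what you get for an IP address. The 401 returned when the application pool runs as a domain user is the informative one: it is a KRB-ERROR with error-code 41, KRB_AP_ERR_MODIFIED, for host/cs02app01.cs02.com. That error means the service received a ticket it could not decrypt, which is what happens when the HTTP SPN for the host is registered to (or defaults to) the computer account while the worker process runs as a different domain account, so the KDC encrypts the ticket with a key the worker process does not hold. Seeing error-code 41 in the server's Negotiate response is what distinguishes an SPN/account mismatch from a plain NTLM fallback, and it is exactly the condition the SPN fix linked above addresses. The same inspector works on any Authorization or WWW-Authenticate Negotiate value pasted from a proxy log or a network capture.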