Claims with NTLM and authentication prompts
Investigating an ongoing problem where a Web Application configured with Claims Authentication (with NTLM) occasionally causes users to re-enter credentials through a pop-up dialog.
We have been looking into this issue for a long time with no clear-cut answer as to why it is happening, and, more confusingly, it only happens in our Live environment and not on our development or test servers. So we decided to set up a new environment (1 APP + 1 WFE) and configure it to run the same site collection, but this time configured to use Claims with Kerberos as the authentication method.
After carefully configuring everything (including SPNs), everything seemed to be running smoothly until it was unleashed on our tester. Within the first hour he was presented with a login prompt, so I had a close look at the ULS logs and found a few unexpected error entries in the Claims Authentication category:
09/20/2011 15:11:25.20 w3wp.exe (0x03E0) 0x1ABC SharePoint Foundation Claims Authentication bz7l Medium SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName='xxxxxx\xxxxxx', UPN='xxxxxx'. UPN is required when Kerberos constrained delegation is used.
09/20/2011 15:11:25.20 w3wp.exe (0x03E0) 0x1ABC SharePoint Foundation Claims Authentication g220 Unexpected No windows identity for xxxxxx\xxxxxx. 4638f7f1-4ba3-4c6c-a2fe-eae90f64a26b
With a bit more digging I found that my Claims to Windows Token Service was not running. When I started it the problem did not happen again.
So I had a dig around the ULS logs on our Live servers with a filter on the Category 'Claims Authentication', and I started seeing lots of the 2nd message (always in pairs) every second. So my theory is that when we get a lot of these messages, or maybe a 'storm' of them for one user, that is when the user gets an authentication prompt.
Investigation continues...
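To test the 'storm' theory against exported ULS logs rather than by eye, here is an added example (my own, not part of the original post) that applies the same filter, Category 'Claims Authentication', event g220, and counts the "No windows identity" messages per user per second. The sample lines are constructed, modelled on the two entries quoted above, and the threshold of 4 per second is an assumption, since the post only says the messages normally arrive in pairs.

```python
import re
from collections import Counter

# ULS trace layout as shown in the post: timestamp, process (pid), thread id,
# area, category, event id, level, message. Tabs or spaces separate the fields.
ULS_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\.\d+\s+"
    r"(?P<proc>\S+ \(0x[0-9A-Fa-f]+\))\s+(?P<tid>0x[0-9A-Fa-f]+)\s+"
    r"(?P<area>.+?)\s+Claims Authentication\s+"
    r"(?P<event>\S+)\s+(?P<level>\S+)\s+(?P<message>.*)$"
)
# The 2nd message from the post: "No windows identity for DOMAIN\user. <correlation id>"
NO_IDENTITY_RE = re.compile(r"No windows identity for (?P<user>\S+?)\.(?:\s|$)")


def parse_claims_line(line):
    """Return the fields of a 'Claims Authentication' ULS line, or None for any other line."""
    m = ULS_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def g220_counts(lines):
    """Count g220 'No windows identity' events per (user, second)."""
    counts = Counter()
    for line in lines:
        rec = parse_claims_line(line)
        if rec is None or rec["event"] != "g220":
            continue
        um = NO_IDENTITY_RE.search(rec["message"])
        if um:
            counts[(um.group("user").lower(), rec["ts"])] += 1
    return counts


def find_storms(lines, threshold=4):
    """Flag (user, second, count) at or above threshold; the default of 4 is an assumption,
    the post only reports a baseline of pairs per second, so tune it against your own logs."""
    return sorted((u, t, n) for (u, t), n in g220_counts(lines).items() if n >= threshold)


def _g220(ts, user, corr="4638f7f1-4ba3-4c6c-a2fe-eae90f64a26b"):
    """Build a constructed g220 line in the same layout as the post's entry."""
    return (f"{ts} w3wp.exe (0x03E0) 0x1ABC SharePoint Foundation Claims Authentication "
            f"g220 Unexpected No windows identity for {user}. {corr}")


SAMPLE_ULS = (  # constructed sample: a normal pair for bob, a storm of six for alice
    [_g220("09/20/2011 15:11:25.20", r"CONTOSO\bob")] * 2
    + [_g220("09/20/2011 15:11:26.01", r"CONTOSO\alice")] * 6
    + ["09/20/2011 15:11:27.00 w3wp.exe (0x03E0) 0x1ABC SharePoint Foundation Topology "
       "abcd Medium unrelated entry, ignored by the category filter"]
)

if __name__ == "__main__":
    for user, second, n in find_storms(SAMPLE_ULS):
        print(f"{second}: {n} x g220 for {user}")
```

Point it at a real ULS file with `find_storms(open(path, encoding="utf-16"))` or similar, then compare the flagged users and seconds with the times people report the prompt.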
So we have started the Claims to Windows Token Service on all of our WFEs and APP servers in the production environment. So far no major reports of login prompts; however, the users are generally used to it, so they may not be reporting it...