Question

I'm developing an ASP.NET application for an intranet site that is using Windows/NTLM/WIA/whatever authentication. The application is hosted on a Windows 2k8 server but is accessed through a Reverse Proxy using IIS7 on another 2k8 machine.

Authentication works fine in Firefox, Chrome and Safari but fails in IE8. If I circumvent the Proxy and access the application server directly then it works fine, so it has something to do with the proxy.

There's nothing in the Event Viewer on any of the 3 machines to indicate what might be happening.

If you connect using IE8 it prompts for your credentials instead of automatically passing them. Yes, I've set up an explicit trust over and above the domain trust, but it still errors out with a 401 error returned from the proxy.

Any ideas where to start troubleshooting this?

Solution

Turns out that IIS 7 reverse proxies do not support Kerberos Authentication, so you have to disable it on your backend servers so they use NTLM.

Unfortunately, on 2k8 there's no easy way to do this; you have to mess around with the registry. In 2k8 R2, however, there are GUI options in IIS 7 for managing Authentication Providers.

OTHER TIPS

Running Fiddler on the client machine would be the place to start, to see how the auth headers coming back from the proxy differ from those with the direct connection.

You'll want to check whether, in the situations where it's working, NTLMv1, NTLMv2 or Kerberos is in use. IE8 on Win7 blocks NTLMv1 by default now, which might relate to the problem?
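
As an added example (not part of the original answers), this Python helper classifies the token from a `WWW-Authenticate` or `Authorization` header copied out of a Fiddler capture, so the proxied and direct sessions can be compared. The function names are hypothetical, the sample tokens are constructed, and the NTLMv1/NTLMv2 call is a heuristic based on the NT response length in the type 3 message.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs found in GSS-API/SPNEGO tokens
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2

def describe_ntlm(msg):
    """Label an NTLMSSP message; for type 3, infer v1/v2 from the NT response size."""
    if len(msg) < 12:
        return "NTLM, truncated message"
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type == 1:
        return "NTLM NEGOTIATE (type 1)"
    if msg_type == 2:
        return "NTLM CHALLENGE (type 2)"
    if msg_type == 3 and len(msg) >= 22:
        (nt_len,) = struct.unpack_from("<H", msg, 20)  # NtChallengeResponse length
        kind = "NTLMv2" if nt_len > 24 else "NTLMv1-sized" if nt_len == 24 else "no NT"
        return "NTLM AUTHENTICATE (type 3), %s response" % kind
    return "NTLM, unknown message type"

def classify(header_value):
    """Classify the value of a WWW-Authenticate or Authorization header."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other scheme: " + scheme
    if not blob.strip():
        return scheme + " offer (no token)"
    token = base64.b64decode(blob.strip())
    idx = token.find(NTLM_SIG)
    if idx >= 0:  # raw NTLM at offset 0, otherwise NTLM carried inside SPNEGO
        return ("SPNEGO-wrapped " if idx else "") + describe_ntlm(token[idx:])
    if token[:1] == b"\x60" and (OID_KRB5 in token or OID_MS_KRB5 in token):
        return "Kerberos"
    return "unrecognised token"

# Constructed sample tokens (leading bytes only, not real captures).
TYPE1 = NTLM_SIG + struct.pack("<II", 1, 0xB207)
TYPE3_V2 = NTLM_SIG + struct.pack("<IHHIHHI", 3, 24, 24, 64, 284, 284, 88)
KRB = b"\x60\x82\x05\x00\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x30" + OID_MS_KRB5 + OID_KRB5

if __name__ == "__main__":
    for scheme, tok in (("NTLM", TYPE1), ("NTLM", TYPE3_V2), ("Negotiate", KRB)):
        print(classify(scheme + " " + base64.b64encode(tok).decode()))
```

Run `classify()` on the headers from both the proxied and the direct session: a `Kerberos` result on the direct path and a failing exchange through the proxy matches the behaviour described in the accepted solution.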

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow