Comments on: NTLM Authentication using IIS, ISAPI-WSGI and cherrypy http://ramblings.timgolden.me.uk/2009/05/30/ntlm-authentication-using-iis-isapi-wsgi-and-cherrypy/ The ramblings of Tim Golden Fri, 10 Feb 2012 06:37:25 +0000 http://wordpress.org/?v=2.2 By: Preston Landers http://ramblings.timgolden.me.uk/2009/05/30/ntlm-authentication-using-iis-isapi-wsgi-and-cherrypy/#comment-1112 Preston Landers Sun, 15 May 2011 19:44:36 +0000 http://ramblings.timgolden.me.uk/2009/05/30/ntlm-authentication-using-iis-isapi-wsgi-and-cherrypy/#comment-1112 Very helpful article, thanks for posting! Very helpful article, thanks for posting!

]]> By: hsimah http://ramblings.timgolden.me.uk/2009/05/30/ntlm-authentication-using-iis-isapi-wsgi-and-cherrypy/#comment-1032 hsimah Thu, 05 Nov 2009 04:16:47 +0000 http://ramblings.timgolden.me.uk/2009/05/30/ntlm-authentication-using-iis-isapi-wsgi-and-cherrypy/#comment-1032 How did you manage to get Cherrpy to run with IIS? I am by no means qualified with IIS and I am stumped as to how to get my application to run! How did you manage to get Cherrpy to run with IIS? I am by no means qualified with IIS and I am stumped as to how to get my application to run!

]]> By: tim http://ramblings.timgolden.me.uk/2009/05/30/ntlm-authentication-using-iis-isapi-wsgi-and-cherrypy/#comment-987 tim Sat, 30 May 2009 13:02:02 +0000 http://ramblings.timgolden.me.uk/2009/05/30/ntlm-authentication-using-iis-isapi-wsgi-and-cherrypy/#comment-987 Very useful indeed, Alex. Thanks very much. Very useful indeed, Alex. Thanks very much.

]]> By: moreati http://ramblings.timgolden.me.uk/2009/05/30/ntlm-authentication-using-iis-isapi-wsgi-and-cherrypy/#comment-986 moreati Sat, 30 May 2009 12:30:21 +0000 http://ramblings.timgolden.me.uk/2009/05/30/ntlm-authentication-using-iis-isapi-wsgi-and-cherrypy/#comment-986 A few brief notes: * There are 2 different integrated authentication mechnisms: kerberos and NTLM. * IIS/browser try Kerberos, and then fallback to ntlm * For firefox network.negotiate-auth.trusted-uris is needed for Kerberos, network.automatic-ntlm-auth.trusted-uris for NTLM. Set both. * Integrated auth is very sensitive to the host part of the URL, using an IP address, host name, host alias and fully qualified domain can produce different results. * IE only does integrated auth in the Intranet Zone, if your url is launched from a shortcut then IE may mis-detect the zone and present a login dialog. Adding the host explicitly to Intranet Zone should fix this. * Firebug and Fiddler are very, very useful * Be sure to enable KerberosAuthPersist on the server if you're using Kerberos http://support.microsoft.com/default.aspx/kb/917557 * Either way keep your 401 page simple, you'll be delivering it a lot. * There is an ASP.NET application (other than AuthDiag) that is useful for diagnosing authentication/delegation issues, but it's name escapes me. Alex A few brief notes:
* There are 2 different integrated authentication mechnisms: kerberos and NTLM.
* IIS/browser try Kerberos, and then fallback to ntlm
* For firefox network.negotiate-auth.trusted-uris is needed for Kerberos, network.automatic-ntlm-auth.trusted-uris for NTLM. Set both.
* Integrated auth is very sensitive to the host part of the URL, using an IP address, host name, host alias and fully qualified domain can produce different results.
* IE only does integrated auth in the Intranet Zone, if your url is launched from a shortcut then IE may mis-detect the zone and present a login dialog. Adding the host explicitly to Intranet Zone should fix this.
* Firebug and Fiddler are very, very useful
* Be sure to enable KerberosAuthPersist on the server if you’re using Kerberos http://support.microsoft.com/default.aspx/kb/917557
* Either way keep your 401 page simple, you’ll be delivering it a lot.
* There is an ASP.NET application (other than AuthDiag) that is useful for diagnosing authentication/delegation issues, but it’s name escapes me.

Alex

]]>