Jason Viers
2007-07-27 17:27:39 UTC
I have set up three Windows 2003 machines in a separate network.
"idemo53" is the domain controller, "idemo51" and "idemo52" are members
of the domain.
At first, when doing a kerberos authenticated IIS request from idemo52
to a virtual dir on idemo53, it would fail with the kerberos error
"Message Stream Modified" (41). Lots of poking around yielded no
solution, but a restart of idemo53 ended up clearing up the problem.
Now I'm attempting to do a kerberos'd winhttp request from an ISAPI
extension that has been authenticated via kerberos. I initiate the
request from idemo51, to the ISAPI extension on idemo52, which then
makes a WinHttp request to idemo53.
The "51 browser"->"52 isapi" authentication happens fine, and I can see
the "52 winhttp"->"53 iis" request using kerberos authentication, but it
again fails with "message stream modified", which makes
WinHttpReceiveRequest fail with ERROR_WINHTTP_LOGIN_FAILURE. This time
restarting didn't help anything.
I can do 51->53 and 52->53 requests to the virtual directory just fine,
and packet sniffing shows that proper kerberos exchanges are taking place.
------------------------------
Googling for the error indicates that it usually appears with data
corruption, specifically between DCs. I only have one DC in this case,
so I know that's not the problem. I know data on the DC isn't corrupt
as direct requests work fine.
Any idea what could be causing this, or how to solve it?
Thanks
Jason
"idemo53" is the domain controller, "idemo51" and "idemo52" are members
of the domain.
At first, when doing a kerberos authenticated IIS request from idemo52
to a virtual dir on idemo53, it would fail with the kerberos error
"Message Stream Modified" (41). Lots of poking around yielded no
solution, but a restart of idemo53 ended up clearing up the problem.
Now I'm attempting to do a kerberos'd winhttp request from an ISAPI
extension that has been authenticated via kerberos. I initiate the
request from idemo51, to the ISAPI extension on idemo52, which then
makes a WinHttp request to idemo53.
The "51 browser"->"52 isapi" authentication happens fine, and I can see
the "52 winhttp"->"53 iis" request using kerberos authentication, but it
again fails with "message stream modified", which makes
WinHttpReceiveRequest fail with ERROR_WINHTTP_LOGIN_FAILURE. This time
restarting didn't help anything.
I can do 51->53 and 52->53 requests to the virtual directory just fine,
and packet sniffing shows that proper kerberos exchanges are taking place.
------------------------------
Googling for the error indicates that it usually appears with data
corruption, specifically between DCs. I only have one DC in this case,
so I know that's not the problem. I know data on the DC isn't corrupt
as direct requests work fine.
Any idea what could be causing this, or how to solve it?
Thanks
Jason