Why would WinInet fail to authenticate automatically via Negotiate when connecting by FQDN, but succeed if connecting by IP?

Question

Having a strange issue where WinInet is failing to authenticate using users current credentials if I connect to an internal service by name, but not if I connect by IP.

In one of our environments, which sits in its own domain, DOM1, our client can connect to our WCF services using the name of the server, ie http://machine_name:port/service.

In another environment, in domain DOM2, the client can authenticate automatically using http://sss.xxx.yyy.zzz:port/service, but if we configure the client to connect using the machine name, it connects, but fails to authenticate using integrated security. We end up having to fall back on basic, which we want to avoid.

That said, we could switch to using IP numbers to connect, but it doesn’t make any sense to me.

You could analyze the network traffic. – Simon Mourier Oct 16 '18 at 17:29 — Simon Mourier, Oct 16 '18 at 17:29

score 0 · Answer 1 · answered Oct 19 '18 at 11:42

0

Seems that your DNS is not resolving your server url to the same IP as the NetBIOS name.

Maybe you get an external IP? Investigate your network traffic and trace the steps. Also looking into NetBIOS might help understanding the problem and where to start looking for problems:

https://www.techrepublic.com/article/how-netbios-name-resolution-really-works/

answered Oct 19 '18 at 11:42

jaaq

1,188
11
29

I don't think this is the issue. The IP address is resolved correctly. I know that because when authentication via "Negotiate" fails, our app falls back on basic auth using the same URL, and is able to connect. – bpeikes Oct 22 '18 at 01:18
That you found the server doesn't necessarily mean that you've accessed it with the same IP address. Since DNS and NetBIOS yield different results the adresses they resolve to are the first place to check imho. On the other hand if authentication via URL works why not just use that? – jaaq Oct 22 '18 at 09:23
The issue is that authentication via Negotiate does not work if you use the name of the server, but basic does, using the same URL, which means that the name does indeed resolve to the right IP number. As noted, WinInet is able to connect using either name or IP, but for some reason, WinInet is not able to authenticate using "Negotiate" when using the name. – bpeikes Oct 22 '18 at 17:37

Why would WinInet fail to authenticate automatically via Negotiate when connecting by FQDN, but succeed if connecting by IP?

1 Answers1