
IIS does not accept the Kerberos token twice


Hi,

I am using a REST web service in IIS7 with "Windows Authentication - Negotiate" enabled.

The REST client (which is a Java Spring-based web application running in a Tomcat container) sends the request to IIS7 with a base64-encoded Kerberos token in the "Authorization: Negotiate" header. Each REST call from the client web app is independent, which means each call creates a new session with the IIS REST web service. However, the token created to make the REST call is cached for a certain period and is used across REST calls.

The issue is, IIS accepts the token from the first request (REST call) successfully. But the subsequent requests are rejected with error 401. Caching the token on the client side is being done for performance reasons. So I want to repeat the same Kerberos token for subsequent REST calls from the client after the first call was authenticated by IIS.

I have tried using the authPersistNonNTLM:true setting for IIS7 but it does not work. The reason must be because the client creates a new session for each REST call.

I am suspecting the reason IIS may be rejecting the token is because Kerberos token 'replay detection' is enabled (because this is the error I got while using an SSPI-based solution, not using the Integrated Windows Authentication feature of IIS).

My questions are:

1. Is there any way IIS can be configured to accept the same token multiple times? (Please note - I am aware of the security issues related to this)

2. If #1 is not possible, is there any way for me to intercept the request in an HTTP handler or module (or anything else) defined in my REST web service before the request is rejected by IIS? (Please note - looking for some .NET solution)

Thanks!
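
The replay detection the post suspects, shown as an added simplified model (not code from the original post, and not IIS or SSPI internals): under RFC 4120 an acceptor remembers each authenticator it has seen inside the clock-skew window and rejects a repeat, so a client can keep reusing its cached service ticket but needs a fresh authenticator, and therefore a fresh token, for every request. The class names, the principal and the timestamps are constructed for illustration.

```python
import time
from dataclasses import dataclass

CLOCK_SKEW = 300  # seconds; the common 5-minute Kerberos tolerance

@dataclass(frozen=True)
class Authenticator:
    """The AP-REQ fields that make one use of a ticket unique (simplified)."""
    client: str  # client principal
    ctime: int   # client timestamp, seconds
    cusec: int   # microsecond part of the timestamp

class ClientTicketCache:
    """Client side: the service ticket is cached, the authenticator is not."""
    def __init__(self, client):
        self.client = client
        self._last_us = 0

    def new_authenticator(self, now=None):
        us = int((time.time() if now is None else now) * 1_000_000)
        us = max(us, self._last_us + 1)  # never emit the same timestamp twice
        self._last_us = us
        return Authenticator(self.client, us // 1_000_000, us % 1_000_000)

class ReplayCache:
    """Acceptor side: remembers authenticators until they age out."""
    def __init__(self):
        self._seen = {}  # Authenticator -> time after which it is stale anyway

    def accept(self, auth, now=None):
        now = time.time() if now is None else now
        self._seen = {a: t for a, t in self._seen.items() if t >= now}
        if abs(now - auth.ctime) > CLOCK_SKEW:
            return "KRB_AP_ERR_SKEW"    # too old or too new to be checked
        if auth in self._seen:
            return "KRB_AP_ERR_REPEAT"  # same authenticator presented again
        self._seen[auth] = auth.ctime + CLOCK_SKEW
        return "OK"

if __name__ == "__main__":
    client, server = ClientTicketCache("alice@EXAMPLE.TEST"), ReplayCache()
    cached_token = client.new_authenticator()
    print(server.accept(cached_token))                # OK
    print(server.accept(cached_token))                # KRB_AP_ERR_REPEAT
    print(server.accept(client.new_authenticator()))  # OK
```

In a Java client this corresponds to caching the credentials and creating a new security context per call, rather than storing the base64 token string.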

