
Users receiving others' credentials with Integrated Windows Authentication


Hello,

I'm experiencing a very puzzling issue with Integrated Windows Authentication. It appears that if two users access the site at around the same time, it becomes possible for the second user to get the first user's credentials. Additionally, I've set up a dummy process that runs every few seconds and attempts to download the page with no credentials. 95% of the time it gets access denied, but if it hits within 3 or 4 seconds of another request, it comes back OK and with the access credentials of that user.

I've ruled out a caching issue by including a sequence value with the requests that is returned in the responses. The responses that come from the dummy process contain their own sequence number embedded with another user's credentials.

At first I thought this was purely a code error somehow, but it appears that IIS isn't even trying to negotiate authentication with the dummy process when it gives it its credentials (that is, no 401 exchange using the WWW-Authenticate header at all!). All of the users come through a transparent proxy, so they all show up at the machine with the same IP address. Is it possible IIS Windows authentication is holding on to the IP and port and assuming reused ports are authenticated? The proxy is transparent and doesn't add or remove any of the headers. I've disabled the integrated Negotiate provider, so this is only using NTLM.

Here's a simple WCF service that I've verified exhibits the same problem: (sorry if this is out of the scope of this forum)

using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Channels;
using System.ServiceModel.Web;
using System.Text;
using System.Threading;

[ServiceContract]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall, ConcurrencyMode = ConcurrencyMode.Single)]
public class Service
{
    // GET GetUser?seq=N answers "<identity>; N" as text/plain, so the caller can
    // tell a fresh response from a cached one by the echoed sequence number.
    [OperationContract]
    [WebGet(UriTemplate = "GetUser?seq={sequence}", BodyStyle = WebMessageBodyStyle.Bare)]
    public Message GetUser(string sequence)
    {
        // Name of the Windows identity the request was authenticated as.
        // Also tried OperationContext.Current.ServiceSecurityContext.WindowsIdentity, same result
        string value = Thread.CurrentPrincipal.Identity.Name;
        if (sequence != null)
        {
            value += "; " + sequence;
        }
        return WebOperationContext.Current.CreateTextResponse(value, "text/plain", Encoding.Default);
    }
}
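A probe harness for the test described in the post, added here as an example; it is not the poster's code. It issues credential-less GetUser?seq=N requests and applies the checks the post relies on: a 401 carrying WWW-Authenticate is the correct answer, a 200 that echoes our own sequence number and names a user is a leaked identity, and a reply whose sequence number does not match is a cached page rather than an authentication problem. The `LeakyEndpointModel`, the proxy address 10.0.0.5, the ports, the user `CORP\alice` and the four-second window are constructed so the probe can run offline; the model encodes the poster's ip:port-reuse hypothesis and is not verified IIS behaviour. `urllib_sender` is the hook for pointing the same probe at a real endpoint.

```python
"""Probe harness for the symptom described in the post: an anonymous GET to
GetUser?seq=N that comes back 200 carrying another user's identity, with no
401 / WWW-Authenticate exchange first.  Added example; not the poster's code."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str            # the service returns "DOMAIN\\user; <seq>" as text/plain


@dataclass
class Finding:
    seq: int
    verdict: str         # "challenged", "denied-no-challenge", "stale", "leak", "anonymous"
    identity: str = ""


def classify(seq: int, resp: Response) -> Finding:
    """Apply the post's checks to one anonymous request.

    An NTLM-only endpoint must answer anonymous requests with 401 plus a
    WWW-Authenticate header.  A 200 whose echoed sequence matches ours and
    whose body names a user is a leaked identity; a mismatched sequence is a
    cached reply (the case the poster ruled out), not an auth problem."""
    hdrs = {k.lower(): v for k, v in resp.headers.items()}
    if resp.status == 401:
        return Finding(seq, "challenged" if "www-authenticate" in hdrs
                       else "denied-no-challenge")
    identity, _, echoed = resp.body.partition("; ")
    identity = identity.strip()
    if echoed.strip() != str(seq):
        return Finding(seq, "stale", identity)
    if resp.status == 200 and identity:
        return Finding(seq, "leak", identity)
    return Finding(seq, "anonymous", identity)


def probe(send: Callable[[int], Response], seqs: Iterable[int]) -> List[Finding]:
    """Send one anonymous request per sequence number; return only the leaks."""
    return [f for f in (classify(s, send(s)) for s in seqs) if f.verdict == "leak"]


def urllib_sender(base_url: str) -> Callable[[int], Response]:
    """Sender for a real endpoint (base_url is whatever path the .svc is mapped to).
    It sends no credentials, so every reply should be a 401 challenge."""
    import urllib.error
    import urllib.request

    def send(seq: int) -> Response:
        req = urllib.request.Request(f"{base_url}/GetUser?seq={seq}")
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                return Response(r.status, dict(r.headers.items()),
                                r.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as e:
            return Response(e.code, dict(e.headers.items()),
                            e.read().decode("utf-8", "replace"))
    return send


class LeakyEndpointModel:
    """Constructed stand-in for the server, used only to exercise the probe
    offline.  It encodes the poster's hypothesis (authentication remembered per
    client ip:port for a few seconds), which is NOT verified IIS behaviour."""

    def __init__(self, window_s: float) -> None:
        self.window_s = window_s
        self.seen: Dict[tuple, tuple] = {}      # (ip, port) -> (identity, time)

    def request(self, now: float, ip: str, port: int, seq: int,
                credentials: str = "") -> Response:
        key = (ip, port)
        if credentials:                          # a real user completes NTLM
            self.seen[key] = (credentials, now)
            return Response(200, {}, f"{credentials}; {seq}")
        cached = self.seen.get(key)
        if cached and now - cached[1] <= self.window_s:
            return Response(200, {}, f"{cached[0]}; {seq}")   # the symptom: no challenge
        return Response(401, {"WWW-Authenticate": "NTLM"}, "")


def demo() -> List[Finding]:
    """Replay the scenario from the post against the constructed model.
    All hosts, ports, user names and timings are made up for the demo."""
    srv = LeakyEndpointModel(window_s=4.0)
    proxy_ip = "10.0.0.5"                        # transparent proxy: one source IP
    srv.request(now=0.0, ip=proxy_ip, port=50000, seq=1, credentials="CORP\\alice")

    def anon_at(now: float, port: int) -> Callable[[int], Response]:
        return lambda seq: srv.request(now=now, ip=proxy_ip, port=port, seq=seq)

    leaks = probe(anon_at(2.0, 50000), [2])      # port reused inside window: leak
    leaks += probe(anon_at(9.0, 50000), [3])     # window expired: 401 as expected
    leaks += probe(anon_at(2.5, 50001), [4])     # different port: 401 as expected
    return leaks


if __name__ == "__main__":
    for f in demo():
        print(f"seq={f.seq}: got identity {f.identity!r} without a challenge")
```

Against a live server, replace `anon_at(...)` with `urllib_sender("http://host/path")` and feed `probe` a long `range(...)` run from a scheduled loop; any `leak` finding is the post's symptom reproduced, while `stale` findings point at a cache in front of the service rather than at authentication.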

