IIS Integrated Authentication - Confuses users

Adam French 1 Reputation point
2023-03-14T10:37:46.95+00:00

I have a very odd issue where we have an IIS web server with integrated authentication turned on and PHP installed, and if 2 users hit the server within 20 seconds of each other, sometimes the 2nd user gets logged in as the first user.

I should point out that we pick up the authenticated user using the $_SERVER['PHP_AUTH_USER'] variable.

I've checked the security audit on the machine running IIS, and I can see that the 2 users hit the logs, and the first user generates 2 logs, but the 2nd user only generates one log.

This is the security audit of the 1st user, and both events for this user are exactly the same.

I have blanked out the TargetUserSid and modified the values of the TargetUserName, TargetDomain and WorkstationName, but everything else is as it was.

- EventData
  SubjectUserSid S-1-0-0
  SubjectUserName - 
  SubjectDomainName - 
  SubjectLogonId 0x0 
  TargetUserSid S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-29737 
  TargetUserName user1
  TargetDomainName MYDOMAIN
  TargetLogonId 0x16e5e071 
  LogonType 3 
  LogonProcessName NtLmSsp  
  AuthenticationPackageName NTLM 
  WorkstationName Machine1
  LogonGuid {00000000-0000-0000-0000-000000000000} 
  TransmittedServices - 
  LmPackageName NTLM V2 
  KeyLength 0 
  ProcessId 0x0 
  ProcessName - 
  IpAddress - 
  IpPort - 
  ImpersonationLevel %%1833

Then for the 2nd user, which was only 20 seconds later:

- EventData
  SubjectUserSid S-1-0-0
  SubjectUserName - 
  SubjectDomainName - 
  SubjectLogonId 0x0 
  TargetUserSid S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-3185 
  TargetUserName user2
  TargetDomainName MYDOMAIN
  TargetLogonId 0x16e5ea77 
  LogonType 3 
  LogonProcessName NtLmSsp  
  AuthenticationPackageName NTLM 
  WorkstationName Machine2
  LogonGuid {00000000-0000-0000-0000-000000000000} 
  TransmittedServices - 
  LmPackageName NTLM V2 
  KeyLength 128 
  ProcessId 0x0 
  ProcessName - 
  IpAddress - 
  IpPort - 
  ImpersonationLevel %%1833

The only difference I can see is that the 2nd user only has 1 log instead of 2, and the log for the 2nd user has a KeyLength specified, when the 1st user doesn't.

I've checked all the other events and every user generates 2 events at the exact same time and has KeyLengths of 0, so I think this is what might be causing it, but does anyone have any idea why?

Windows Server
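
The comparison the question makes by eye (logon events per user and the KeyLength on each), as an added example that is not part of the original post. It parses EventData text in the layout pasted above and lists users who differ from the two-event, KeyLength 0 pattern the poster reports for every other user; the function names and the trimmed sample are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample, fields trimmed; the first field may share the EventData line.
SAMPLE = """\
- EventData   SubjectUserSid S-1-0-0
  TargetUserName user1
  AuthenticationPackageName NTLM
  WorkstationName Machine1
  KeyLength 0
- EventData   SubjectUserSid S-1-0-0
  TargetUserName user1
  AuthenticationPackageName NTLM
  WorkstationName Machine1
  KeyLength 0
- EventData   SubjectUserSid S-1-0-0
  TargetUserName user2
  AuthenticationPackageName NTLM
  WorkstationName Machine2
  KeyLength 128
"""

def parse_events(text):
    """Split pasted EventData text into one dict of field -> value per event."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("- EventData"):
            events.append({})
            line = line[len("- EventData"):].strip()
        parts = line.split(None, 1)
        if events and parts:
            events[-1][parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return events

def summarize(events):
    """Per user: number of logon events and the KeyLength values seen."""
    summary = defaultdict(lambda: {"events": 0, "key_lengths": set()})
    for ev in events:
        entry = summary[ev.get("TargetUserName", "?")]
        entry["events"] += 1
        entry["key_lengths"].add(int(ev.get("KeyLength", "0")))
    return dict(summary)

def outliers(summary, expected_events=2, expected_key_length=0):
    """Users deviating from the pattern the poster reports as normal here."""
    return sorted(u for u, s in summary.items() if s["events"] != expected_events
                  or s["key_lengths"] != {expected_key_length})

if __name__ == "__main__":
    print(outliers(summarize(parse_events(SAMPLE))))
```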

1 answer

  1. Limitless Technology 43,931 Reputation points
    2023-03-15T15:57:50.3266667+00:00

    Hello there,

    You can try using the server authentication method to isolate the issue and prevent this from happening.

    IIS 7 supports Anonymous authentication, Basic authentication, Client Certificate Mapping authentication, Digest authentication, IIS Client Certificate Mapping authentication, and Windows authentication. Additional authentication modes can be provided by third-party authentication modules.

    In IIS (website props):

    Uncheck "Anonymous access"

    Check "Integrated Windows authentication" and "Basic authentication"

    https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--
