Channel: Internet Explorer Web Development forum

IE falls back to NTLM after successful Kerberos login times out


Hi there.

We have a setup where a Web Application Firewall (WAF) is being used in front of the Web Application. We set up Kerberos Authentication and this works nicely. We connect, get a 401 to the Auth Page of the WAF, the client gets a Kerberos Ticket and sends that to the WAF (SPNEGO with Kerberos to be specific). User gets authenticated and can use the Web App.

Now the problem we see is when the session times out on the WAF. Then the WAF will send a 302 to the Auth Page and then a 401 from the Auth Page. Then the browser should resend the Kerberos ticket and the WAF would reauthenticate and let the user pass. This works fine with Chrome, Firefox, even Safari, but not with IE.

When tracing the connection I see the following:

IE accesses the site after successfully authenticating via Kerberos the first time. Then we wait for the timeout to pass. Then we try to click any link on the Web App. The browser gets a 302 to the Auth Page. The browser then does a GET on this Auth Page but already sends the Kerberos ticket (Auth Cookie). The Auth Part of the WAF then sends a 401 back to the browser. I assume here that IE thinks that Kerberos didn't work (as it already sent the Auth Cookie to the Auth Page BEFORE getting the 401) and falls back to NTLM. The user gets a prompt. As we only have Kerberos enabled for this app it won't work. Canceling the NTLM popup and hitting reload will have IE re-GET the Auth Page with the Auth Cookie and then it works.

I'm a bit confused as to why IE sends the Auth Cookie already to the 302 to the Auth Page. It doesn't know that the session has expired (we lowered it to 30s on our testing setup just to be able to debug easier). 

Did IE save the Auth Page URL the first time when he authenticated and tries to be clever once he gets redirected? It's not that IE sends the Auth Cookie with any other GET requests.

Shouldn't IE also only send the Auth Cookie after receiving the 401 with the WWW-Authenticate: Negotiate header? (We only have Negotiate in it. No NTLM offering).

Can we get IE somehow to follow the flow as we would think it should? Or am I missing something and IE is correct?

The WAF vendor is also a bit puzzled (currently on 2nd level support) on IE's behavior.

Any ideas on this? Want/Need more info? Headers? Anything?

Regards,

Marc
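The exchange the post expects (302 to the auth page, 401 with `WWW-Authenticate: Negotiate`, ticket re-presented, session re-issued), as an added Python simulation that is not part of the original post and is neither the WAF vendor's code nor IE's logic. The paths `/app` and `/auth`, the cookie name `WAFSESSION`, the `krb5-ticket:N` token format and the injectable clock are all assumptions made for the example; the 30 s session lifetime is the test value mentioned in the post.

```python
# Constructed simulation of the WAF / browser exchange described in the post.
# Not the WAF vendor's code and not IE's logic; paths, cookie name and the
# ticket format are assumptions made for this example.

AUTH_PATH = "/auth"
APP_PATH = "/app"
SESSION_TTL = 30  # seconds; the post mentions lowering the WAF timeout to 30 s for testing


class Waf:
    """Session-cookie gate in front of the app, plus an auth endpoint that
    offers Negotiate only (no NTLM), as the post describes."""

    def __init__(self, now):
        self.now = now            # injectable clock so the timeout can be simulated
        self.sessions = {}        # session id -> expiry time
        self.seen_tokens = set()  # each ticket is accepted once (replay guard)

    def handle(self, path, headers, cookies):
        """Return (status, response headers, body) for one request."""
        if path == APP_PATH:
            sid = cookies.get("WAFSESSION")
            if sid in self.sessions and self.sessions[sid] > self.now():
                return 200, {}, "app content"
            # No session, or an expired one: redirect to the auth page.
            return 302, {"Location": AUTH_PATH}, ""
        if path == AUTH_PATH:
            auth = headers.get("Authorization", "")
            if auth.startswith("Negotiate ") and self._accept(auth[len("Negotiate "):]):
                sid = "sess-%d" % (len(self.sessions) + 1)
                self.sessions[sid] = self.now() + SESSION_TTL
                return 302, {"Location": APP_PATH, "Set-Cookie": "WAFSESSION=" + sid}, ""
            # Challenge. Only Negotiate is listed, so a client has nothing else to try here.
            return 401, {"WWW-Authenticate": "Negotiate"}, ""
        return 404, {}, ""

    def _accept(self, token):
        # Constructed stand-in for SPNEGO/Kerberos validation: well-formed and not replayed.
        if not token.startswith("krb5-ticket:") or token in self.seen_tokens:
            return False
        self.seen_tokens.add(token)
        return True


class Browser:
    """Client following the flow the post expects: Authorization is attached
    only in response to a 401 whose WWW-Authenticate lists Negotiate, it is
    never carried across a redirect, and a scheme the server did not offer
    is never attempted."""

    def __init__(self, waf):
        self.waf = waf
        self.cookies = {}
        self.tickets_issued = 0
        self.trace = []  # (path, Authorization sent?, status) per request

    def _fresh_ticket(self):
        self.tickets_issued += 1
        return "krb5-ticket:%d" % self.tickets_issued  # constructed; a real client asks the KDC

    def get(self, path, max_hops=8):
        headers = {}
        challenged = False
        for _ in range(max_hops):
            status, resp, body = self.waf.handle(path, headers, self.cookies)
            self.trace.append((path, "Authorization" in headers, status))
            if "Set-Cookie" in resp:
                name, value = resp["Set-Cookie"].split("=", 1)
                self.cookies[name] = value
            if status == 302:
                path, headers = resp["Location"], {}  # drop Authorization on redirect
                continue
            if status == 401:
                schemes = [s.strip().split(" ")[0] for s in resp.get("WWW-Authenticate", "").split(",")]
                if "Negotiate" in schemes and not challenged:
                    challenged = True
                    headers = {"Authorization": "Negotiate " + self._fresh_ticket()}
                    continue
            return status, body
        raise RuntimeError("redirect/challenge loop")


def run_scenario():
    """Initial Kerberos login, WAF session expiry, then re-authentication."""
    clock = {"t": 0.0}
    waf = Waf(lambda: clock["t"])
    browser = Browser(waf)
    first, _ = browser.get(APP_PATH)
    clock["t"] += SESSION_TTL + 1        # let the WAF session time out
    second, _ = browser.get(APP_PATH)
    return first, second, browser.trace


if __name__ == "__main__":
    first, second, trace = run_scenario()
    for hop in trace:
        print("%-6s auth=%-5s -> %d" % hop)
    print(first, second)
```

Running it prints the eight hops of the two round trips: both times the ticket is sent exactly once, only to `/auth`, and only after the 401 challenge. The two points worth checking against a real trace are the ones the post raises: the client should treat a 401 on the auth page as a fresh challenge and re-present a Negotiate token (not as proof that Kerberos failed), and the WAF's challenge should list Negotiate alone so that a client never has an NTLM path to fall into.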
