I Have to different servers one for web api and the other is for push notifications(signalR). I am hosting both on iis7, both are working fine independently but when the api is trying to connect to the push server (as a signalrClient) I get 401 Unauthorized response. Both the api and the push are running by the same user, both have kerberos authentication.
When I allow anonymuse in my push server it works perfectly. Unfortentally it can't be anonymose.
Thak you
Enable Windows authentication, Impersonation and disable rest in both the app.
here is the web.config code:
<system.web>
<authentication mode="Windows"/>
<identity impersonate="true" />
</system.web>
I plan to create a connection string for my membership which points to Azure Active Directory. Here are what I've got from Azure Active Directory:
Case 1: The information is get from https://portal.azure.com
ClientId: a92a056f-????-????-????-3a86545656e2
Tenant: somedomain.onmicrosoft.com
AADInstance: https://login.microsoftonline.com/{0}
PostLogoutRedirectUri: http://localhost:51323/
Case 2: The information is get from https://apps.dev.microsoft.com
App ID / Client Id: 54fadbd8-????-?????-????-0260307e24ac
Private Key: E5400125D?????????????EDA54B22CC0D8631
Redirect URL: http://localhost:51323/
A sample connection string:
LDAP://127.0.0.1/OU=Users,DC=somedomain.onmicrosoft.com
A sample connection string from web.config:
<connectionStrings>
<add name="MyMembershipConnectionString" connectionString="LDAP://127.0.0.1/OU=Users,DC=somedomain.onmicrosoft.com" />
</connectionStrings>
From given information above, what is the format of the connectionstring for each case? (Case 1 or 2)
Note: The connectionstring for azure active directory is applied on a .Net web application.
For this question, I have another example:
I have a domain: somedomain.onmicrosoft.com
I have an Azure Active Directory Account: trin#somedomain.com
So my ConnectionString look like:
LDAP://somedomain.onmicrosoft.com/OU=trin#somedomain.com,OU=somedomain,DC=somedomain,DC=onmicrosoft,DC=com
Does the connection string correct?
My website has Windows Authentication enabled with Negotiate provider listed first as I want to use Kerberos for delegating. It works fine when I run the website from a browser on the web server itself. When I use IE from another machine in the domain, I get the login box. After 3 tries I get a HTTP 401.2 error: Unauthorized.
I've made sure the domain account used by the Application Pool has Read and Execute rights to the website folder, and so does the domain account I'm logging in under when hitting the website (and I've also thrown in 'Authenticated Users' for good measure).
Interestingly if I try to access the site using the web server's IP instead of the name, it loads fine.
Anyone have thoughts?
One year after my first encountering this problem I've solved it.
Got the tip from http://blogs.technet.com/b/proclarity/archive/2011/03/08/useapppoolcredentials-true-with-kerberos-delegation-on-2008.aspx
Need to set useAppPoolCredentials="true" on the windowsAuthentication element in applicationHost.config (can set via IIS Manager)
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
<providers>
<clear />
<add value="Negotiate" />
</providers>
<extendedProtection tokenChecking="None" />
</windowsAuthentication>
</authentication>
</security>
</system.webServer>
The reason you're getting a 401.2 when using a DNS name is most likely due to the fact register the name you're using as a service principle name (SPN) in AD.
Here's a couple of links that should help you out:
Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5
http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx
Register a Service Principal Name for Kerberos Connections:
http://technet.microsoft.com/en-us/library/ms191153.aspx
In my web application, I have put encrypted password like:
<add name="ConnectionString1" connectionString="Data Source=abc;Initial Catalog=dms;Persist Security Info=True;User ID=sa;Password=****************" />
and at run time, I decrypt it and use it.
It works fine in all pages, but in 1 page it shows error like
Login failed for user 'sa'.
there is no error anywhere. I debug many times, but still it continues.
Instead I use actual connection string it works fine.
what should I do?
I am having a problem with getting windows authentication to work on IIS 7.5.
The application is an internal site built in asp.net MVC 3. The application pool is using a specific domain user and the site is using windows authentication. Every time I try to launch the site IE prompts me for a login.
If I cancel enough the site comes up, messed up looking, but it has my name associated with my windows log in displayed at the top. So that tells me that the site is picking up my windows credentials correctly.
I added the Network local user to have read access to the inetpub folder on the server and now it doesn't prompt for login with IE 8. But on chrome I get this error "Error 338 (net::ERR_INVALID_AUTH_CREDENTIALS): Unknown error.".
It is in our intranet sites zone. I should have stated this but I forgot. The site used to work on our old development server but when I upgraded to Win 2008 R2 with IIS 7.5 it stopped working. Used to be on 2003 with IIS 6.0.
I am wondering if any one has any idea what else I can try. I am pretty much spinning my wheels at this point.
I have tried all of the solutions in the links below and none of them have fixed the problem
http://forums.iis.net/t/1177154.aspx
http://forums.iis.net/t/1178188.aspx
Receiving login prompt using integrated windows authentication
http://warnajith.blogspot.com/2011/06/iis-75-401-unauthorized-access-error.html
http://forums.asp.net/t/1639511.aspx/1
https://superuser.com/questions/128746/iis-asks-for-login-pass-when-accessed-using-hostname-but-not-when-localhost-is
http://ask.metafilter.com/183636/Prompted-for-a-username-and-password-when-browsing-to-an-IIS-virtual-directory
IIS 7 and Windows Authentication
Related Note: If you are trying to replicate your site on localhost, and windows authentication is enabled and still fails, the solution is some registry hacking to avoid the loopback check:
Using regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Add a new Multi-String Value to MSV1_0 and name it BackConnectionHostNames
Add the host names you wish to use. Example, "mysite.com".
Restart the IIS.
Source link
The value should be the website name in your windows hosts file.
Also to be able to access a non-authenticated /data folder using PHP's file_get_contents, I had to add this to the applicationHost.config file, to prevent 401 errors.
<location path="mysite.com/data">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
<windowsAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
</location>
I found the answer to this. It is a config setting that isn't mapped in the GUI. I had to go into the application host config file located at <%SystemDrive%>/Windows/System32/inetsrv/config and change the below settings.
default settings where
<windowsAuthentication enabled="true">
<providers>
<add value="Negotiate" />
</providers>
</windowsAuthentication>
Changed to this and it worked.
<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
<providers>
<add value="NTLM" />
</providers>
</windowsAuthentication>
In order for integrated credentials to be passed by IE, the site needs to be in your Intranet sites zone. It cannot be in trusted sites or any other sites.
I had a similar problem and it was fixed by adding the users group (MYDOMAIN\Users) to the physical folder of the application with read permissions.
i have a similar problem that is only solved by moving NTLM on top of kerberos in the providers as explained by Rory, or by modifying DNS.
The problem only occurs in IIS7 when the host header of the website exists as a CNAME (alias) in the DNS.
in IIS6, Integrated Windows Authentication only uses NTLM by default.
in IIS7, IWS uses kerberos before NTLM by default.
Replacing the CNAME record with an A record solves the problem.
Kerberos has no problems with A records in DNS, but it has problems with aliases.
So apparantly DNS CNAMEs are not compatible with kerberos on Windows 2008.
chris
If the browser prompts you for credential, I think your app pool credential don't have access to some of the resources on your page. Have you tried to create a blank html page and access to that page?
<html>
<body>
hello world!
</body>
</html>
I have a similar problem.
I had an application under Default Web Site that already had Windows authentication enabled but didnĀ“t worked. I solved disabling anonymous authentication on Default Web Site and also Enabling Windows authentication on Default Website.