IIS 7.5 Windows Authentication failed with 401 - windows

Since we moved from IIS 7.0 to IIS 7.5 the Windows Authentication doesn't work anymore from remote requests. If I open the website on the webserver everything works fine.
web.config:
<authentication mode="Windows" />
<identity impersonate="true" />
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
IIS Settings:
Authentication (enabled): ASP.NET Impersonation, Windows Authentication (all others are disabled)
ApplicationPool: Managed Pipeline Mode -> Classic, Identity -> ApplicationPoolIdentity
Failed Request Trace:
MODULE_SET_RESPONSE_ERROR_STATUS
ModuleName: WindowsAuthenticationModule
Notification: 2
HttpStatus: 401
HttpReason: Unauthorized
HttpSubStatus: 1
ErrorCode: 2148074254
ConfigExceptionInfo:
Notification: AUTHENTICATE_REQUEST
ErrorCode No credentials are available in the security package (0x8009030e)
Any suggestions?

We had a two-hop problem I think. If I move our SQL/Oracle DB to the server which is running IIS it works.
So here is an article to which describes a solution.
How to configure SQL and IIS for two hop kerberos authentication 2
or
SSRS Reportviewer ASP.NET Credentials 401 Exception
Thanks

Which client are you using? you might be running a client that is trying to pre-authenticate, but in IIS 7 we use Kernel Mode authentication by default which requires a challenge. If that is the case you can disable Kernel Mode auth by selecting the Windows Authentication entry and clicking Advanced Settings, you should see a checkbox that allows you to Disable that for the specific application and it should work if this is the problem.

Related

iis windows authentication web api and signalr

I Have to different servers one for web api and the other is for push notifications(signalR). I am hosting both on iis7, both are working fine independently but when the api is trying to connect to the push server (as a signalrClient) I get 401 Unauthorized response. Both the api and the push are running by the same user, both have kerberos authentication.
When I allow anonymuse in my push server it works perfectly. Unfortentally it can't be anonymose.
Thak you
Enable Windows authentication, Impersonation and disable rest in both the app.
here is the web.config code:
<system.web>
<authentication mode="Windows"/>
<identity impersonate="true" />
</system.web>

HTTP 401.2 Unauthorized error with Windows authentication from remote machine

My website has Windows Authentication enabled with Negotiate provider listed first as I want to use Kerberos for delegating. It works fine when I run the website from a browser on the web server itself. When I use IE from another machine in the domain, I get the login box. After 3 tries I get a HTTP 401.2 error: Unauthorized.
I've made sure the domain account used by the Application Pool has Read and Execute rights to the website folder, and so does the domain account I'm logging in under when hitting the website (and I've also thrown in 'Authenticated Users' for good measure).
Interestingly if I try to access the site using the web server's IP instead of the name, it loads fine.
Anyone have thoughts?
One year after my first encountering this problem I've solved it.
Got the tip from http://blogs.technet.com/b/proclarity/archive/2011/03/08/useapppoolcredentials-true-with-kerberos-delegation-on-2008.aspx
Need to set useAppPoolCredentials="true" on the windowsAuthentication element in applicationHost.config (can set via IIS Manager)
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
<providers>
<clear />
<add value="Negotiate" />
</providers>
<extendedProtection tokenChecking="None" />
</windowsAuthentication>
</authentication>
</security>
</system.webServer>
The reason you're getting a 401.2 when using a DNS name is most likely due to the fact register the name you're using as a service principle name (SPN) in AD.
Here's a couple of links that should help you out:
Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5
http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx
Register a Service Principal Name for Kerberos Connections:
http://technet.microsoft.com/en-us/library/ms191153.aspx

MVC3 Multiple Areas Different Authentication Methods

I have the following structure for my web application:
In my root web config, not in the Areas/Admin/Web.Config I have the following:
<location path="Areas/Admin">
<system.web>
<authentication mode="Windows"></authentication>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
I have my own authentication working on the main root of the web site no problems by using the [Authorize] tag.
Now for the Areas/Admin I'd like to use Windows Authentication.
In IIS (Server 2008 R2 Machine), I have the Admin folder configured as an application:
And when I click on Areas/Admin in IIS, under Authentication, I have Anonymous disabled, and Windows Authentication Enabled.
However, when I attempt to access this folder via the web site, it does not prompt me for my domain username/password. It just loads up the page.
If I go to www.website.com/Areas/Admin, it then prompts me for the username/password. But I need it to use the AreaRegistration, and have it prompt when I go to www.website.com/Admin.
I've been able to configure an entire site as Windows Authentication, and that works like a charm.
Any thought to lead me in the right direction? Or, if you need more information, please leave me a comment and I will be more than happy to give you what I can.
From doing research, I found that the only way to make this work, is to create a 2nd "admin" site which runs as an application under the main site. Doing so, allowed me to setup permissions on that site.

Windows Authentication not working in IIS 7.5

I am having a problem with getting windows authentication to work on IIS 7.5.
The application is an internal site built in asp.net MVC 3. The application pool is using a specific domain user and the site is using windows authentication. Every time I try to launch the site IE prompts me for a login.
If I cancel enough the site comes up, messed up looking, but it has my name associated with my windows log in displayed at the top. So that tells me that the site is picking up my windows credentials correctly.
I added the Network local user to have read access to the inetpub folder on the server and now it doesn't prompt for login with IE 8. But on chrome I get this error "Error 338 (net::ERR_INVALID_AUTH_CREDENTIALS): Unknown error.".
It is in our intranet sites zone. I should have stated this but I forgot. The site used to work on our old development server but when I upgraded to Win 2008 R2 with IIS 7.5 it stopped working. Used to be on 2003 with IIS 6.0.
I am wondering if any one has any idea what else I can try. I am pretty much spinning my wheels at this point.
I have tried all of the solutions in the links below and none of them have fixed the problem
http://forums.iis.net/t/1177154.aspx
http://forums.iis.net/t/1178188.aspx
Receiving login prompt using integrated windows authentication
http://warnajith.blogspot.com/2011/06/iis-75-401-unauthorized-access-error.html
http://forums.asp.net/t/1639511.aspx/1
https://superuser.com/questions/128746/iis-asks-for-login-pass-when-accessed-using-hostname-but-not-when-localhost-is
http://ask.metafilter.com/183636/Prompted-for-a-username-and-password-when-browsing-to-an-IIS-virtual-directory
IIS 7 and Windows Authentication
Related Note: If you are trying to replicate your site on localhost, and windows authentication is enabled and still fails, the solution is some registry hacking to avoid the loopback check:
Using regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Add a new Multi-String Value to MSV1_0 and name it BackConnectionHostNames
Add the host names you wish to use. Example, "mysite.com".
Restart the IIS.
Source link
The value should be the website name in your windows hosts file.
Also to be able to access a non-authenticated /data folder using PHP's file_get_contents, I had to add this to the applicationHost.config file, to prevent 401 errors.
<location path="mysite.com/data">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
<windowsAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
</location>
I found the answer to this. It is a config setting that isn't mapped in the GUI. I had to go into the application host config file located at <%SystemDrive%>/Windows/System32/inetsrv/config and change the below settings.
default settings where
<windowsAuthentication enabled="true">
<providers>
<add value="Negotiate" />
</providers>
</windowsAuthentication>
Changed to this and it worked.
<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
<providers>
<add value="NTLM" />
</providers>
</windowsAuthentication>
In order for integrated credentials to be passed by IE, the site needs to be in your Intranet sites zone. It cannot be in trusted sites or any other sites.
I had a similar problem and it was fixed by adding the users group (MYDOMAIN\Users) to the physical folder of the application with read permissions.
i have a similar problem that is only solved by moving NTLM on top of kerberos in the providers as explained by Rory, or by modifying DNS.
The problem only occurs in IIS7 when the host header of the website exists as a CNAME (alias) in the DNS.
in IIS6, Integrated Windows Authentication only uses NTLM by default.
in IIS7, IWS uses kerberos before NTLM by default.
Replacing the CNAME record with an A record solves the problem.
Kerberos has no problems with A records in DNS, but it has problems with aliases.
So apparantly DNS CNAMEs are not compatible with kerberos on Windows 2008.
chris
If the browser prompts you for credential, I think your app pool credential don't have access to some of the resources on your page. Have you tried to create a blank html page and access to that page?
<html>
<body>
hello world!
</body>
</html>
I have a similar problem.
I had an application under Default Web Site that already had Windows authentication enabled but didnĀ“t worked. I solved disabling anonymous authentication on Default Web Site and also Enabling Windows authentication on Default Website.

How do I allow anonymous access to my mvc3 app using Windows Authentication

I have an MVC3 Intranet app that uses Windows authentication. I'm now using a third party service that will make notification calls to my app. I've already created a listener for these API calls but not sure how I can allow anonymous access to that single view in my app.
My IIS7 settings are as follows:
Anonymous - Enabled <---------- Use Domain User
ASP.NET Impersonation - Disabled
Basic Authentication - Disabled
Digest Authentication - Disabled
Forms Authentication - Disabled
Windows Authentication - Enabled - HTTP 401 Challange
Additionally, in my web.config file, authentication mode is set to Windows.
With that said, is there a way to allow anonymous access to a single view in my MVC app?
Where path is your end url, add this your web.config.
<location path="MyController/MyAction">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
Or decorate the action with AllowAnonymousAttibute http://msdn.microsoft.com/en-us/library/system.web.http.allowanonymousattribute(v=vs.108).aspx.

Resources