Access denied when attempting to browse to a virtual directory

  • Question

  • User832234374 posted

    I used the IIS Resource Kit's SelfSSL tool to add a test SSL certificate to my test W2K3 server. (The server is not a member of a domain.) I used the FQDN of my server when generating the certificate.

    I then created a virtual directory named "Test" underneath the Default Web Site, enabled "Require secure channel (SSL)" for this virtual directory, and verified for this virtual directory that "Enable anonymous access" is not enabled and that "Integrated Windows authentication" is enabled.

    While logged on to the server console as myself (a member of the server's Administrators group), browsing to https://localhost/Test displays the default page.

    When I attempt to browse to the virtual directory using https://<FQDN>/Test (whether from the server console or from my client PC), I'm prompted for a username and password. No matter what I enter here (whether my own credentials on this server or the credentials of a test Windows user on this server), I get the following error: HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.

    What would cause this problem?

    FYI: Both Windows users have adequate NTFS permissions for the underlying directory. The site's application pool is DefaultAppPool; the DefaultAppPool has Network Service for its identity account.

    Thursday, March 20, 2008 6:45 PM


All replies

  • User989702501 posted

    Does it work with http://? 401.1 is saying login failed. Can you post the log entries here?

    Thursday, March 20, 2008 10:18 PM
  • User832234374 posted

    Thanks for the reply. When I browse using http://, I get a "HTTP Error 403.4 - Forbidden: SSL is required to view this resource" error--which is what I would expect and what I want to happen.

    I browsed using https:// again, was prompted for credentials three times, and then got the 401.1 error again. After doing this, I noticed the following nine entries in my IIS log file:

    2008-03-21 03:03:54 W3SVC1 <My Server's IP Address> GET /Test - 443 - <My Server's IP Address> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 401 2 2148074254
    2008-03-21 03:03:54 W3SVC1 <My Server's IP Address> GET /Test - 443 - <My Server's IP Address> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 401 1 0
    2008-03-21 03:03:54 W3SVC1 <My Server's IP Address> GET /Test - 443 - <My Server's IP Address> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 401 1 2148074252
    2008-03-21 03:03:58 W3SVC1 <My Server's IP Address> GET /Test - 443 - <My Server's IP Address> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 401 1 0
    2008-03-21 03:03:58 W3SVC1 <My Server's IP Address> GET /Test - 443 - <My Server's IP Address> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 401 1 2148074252
    2008-03-21 03:03:58 W3SVC1 <My Server's IP Address> GET /Test - 443 - <My Server's IP Address> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 401 1 0
    2008-03-21 03:03:58 W3SVC1 <My Server's IP Address> GET /Test - 443 - <My Server's IP Address> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 401 1 2148074252
    2008-03-21 03:04:00 W3SVC1 <My Server's IP Address> GET /Test - 443 - <My Server's IP Address> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 401 1 0
    2008-03-21 03:04:00 W3SVC1 <My Server's IP Address> GET /Test - 443 - <My Server's IP Address> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 401 1 2148074252

    Does that help?

    Thursday, March 20, 2008 11:09 PM
  • User989702501 posted

    I'm not seeing the cs-username field being populated. Did you log the field? It is showing "-" and that's for anonymous.

    Thursday, March 20, 2008 11:47 PM
  • User832234374 posted

    Suddenly, I can now successfully browse to the site using https:// from my client PC...and from another client PC. It prompts me for the credentials and then displays the site!

    However, I *still* get a 401.1 error when browsing to the site using https:// from the server console (after being prompted for the credentials).

    It's probably nothing, but I notice that the dialog box that prompts me for my credentials is slightly different on the client PCs than it is on the server console. On the client PCs, the dialog box says "Connecting to <FQDN>" whereas on the server console, the dialog box says "Connecting to <My FQDN>." (note the period at the end). Is that significant?

    Thursday, March 20, 2008 11:48 PM
  • User989702501 posted

    Locally it works; I'm guessing it auto-logs in as administrator. Are these machines in a domain or not?

    You can look at the log entries for the visits where you are able to log in and compare them to those where you can't.
    401.2 is normal, as it is trying to log in as anonymous first. Then you should see 200, not 401.1.

    Thursday, March 20, 2008 11:52 PM
  • User832234374 posted

    The server is not a member of a domain. The client PCs are not members of a domain, either.

    I can access the site with https:// from both client PCs...but it doesn't work from the server console.

    On the server console, I'm logged in with a local account that is a member of the server's Administrators group.

    Friday, March 21, 2008 1:12 AM
  • User989702501 posted

    Again, capture the username field in the IIS log file: site properties - Logging - Advanced....
    At the server console, what's the URL you are visiting? http://servername? Or? Have you tried http://localhost?

    Friday, March 21, 2008 1:53 AM
  • User832234374 posted

    I checked the Default Web Site's logging > Properties > Advanced list. User Name ( cs-username ) was--and still is--enabled.

    (I neglected to mention that when I browse using https://, I get a "There is a problem with this website's security certificate" message--because I am the one who generated the SSL certificate using SelfSSL. I'm ignoring this message and simply pressing the Continue link. That might explain the first two log entries with a sc-status of 401 after each activity described below.)

    FYI: The server name is USP0104DAT. My Windows user account on this server is "Chris".

    When I use https://localhost/Test at the server console, the site displays properly--without requesting any credentials. Here are the entries in the log for this activity:

    2008-03-21 14:23:59 W3SVC1 127.0.0.1 GET /Test - 443 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 401 2 2148074254
    2008-03-21 14:23:59 W3SVC1 127.0.0.1 GET /Test - 443 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 401 1 0
    2008-03-21 14:23:59 W3SVC1 127.0.0.1 GET /Test - 443 USP0104DAT\Chris 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 301 0 0
    2008-03-21 14:23:59 W3SVC1 127.0.0.1 GET /Test/Default.htm - 443 USP0104DAT\Chris 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 200 0 0

    When I use https://servername (i.e., https://USP0104DAT/Test) at the server console, I'm prompted for my credentials. When I enter my credentials, the site displays properly. Here are the entries in the log for this activity:

    2008-03-21 14:35:52 W3SVC1 [My server's IP address] GET /Test/ - 443 - [My server's IP address] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 401 2 2148074254
    2008-03-21 14:36:30 W3SVC1 [My server's IP address] GET /Test/ - 443 - [My server's IP address] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 401 1 0
    2008-03-21 14:36:30 W3SVC1 [My server's IP address] GET /Test/Default.htm - 443 USP0104DAT\Chris [My server's IP address] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 200 0 0

    When I use https://FQDN/test at the server console, I'm prompted for my credentials. After three attempts of entering my credentials, I get a "You are not authorized to view this page" error. Here are the entries in the log for this activity:

    2008-03-21 15:15:45 W3SVC1 [My server's IP address] GET /Test - 443 - [My server's IP address] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 401 2 2148074254
    2008-03-21 15:16:01 W3SVC1 [My server's IP address] GET /Test - 443 - [My server's IP address] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 401 1 0
    2008-03-21 15:16:01 W3SVC1 [My server's IP address] GET /Test - 443 - [My server's IP address] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 401 1 2148074252
    2008-03-21 15:16:01 W3SVC1 [My server's IP address] GET /Test - 443 - [My server's IP address] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 401 1 0
    2008-03-21 15:16:01 W3SVC1 [My server's IP address] GET /Test - 443 - [My server's IP address] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 401 1 2148074252
    2008-03-21 15:16:06 W3SVC1 [My server's IP address] GET /Test - 443 - [My server's IP address] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 401 1 0
    2008-03-21 15:16:06 W3SVC1 [My server's IP address] GET /Test - 443 - [My server's IP address] Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648) 401 1 2148074252

    Again, perhaps this is all normal--a consequence of the problem with the SelfSSL-generated certificate. It's interesting that the site displays properly from the console using https://localhost/Test and https://USP0104DAT/Test, but doesn't display using https://FQDN/Test --the only URL that contains the name that appears within the SelfSSL-generated certificate. If there's truly a problem with the certificate, however, then why does https://FQDN/Test display properly from my client PCs?

    Friday, March 21, 2008 11:22 AM
  • User989702501 posted

    Cool, now we can see the cs-username field.

    First - localhost - IE auto-logs in as it knows this is the local intranet zone, so you see the following:
    401.2, 401.1 - IE tries anonymous access first
    301, 200 - IE auto-logs in and redirects to the default doc.

    Second - Servername - similar experience; it works.

    Third - FQDN - hmm... funny it gives you 401.1. Is this basic or Windows auth? You notice that your username wasn't even recorded in the log file; instead of USP0104DAT\Chris it is always "-", anonymous.

    Can you try again in http? The SSL is working, so https://fqdn should work also. But anyway, leave it first... I'm wondering why the FQDN doesn't work when you get prompted for login.

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Sunday, March 23, 2008 1:06 AM
  • User832234374 posted

    First - localhost - IE auto-logs in as it knows this is the local intranet zone, so you see the following:
    401.2, 401.1 - IE tries anonymous access first
    301, 200 - IE auto-logs in and redirects to the default doc.

    Second - Servername - similar experience; it works.

    Thanks for the explanations, Bernard! I'm curious; why did the first example contain both a 301 and a 200...but the second example contained just a 200? (Both examples work.)


    Third - FQDN - hmm... funny it gives you 401.1. Is this basic or Windows auth? You notice that your username wasn't even recorded in the log file; instead of USP0104DAT\Chris it is always "-", anonymous.

    The Test directory is configured for "Integrated Windows authentication" only. Strange, isn't it, that the username (or at least the attempt) isn't recorded in the log?


    Can you try again in http? The SSL is working, so https://fqdn should work also. But anyway, leave it first... I'm wondering why the FQDN doesn't work when you get prompted for login.

    How do you mean "Can you try again in http?" I'm not sure I understand what you're asking.

    FYI: When I disable the "Require secure channel (SSL)" for the /Test directory and then attempt to browse to http://FQDN/Test, I'm still repeatedly prompted for my credentials; after three attempts, I'm still greeted with a 401.1 error. http://localhost/Test still displays fine. http://USP0104DAT/Test still prompts me for my credentials, accepts my credentials, and still displays fine. Note that all three of these URLs do not contain the https.

    Sunday, March 23, 2008 7:30 PM
  • User989702501 posted

    First - because you are browsing to /test, IIS checks whether this is a file or a directory, gives it a courtesy / at the end and finds the default document. In the second example you are telling the browser to access the /test/ folder; IIS reads its config and gives you default.htm directly, so you don't see the 301 Moved response from IIS.

    Third, I just thought of this -
    You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6
    http://support.microsoft.com/?id=896861

    It was quite hot after SP1 was released....

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Sunday, March 23, 2008 10:44 PM
  • User832234374 posted

    Good catch, Bernard! That KB article describes my problem almost exactly! 

    SYMPTOMS
    When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or IIS 6, you may receive an error message that resembles the following:

    HTTP 401.1 - Unauthorized: Logon Failed

    This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address.

    Note: You only receive this error message if you try to browse the Web site directly on the server. If you browse the Web site from a client computer, the Web site works as expected.

    CAUSE
    This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.

    It's not clear to me whether my server "has a name that is mapped to the local loopback address"; however, since the symptom described in the article is nearly identical to what I'm experiencing, that must be the case. The only difference in the "symptom" is that my "HTTP Error 401.1 - Unauthorized" error text reads: "Access is denied due to invalid credentials." But that's basically the same thing as "Logon failed".

    FYI, I have Windows Server 2003 SP2 installed on this server; however, the KB article indicates that this error occurs by design starting with SP1 and, presumably therefore, is not fixed in SP2 and will not be fixed in a future update. IMO, this design change seems like a nasty side-effect...and a very confusing situation to the average person!

    According to the KB article, the following event is supposed to be written to the Security Event log:

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 537

    However, this does not appear in my Security Event log. Perhaps the KB article is incorrect about that item...or perhaps SP2 eliminates the logging.

    In any case, it seems that this "problem" is nothing to be concerned about--it's no longer possible to browse to a local web site using an FQDN that differs from the name of the computer.

    Thanks again for your help! From your comment about this being 'quite hot after SP1 was released', it sounds as though a lot of other people were burned by this also!

    Thursday, March 27, 2008 6:43 PM
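    As an added example (not code from the thread, from the poster, or from Microsoft), the Python script below turns the thread's reading of the IIS logs into a detection rule: a visit that originates on the server itself, never records a cs-username, and is refused with sc-win32-status 2148074252 (SEC_E_LOGON_DENIED) on every credential attempt is the loopback-check signature described in KB 896861, while the same rejections from a remote client point at the account or password instead. The sample log lines are constructed to match the poster's field order and status codes; 192.0.2.10 is a placeholder for the server's IP address and the User-Agent string is shortened.

```python
from collections import defaultdict

# sc-win32-status values seen in the thread's logs, decoded to SSPI error codes.
SEC_E_LOGON_DENIED = 2148074252    # 0x8009030C: the typed credentials were rejected
SEC_E_NO_CREDENTIALS = 2148074254  # 0x8009030E: the browser's anonymous first try
FIELDS = ("date", "time", "s-sitename", "s-ip", "cs-method", "cs-uri-stem",  # W3C order
          "cs-uri-query", "s-port", "cs-username", "c-ip", "cs(User-Agent)",  # as pasted
          "sc-status", "sc-substatus", "sc-win32-status")                       # in thread

def parse_line(line):
    """Split one log line into a dict; the three status fields become ints."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %d" % len(parts))
    rec = dict(zip(FIELDS, parts))
    for key in ("sc-status", "sc-substatus", "sc-win32-status"):
        rec[key] = int(rec[key])
    return rec

def classify(records):
    """Verdict for one client's request sequence (in log order):
    authenticated  - a non-error response went to a named user;
    loopback-check - client is the server itself, all 401, user never recorded,
                     credentials rejected (SEC_E_LOGON_DENIED) twice+: KB 896861;
    logon-failed   - same rejections from a remote client (not the loopback check);
    challenge-only - just the normal 401.2/401.1 challenge, no outcome yet."""
    if any(r["cs-username"] != "-" and r["sc-status"] < 400 for r in records):
        return "authenticated"
    denied = sum(1 for r in records if (r["sc-status"], r["sc-substatus"]) == (401, 1)
                 and r["sc-win32-status"] == SEC_E_LOGON_DENIED)
    if all(r["sc-status"] == 401 for r in records) and denied >= 2:
        local = all(r["c-ip"] == r["s-ip"] for r in records)
        return "loopback-check" if local else "logon-failed"
    return "challenge-only"

def classify_log(lines):
    """Group lines by (client IP, server IP) and classify each group."""
    groups = defaultdict(list)
    for line in lines:
        if line.strip() and not line.startswith("#"):
            rec = parse_line(line)
            groups[(rec["c-ip"], rec["s-ip"])].append(rec)
    return {key: classify(recs) for key, recs in groups.items()}

# Constructed sample of the thread's three visits; 192.0.2.10 is a placeholder server IP.
UA = "Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2)"  # shortened User-Agent
SAMPLE = [
    # https://localhost/Test at the console: challenge, then 200 as Chris
    f"2008-03-21 14:23:59 W3SVC1 127.0.0.1 GET /Test - 443 - 127.0.0.1 {UA} 401 2 2148074254",
    f"2008-03-21 14:23:59 W3SVC1 127.0.0.1 GET /Test - 443 - 127.0.0.1 {UA} 401 1 0",
    f"2008-03-21 14:23:59 W3SVC1 127.0.0.1 GET /Test/Default.htm - 443 USP0104DAT\\Chris 127.0.0.1 {UA} 200 0 0",
    # https://FQDN/Test at the console: credentials rejected, user never logged
    f"2008-03-21 15:15:45 W3SVC1 192.0.2.10 GET /Test - 443 - 192.0.2.10 {UA} 401 2 2148074254",
    f"2008-03-21 15:16:01 W3SVC1 192.0.2.10 GET /Test - 443 - 192.0.2.10 {UA} 401 1 2148074252",
    f"2008-03-21 15:16:06 W3SVC1 192.0.2.10 GET /Test - 443 - 192.0.2.10 {UA} 401 1 2148074252",
    # https://FQDN/Test from a client PC: same prompt, accepted
    f"2008-03-21 15:20:10 W3SVC1 192.0.2.10 GET /Test/ - 443 - 192.0.2.55 {UA} 401 2 2148074254",
    f"2008-03-21 15:20:12 W3SVC1 192.0.2.10 GET /Test/Default.htm - 443 USP0104DAT\\Chris 192.0.2.55 {UA} 200 0 0",
]
```

    Run it against a real IIS log after confirming the site logs cs-username (as the thread does), since the rule depends on that column.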
  • User989702501 posted

    So you got it fixed?

    For the event log, I think you need to enable auditing first.

    Saturday, March 29, 2008 12:46 AM
  • User832234374 posted

    Fixed? No, not really. According to the KB article you referred me to, it's no longer possible to browse to a local web site using an FQDN that differs from the name of the computer--so I have to remind myself to use the name of the computer (i.e., http://USP0104DAT/Test), instead of the FQDN, when browsing on the server.

    Saturday, March 29, 2008 12:51 AM
  • User989702501 posted

    Oh, I have never experienced this in my setup :)
    I have SP2 as well. Have you tried any of the methods?

    Saturday, March 29, 2008 12:55 AM
  • User832234374 posted

    Is your computer name different than the first part of the FQDN--like mine is?

    Which methods are you referring to? There are two workarounds listed in the KB article ("Disable the loopback check" or "Specify host names"), but I'd rather not make either change due to not understanding the security implications.

    Saturday, March 29, 2008 1:05 AM
  • User989702501 posted

    The loopback check only prevents attacks from the local computer, so if the box is secure locally, I doubt there is a risk. This is a special feature MS put in in SP1, with no change in SP2. I disabled the check and I can use the FQDN locally. My host name is R2, the FQDN is my.abctest.com (via the hosts file), and it works.

    It is up to you whether to use NetBIOS on the local host or the FQDN (via the methods).

    Saturday, March 29, 2008 1:31 AM