Yet another HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.

  • Question

  • User-2143501165 posted

    I've migrated a few ASP.NET 2 pages from a development server to production and configured them the same. However I can't get access to the production pages, with the error in the subject of this post being returned after 3 prompts for credentials.

    The web server is a W2K3 SP2 server. The website has a hostname setup and associated with it and DNS is configured appropriately. The website has its own application pool which uses a domain account. The domain account being used is a member of the local IIS_WPG group and is also being used without problem in another application pool on the same server.

    The website has been configured to use Windows Authentication and the web.config file is also set to use this. I did initially think that I may need to follow the MS KB article which details how to perform the DisableLoopbackCheck registry change but I have other websites on this server configured in a similar manner (domain account for apppool, hostname used on site) and they function without issue.

    Wednesday, June 17, 2009 8:31 AM

Answers

All replies

  • User157784788 posted

    This may still be a permissions issue, maybe on the web content. Ensure "Authenticated Users" is granted READ permissions on the web content.

    Download Procmon from www.sysinternals.com and reproduce the issue and check for "Access Denied" errors and fix those.

    If it does not help, enable Failure auditing from Local GP and check security event logs for failures.

    HTH.

    ~ Ganesh

    Wednesday, June 17, 2009 9:53 AM
  • User1632528892 posted

    Hi,

    Do the other web sites that use a domain account for their app pool use Integrated Windows Authentication?

    The symptoms you describe sound like a Kerberos authentication failure. Refer to this KB article for an explanation of what is happening and how to fix it:

    How to use SPNs when you configure Web applications that are hosted on IIS 6.0

    Regards,

    Wednesday, June 17, 2009 9:57 AM
  • User1632528892 posted

    This may still be a permissions issue, maybe on the web content. Ensure "Authenticated Users" is granted READ permissions on the web content.

    If it was a permissions issue, you would see a 401.3, not a 401.1.

    Regards,

    Wednesday, June 17, 2009 10:02 AM
  • User157784788 posted

    You are right!! Paul.

    Yeah, this may be an SPN issue, but check Failure Auditing; that will give you a clue if this is a Kerberos failure.

    ~ Ganesh

    Wednesday, June 17, 2009 10:08 AM
  • User-2143501165 posted

    Yes, they use Integrated Windows Authentication.

    I've been in a meeting all afternoon but will check the article posted and report back. Thanks.

    Wednesday, June 17, 2009 12:17 PM
  • User-2143501165 posted

    I've run setspn to check the SPNs set for the domain account and the hostname is listed among them: HTTP/biz

    I've checked the NTAuthenticationProviders setting for the site in IIS and there's no value for the property, which, according to KB 215383, means it will default to Negotiate, NTLM.

    Any other ideas?

    Thursday, June 18, 2009 7:32 AM
  • User1632528892 posted

    I've run setspn to check the SPNs set for the domain account and the hostname is listed among them: HTTP/biz

    In your first post you said,

    "The website has a hostname setup and associated with it and DNS is configured appropriately"

    Does the hostname that the clients are typing into their browsers match any of the SPNs that you have got configured for your domain account?

    Is that hostname a DNS CNAME or is it an A record?

    Is the web content for your application stored locally or remotely?

    Regards,

    Thursday, June 18, 2009 8:54 AM
  • User-2143501165 posted

    Does the hostname that the clients are typing into their browsers match any of the SPNs that you have got configured for your domain account?

    The hostname, biz, matches the SPN HTTP/biz

    Is that hostname a DNS CNAME or is it an A record?

    According to my colleague it's a CNAME.

    Is the web content for your application stored locally or remotely?

    The content is stored locally on the server.

    Thursday, June 18, 2009 9:20 AM
  • User1632528892 posted

    Hi,

    OK, if you're using a CNAME it's possible that your client machines are not requesting the correct service principal name when they connect - a Wireshark capture would show this.

    However, there are two possible ways to resolve this. You can either use a DNS A record instead of a CNAME or you can try applying this hotfix:

    Error message in Internet Explorer when you try to access a Web site that requires Kerberos authentication on a Windows XP-based computer: "HTTP Error 401 - Unauthorized: Access is denied due to invalid credentials"

    This may explain why your clients are not falling back to NTLM.

    Regards,

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Thursday, June 18, 2009 9:42 AM
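
The CNAME mismatch described in the reply above, worked through as an added example that is not part of the original thread. It assumes the client builds the SPN from the canonical (A-record) name the alias resolves to; the DNS records, account names and `setspn -L` style output are constructed, and only `biz` and `HTTP/biz` come from the thread.

```python
# Assumption: the client builds the SPN from the canonical (A-record) name.
# Constructed sample data; only "biz" and HTTP/biz come from the thread.
APP_POOL = "CN=svc-biz,OU=Service Accounts,DC=corp,DC=example"
ZONE_CNAME = {"biz": ("CNAME", "web01.corp.example"),
              "web01.corp.example": ("A", "192.0.2.10")}
ZONE_A = {"biz": ("A", "192.0.2.10")}
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=svc-biz,OU=Service Accounts,DC=corp,DC=example:
    HTTP/biz
Registered ServicePrincipalNames for CN=WEB01,CN=Computers,DC=corp,DC=example:
    HOST/web01
    HOST/web01.corp.example
"""

def parse_setspn(text):
    """Map lower-cased SPN -> owning account DN from `setspn -L` style output."""
    owners, account = {}, None
    for line in text.splitlines():
        if line.startswith("Registered ServicePrincipalNames for "):
            account = line.split(" for ", 1)[1].rstrip(":")
        elif line.strip() and account:
            owners[line.strip().lower()] = account
    return owners

def canonical_name(host, zone):
    """Follow CNAME records to the final name, guarding against loops."""
    host, seen = host.lower(), set()
    while zone.get(host, ("A",))[0] == "CNAME":
        if host in seen:
            raise ValueError("CNAME loop at " + host)
        seen.add(host)
        host = zone[host][1].lower()
    return host

def diagnose(url_host, app_pool_account, zone, owners):
    """Return (SPN the client requests, account holding it, verdict)."""
    target = canonical_name(url_host, zone)
    spn = "HTTP/" + target
    # A HOST/<name> SPN on a computer account also answers for HTTP/<name>.
    owner = owners.get(spn.lower()) or owners.get("host/" + target)
    if owner is None:
        verdict = "missing: no account holds this SPN"
    elif owner != app_pool_account:
        verdict = "mismatch: ticket is encrypted for another account"
    else:
        verdict = "ok"
    return spn, owner, verdict

if __name__ == "__main__":
    print(diagnose("biz", APP_POOL, ZONE_CNAME, parse_setspn(SETSPN_OUTPUT)))
```

With `ZONE_A` in place of `ZONE_CNAME`, the same call returns `HTTP/biz` held by the application pool account, which corresponds to the A-record option suggested in the reply.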
  • User157784788 posted

    To check if this is an SPN issue or a Kerberos issue, you may want to use the following tool, which would help to narrow down this problem.

    DelegConfig v1 (Delegation / Kerberos Configuration Tool)
    http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1434

    Install this tool and run it.

    HTH.

    ~ Ganesh

    Thursday, June 18, 2009 9:53 AM
  • User-2143501165 posted

    Thanks Paul. Looks like this could be the issue. Forcing the site to use NTLM seems to work as an interim solution. I'll pass this on to the guys that deal with DNS.

    Thanks for your help.

    Thursday, June 18, 2009 10:57 AM
  • User-2143501165 posted

    Thanks for participating and offering advice.

    Thursday, June 18, 2009 10:57 AM
  • User1632528892 posted

    Hi,

    OK, please let us know how you get on and what action you take to fix the issue. I'm sure others would be interested to know about this problem.

    Regards,

    Thursday, June 18, 2009 1:48 PM