Not Authorized HTTP Error 401. The requested resource requires user authentication.

  • Question

  • Hi All,

    I have the MDS web application on one server and the MDS DB on another, both in the same domain.

    The MDS web application is created as a new website on the same IIS with SharePoint, and they have their own ports assigned.

    In IIS, Windows Authentication is added and enabled.

    Users do have function permission and module enabled.

    MDS is accessible only on the server where the web application is.

    When it is accessed from any computer within the domain, the error is:

    Not Authorized

    HTTP Error 401. The requested resource requires user authentication.

    Can anyone offer any suggestions?

    Thanks

    Zorko
    Monday, September 30, 2013 11:07 AM


All replies

  • Did you authorize DOMAIN USERS or GROUPS to MDS? If not, you can authorize them via the permission menu item in the WebUI on the MDS server and then try to access it with that user account from another server.

    Regards,

    Reza

    SQL Server MVP

    Blog: http://rad.pasfu.com

    SQL Server Integration Services 2012 Tutorial Videos: http://www.radacad.com/CoursePlan.aspx?course=1

    Monday, September 30, 2013 11:32 AM
  • Hi Reza,

    I did authorize some users via Edit permission on MDS IIS, but still had the same error.

    Regards

    Zorko


    Monday, September 30, 2013 1:28 PM
  • Hi Zorko,

    The issue may happen in the following case:
    1. The Master Data Services (MDS) web application is running under a domain user account
    2. You didn't register a Service Principal Name (SPN) for the account
    3. You are using a fully qualified domain name (FQDN) or host name to access the MDS
    4. You are able to access the MDS by IP address (http://<ip address>)
    If I am right, it is because the browser chooses to use Kerberos authentication to connect to the MDS.

    So then, to fix the issue, please:
    Register an SPN for the application pool account. Enable delegation.
    Or, please force the web site to use NTLM authentication only.

    For more information, please see:
    How to use SPNs when you configure Web applications that are hosted on Internet Information Services: http://support.microsoft.com/kb/929650
    Forcing NTLM Authentication (IIS 6.0): http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/7258232a-5e16-4a83-b76e-11e07c3f2615.mspx?mfr=true

    Thanks,
    Jinchun Chen


    Jinchun Chen(JC)
    TechNet Community Support

    Wednesday, October 2, 2013 8:45 AM
  • Hi Jinchun 
    
    It was about Kerberos authentication.
    
    I set 'Load User profile' to True in MDS Application pool\Advanced Settings 
    
    and uncheck 'Enable Kernel-mode authentication' in MDS site\Authentication\Windows authentication
    \Advanced settings
    
    Regards
    Zorko


     
    • Marked as answer by Zorko_ Wednesday, October 2, 2013 12:44 PM
    Wednesday, October 2, 2013 12:44 PM
  • I agree with the Kerberos findings, but I have to solve it by changing to NTLM authentication. I was unable to solve it by adding SPNs since I'm not a domain admin. The settings below did not resolve it without the SPNs either, but I think they will work if Kerberos settings are in place.

    Great Post Zorko_!


    Vinicius Paluch

    Tuesday, January 7, 2014 2:01 PM
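
The settings discussed in this thread can be audited in one pass with the WebAdministration module. The script below is an added example, not code from any of the posters; the site name `MDS` and host name `mds.contoso.example` are placeholder assumptions, and it must run elevated on the IIS server.

```powershell
# Added example: audit the IIS/Kerberos settings discussed in this thread.
# Assumptions: 'MDS' and 'mds.contoso.example' are placeholders for your site and host.
param(
    [string]$SiteName = 'MDS',
    [string]$HostName = 'mds.contoso.example',
    [switch]$ApplyThreadFix   # apply the two settings from the marked answer
)
Import-Module WebAdministration

$apphost  = 'MACHINE/WEBROOT/APPHOST'
$filter   = 'system.webServer/security/authentication/windowsAuthentication'
$poolName = (Get-Item "IIS:\Sites\$SiteName").applicationPool
$pm       = (Get-Item "IIS:\AppPools\$poolName").processModel

# Read one attribute of the site's <windowsAuthentication> element.
function Get-WinAuthAttr([string]$Name) {
    (Get-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
        -Filter $filter -Name $Name).Value
}

$state = [pscustomobject]@{
    Site                  = $SiteName
    AppPool               = $poolName
    IdentityType          = $pm.identityType
    UserName              = $pm.userName
    LoadUserProfile       = $pm.loadUserProfile
    WindowsAuthEnabled    = (Get-WinAuthAttr 'enabled')
    UseKernelMode         = (Get-WinAuthAttr 'useKernelMode')
    UseAppPoolCredentials = (Get-WinAuthAttr 'useAppPoolCredentials')
}
$state | Format-List

# With kernel-mode authentication on, HTTP.sys decrypts the Kerberos ticket with the
# machine account. A pool running as a domain user then returns 401 to Kerberos
# clients unless useAppPoolCredentials is true or kernel mode is off.
if ($state.IdentityType -eq 'SpecificUser' -and $state.UseKernelMode -and
    -not $state.UseAppPoolCredentials) {
    Write-Warning "Kernel mode on, pool runs as $($state.UserName), useAppPoolCredentials is false."
}

# Show which account (if any) holds the HTTP SPN for the name users browse to.
# Registering one is 'setspn -S HTTP/<host> <DOMAIN\account>' and needs rights on that account.
setspn -Q "HTTP/$HostName"

if ($ApplyThreadFix) {
    Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.loadUserProfile -Value $true
    Set-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
        -Filter $filter -Name useKernelMode -Value $false
}
```

Run it without `-ApplyThreadFix` first so the current state is recorded before anything changes.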