locked
BAM Portal "Access is denied" 401.2 in BizTalk 2016 Dev (IIS7) RRS feed

  • Question

  • I have a fresh install of BT2016 Developer on Win2012/R2.

    I've seen this asked before, but didn't see clear answer, or if the question applied to 2016 or not. 
    My BAMAppPoolUser is a member of IIS_IUSRS (there is no IIS_WPG in IIS7). 

    For the Authentication settings I have "Anonymous Auth" Enabled and "ASO.NET Impersonation" Enabled and "Form Auth" Disabled. 

    I've granted read access to "D:\Program Files (x86)\Microsoft BizTalk Server 2016\BAMPortal" to IIS_USRS and my BAM App Pool account. 

    I've tried with Edge and Chrome browsers. I'm logged on with my personal account which is in ad\BTAdmin and local system admin. 

    Server Error in '/BAM' Application.

    Access is denied.

    Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.

    Error message 401.2.: Unauthorized: Logon failed due to server configuration.  Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server.  Contact the Web server's administrator for additional assistance.

    -----
    Examples from IIS Logs: 

    2017-04-18 19:26:24 fe80::65a0:cfd6:6532:aecd%12 GET /BAM - 80 - fe80::65a0:cfd6:6532:aecd%12 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729) - 401 5 0 359
    2017-04-18 19:37:33 fe80::65a0:cfd6:6532:aecd%12 GET /BAM - 80 - fe80::65a0:cfd6:6532:aecd%12 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729) - 401 5 0 15
    2017-04-18 19:37:37 fe80::65a0:cfd6:6532:aecd%12 GET /BAM - 80 - fe80::65a0:cfd6:6532:aecd%12 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729) - 401 5 0 0

    Thanks,

    Neal Walters 






    Tuesday, April 18, 2017 7:40 PM

Answers

  • I have a fresh install of BT2016 Developer on Win2012/R2.

    I've seen this asked before, but didn't see clear answer, or if the question applied to 2016 or not. 
    My BAMAppPoolUser is a member of IIS_IUSRS (there is no IIS_WPG in IIS7). 

    For the Authentication settings I have "Anonymous Auth" Enabled and "ASO.NET Impersonation" Enabled and "Form Auth" Disabled. 

    I've granted read access to "D:\Program Files (x86)\Microsoft BizTalk Server 2016\BAMPortal" to IIS_USRS and my BAM App Pool account. 

    I've tried with Edge and Chrome browsers. I'm logged on with my personal account which is in ad\BTAdmin and local system admin. 

    Server Error in '/BAM' Application.

    Access is denied.

    Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.

    Error message 401.2.: Unauthorized: Logon failed due to server configuration.  Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server.  Contact the Web server's administrator for additional assistance.

    -----
    Examples from IIS Logs: 

    2017-04-18 19:26:24 fe80::65a0:cfd6:6532:aecd%12 GET /BAM - 80 - fe80::65a0:cfd6:6532:aecd%12 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729) - 401 5 0 359
    2017-04-18 19:37:33 fe80::65a0:cfd6:6532:aecd%12 GET /BAM - 80 - fe80::65a0:cfd6:6532:aecd%12 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729) - 401 5 0 15
    2017-04-18 19:37:37 fe80::65a0:cfd6:6532:aecd%12 GET /BAM - 80 - fe80::65a0:cfd6:6532:aecd%12 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729) - 401 5 0 0

    Thanks,

    Neal Walters 






    Hi NEal,

    You have to have the Windows Authentication enabled for the BAM portal to work, once you enable the WindowsAuthentication, your user will be recognized and you will be able to access the portal as a usual website. You need not use ASP.NEt authentication for BAM portal, just Anaonymous and Windows authentication are sufficient. You need to enable the Windows authentication from the features of Windows first.


    Mandar Dharmadhikari


    Wednesday, April 19, 2017 3:00 AM
    Moderator
  • Working now.  Here are three screen shots. 

    1st two are to install the Feature on Win2012/R2.  Couldn't quite get all the boxes on one screen shot. 
    I turned on both BASIC and WINDOWS (because might need BASIC in the future for some other web services). 

    Third one is the IIS Authentication config after installing the feature. 

    Thanks for everyone's help. 

    Neal 

    • Marked as answer by Neal Walters Wednesday, April 19, 2017 2:52 PM
    Wednesday, April 19, 2017 2:24 PM

All replies

  • Hi Neal

    Can you try browsing to the BAM portal from another machine(not this BizTalk server) - so,

    http://<servername>/BAM/

    Also, did you review the below thread-

    https://social.msdn.microsoft.com/Forums/en-US/4b91dfa6-370c-4f16-9136-b89efda6684a/bam-portal-access-is-denied?forum=biztalkgeneral


    Thanks Arindam

    Wednesday, April 19, 2017 1:46 AM
    Moderator
  • I have a fresh install of BT2016 Developer on Win2012/R2.

    I've seen this asked before, but didn't see clear answer, or if the question applied to 2016 or not. 
    My BAMAppPoolUser is a member of IIS_IUSRS (there is no IIS_WPG in IIS7). 

    For the Authentication settings I have "Anonymous Auth" Enabled and "ASO.NET Impersonation" Enabled and "Form Auth" Disabled. 

    I've granted read access to "D:\Program Files (x86)\Microsoft BizTalk Server 2016\BAMPortal" to IIS_USRS and my BAM App Pool account. 

    I've tried with Edge and Chrome browsers. I'm logged on with my personal account which is in ad\BTAdmin and local system admin. 

    Server Error in '/BAM' Application.

    Access is denied.

    Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.

    Error message 401.2.: Unauthorized: Logon failed due to server configuration.  Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server.  Contact the Web server's administrator for additional assistance.

    -----
    Examples from IIS Logs: 

    2017-04-18 19:26:24 fe80::65a0:cfd6:6532:aecd%12 GET /BAM - 80 - fe80::65a0:cfd6:6532:aecd%12 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729) - 401 5 0 359
    2017-04-18 19:37:33 fe80::65a0:cfd6:6532:aecd%12 GET /BAM - 80 - fe80::65a0:cfd6:6532:aecd%12 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729) - 401 5 0 15
    2017-04-18 19:37:37 fe80::65a0:cfd6:6532:aecd%12 GET /BAM - 80 - fe80::65a0:cfd6:6532:aecd%12 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729) - 401 5 0 0

    Thanks,

    Neal Walters 






    Hi NEal,

    You have to have the Windows Authentication enabled for the BAM portal to work, once you enable the WindowsAuthentication, your user will be recognized and you will be able to access the portal as a usual website. You need not use ASP.NEt authentication for BAM portal, just Anaonymous and Windows authentication are sufficient. You need to enable the Windows authentication from the features of Windows first.


    Mandar Dharmadhikari


    Wednesday, April 19, 2017 3:00 AM
    Moderator
  • For the Authentication settings I have "Anonymous Auth" Enabled and "ASO.NET Impersonation" Enabled and "Form Auth" Disabled. 

    Integrated Authentication (ONLY) should be enabled. Anonymous and others (ASP.Net/Forms) should be disabled.

    Please remember that access to BAM Views is granted through AD Group Membership so it is critical that the client be authenticated and seeing as IE is the only supported browser, "Integrated Authentication" supporting NTLM and/or Kerberos is the only way to go.

    Regards.


    Wednesday, April 19, 2017 6:23 AM
  • Yes, I read that other post; that's why I listed all the various values in my post to show that I think I covered all those ideas. 


    Access from another machine gives this error: 

    401 - Unauthorized: Access is denied due to invalid credentials.

    You do not have permission to view this directory or page using the credentials that you supplied.

    Neal 

    Wednesday, April 19, 2017 1:40 PM
  • Below is what I see, no Windows Auth there.  Is that a separate feature that needs to be installed? 

    https://technet.microsoft.com/en-us/library/cc754628(v=ws.10).aspx

    Thanks,

    Neal 

    Wednesday, April 19, 2017 1:49 PM
  • HI Neal,

    You need to enable the Windows Authentication by selecting it in enable features on or off from your server. Refer sample screen shot for my Windows 8.1 features, you can enable in the same way for yor machine

    also refer below link

    https://technet.microsoft.com/en-us/library/cc754628(v=ws.10).aspx


    Mandar Dharmadhikari

    Wednesday, April 19, 2017 1:55 PM
    Moderator
  • Ok.  It's a new server.  Seems like that should have been in the prereqs or install notes.  I'll try it shortly. 

    Neal 

    Wednesday, April 19, 2017 2:09 PM
  • Working now.  Here are three screen shots. 

    1st two are to install the Feature on Win2012/R2.  Couldn't quite get all the boxes on one screen shot. 
    I turned on both BASIC and WINDOWS (because might need BASIC in the future for some other web services). 

    Third one is the IIS Authentication config after installing the feature. 

    Thanks for everyone's help. 

    Neal 

    • Marked as answer by Neal Walters Wednesday, April 19, 2017 2:52 PM
    Wednesday, April 19, 2017 2:24 PM