IIS Windows Integrated Auth, not passing domain\user
Ayyy, fixed it :)
Just needed to check "Enable Kernel-mode authentication" in the Authentication settings for Windows Authentication on the Application/login/ site.
I noticed it said to keep it enabled if using custom identities for the app pool.
user2983931
Updated on September 18, 2022
Comments
-
user2983931 (over 1 year ago)
I have two servers, both running IIS 7.5.
They both run the same version of a web-based application which occupies several app pools (it runs as lots of little services and the like).
I have an Excel plugin which connects to that application and can draw data out.
The only difference I know of between the two machines is that the working one runs all its app pools with the standard accounts (LocalSystem, ApplicationPoolIdentity, etc.).
The failing one uses specific service accounts for most of its app pools (mainly the ones used by the web application).
The crux of the issue seems to be that on the working machine the exchange is as follows:

    POST /Service/Hierarchy.svc - 80 - 10.100.69.49 - 200 0 0 0
    GET /Application/login/login.dll - 80 DOM\Account 10.100.69.49 - 200 0 0 140

and on the failing server:

    POST /Service/Hierarchy.svc - 80 - 10.100.69.49 - 200 0 0 0
    GET /Application/login/login.dll - 80 - 10.100.69.49 - 401 2 5 358

Note the account doesn't get passed.
All other settings that I can see are the same, except... the authentication settings on that Application/login/login.dll: on the working server it is Negotiate then NTLM; on the failing server, if I put it that way round, then other parts of the application stop working with 401 challenges wanting credentials.
Can anyone offer any advice on how to debug this?
Thanks.
Edit: here's a trimmed-down Wireshark capture of the failed attempt.

    GET /Application/login/login.dll HTTP/1.1
    Authorization: Negotiate YIILwgYGKwYBBQUCoIILtjCCC7KgM...etc
    Host: MachineName

    HTTP/1.1 401 Unauthorized
    Content-Type: text/html
    Server: Microsoft-IIS/7.5
    WWW-Authenticate: Negotiate oYGNMIGKoAMKAQGhC...etc
    WWW-Authenticate: NTLM
    X-Powered-By: ASP.NET
    Date: Wed, 20 Apr 2016 05:42:58 GMT
    Content-Length: 1293

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    ...html
    <title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
    ...html
    <div id="header"><h1>Server Error</h1></div>
    <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
    <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
    ...html

    GET /Application/login/login.dll HTTP/1.1
    Authorization: Negotiate oYILiTCCC4WgAwoBAa...etc
    Host: MachineName

    HTTP/1.1 401 Unauthorized
    Content-Type: text/html
    Server: Microsoft-IIS/7.5
    WWW-Authenticate: Negotiate oX8wfaADCgEBonYEdGByBgk...etc
    WWW-Authenticate: NTLM
    X-Powered-By: ASP.NET
    Date: Wed, 20 Apr 2016 05:42:58 GMT
    Content-Length: 1293

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    ...html
    <title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
    ...html
    <div id="header"><h1>Server Error</h1></div>
    ...html
    <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
    <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
    ...html
I know that the user in question has access to the URLs in the requests, so I can call /Application/login/login.dll manually.
Is

    GET /Application/login/login.dll HTTP/1.1
    Authorization: Negotiate YIILwgYGKwYBBQUCoIILtjCCC7KgM...etc
    Host: MachineName

where it tries to pass the username? Could this be failing, and is that why I don't see the user being passed?
Thanks again.
Edit:
I'm seeing KRB5KRB_AP_ERR_MODIFIED in Wireshark, which wasn't there before; also, in the details it is listing the ServiceAccount which runs the AppPool.
So I'm thinking it might be related to this: Windows Authentication KRB5KRB_AP_ERR_MODIFIED
-
Greg Askew (about 8 years ago): You need to confirm with a packet capture or Fiddler if the server is sending the WWW-Authenticate response, and if the client is sending the Authenticate: XXX request. More info here: blogs.msdn.microsoft.com/benjaminperkins/2011/09/14/…
-
user2983931 (about 8 years ago): Cheers Greg, I've added a capture; it looks like it is trying to auth?
-
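The fix in the accepted answer works because of which account decrypts the client's Kerberos service ticket. The Excel plugin requests a ticket for HTTP/MachineName; unless an SPN has been registered on the service account, that SPN resolves to the machine account. With kernel-mode authentication on, http.sys decrypts the ticket with the machine account and it succeeds regardless of the app pool identity; with it off, the worker process tries to decrypt with the app pool's service account, which does not hold the ticket's key, and the decryption failure surfaces as KRB5KRB_AP_ERR_MODIFIED and a 401 with no user logged. The script below is an added example, not code from the original post: it audits the relevant IIS settings and the app pool identity, checks the service account's SPNs with setspn, and applies the poster's fix (re-enable kernel mode). It assumes an elevated PowerShell session on the IIS 7.5+ server with the WebAdministration module; the site name and application path are placeholders guessed from the URLs in the post and must be changed to match the server.

```powershell
# Added example (not from the original post). Audits Windows Authentication
# settings behind a Kerberos KRB5KRB_AP_ERR_MODIFIED / 401 loop and applies
# the poster's fix. Assumed: elevated session, WebAdministration module,
# setspn.exe available (ships with Windows Server), placeholder site names.
Import-Module WebAdministration

$SiteName = 'Default Web Site'          # assumed
$AppPath  = 'Application'               # assumed app hosting /Application/login/login.dll
$Location = "$SiteName/$AppPath/login"  # path where Windows Authentication is configured
$Filter   = 'system.webServer/security/authentication/windowsAuthentication'
$AppHost  = 'MACHINE/WEBROOT/APPHOST'
$ApplyFix = $false                      # set to $true to enable kernel-mode auth

function Get-WinAuthState {
    param([string]$Location)
    $wa = Get-WebConfiguration -PSPath $AppHost -Location $Location -Filter $Filter
    $providers = (Get-WebConfiguration -PSPath $AppHost -Location $Location -Filter "$Filter/providers").Collection |
        ForEach-Object { $_.value }
    [pscustomobject]@{
        Location              = $Location
        Enabled               = [bool]$wa.enabled
        UseKernelMode         = [bool]$wa.useKernelMode          # the setting the poster re-enabled
        UseAppPoolCredentials = [bool]$wa.useAppPoolCredentials  # decrypt with pool identity even in kernel mode
        Providers             = ($providers -join ', ')          # e.g. "Negotiate, NTLM"
    }
}

function Get-AppPoolIdentity {
    param([string]$SiteName, [string]$AppPath)
    $poolName = (Get-WebApplication -Site $SiteName -Name $AppPath).applicationPool
    $pool = Get-Item "IIS:\AppPools\$poolName"
    [pscustomobject]@{
        AppPool      = $poolName
        IdentityType = [string]$pool.processModel.identityType  # ApplicationPoolIdentity, NetworkService, SpecificUser, ...
        UserName     = [string]$pool.processModel.userName      # DOMAIN\account, only for SpecificUser
    }
}

function Get-AccountSpns {
    param([string]$Account)
    # setspn -L lists the SPNs registered on the account; keep only the class/host lines
    (& setspn.exe -L $Account 2>$null) | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^[A-Za-z]+/' }
}

$auth = Get-WinAuthState -Location $Location
$id   = Get-AppPoolIdentity -SiteName $SiteName -AppPath $AppPath
$auth | Format-List
$id   | Format-List

# Which account will decrypt the ticket? Kernel mode OFF, or useAppPoolCredentials ON,
# means the worker process (app pool identity) must hold the key for HTTP/<host>.
$decryptsAsPool = (-not $auth.UseKernelMode) -or $auth.UseAppPoolCredentials

if ($id.IdentityType -eq 'SpecificUser' -and $decryptsAsPool) {
    $short = $env:COMPUTERNAME
    $fqdn  = [System.Net.Dns]::GetHostEntry($short).HostName
    $spns  = @(Get-AccountSpns -Account $id.UserName)
    $hasSpn = $spns | Where-Object { $_ -match "^HTTP/($short|$fqdn)$" }

    if (-not $hasSpn) {
        Write-Warning "Pool '$($id.AppPool)' runs as $($id.UserName) and must decrypt HTTP/$short tickets,"
        Write-Warning "but that account has no HTTP/$short or HTTP/$fqdn SPN. Expect KRB5KRB_AP_ERR_MODIFIED."
        Write-Warning "Fix A (what the poster did): enable kernel-mode authentication so the machine account decrypts."
        Write-Warning "Fix B: setspn -S HTTP/$fqdn $($id.UserName) (and HTTP/$short), keep useAppPoolCredentials=true."
        if ($ApplyFix) {
            Set-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $Filter `
                -Name useKernelMode -Value $true
            Write-Host "useKernelMode enabled at $Location; re-test and recapture with Wireshark."
        }
    } else {
        Write-Host "SPN present on $($id.UserName): $($hasSpn -join ', '). Look elsewhere (duplicate SPNs: setspn -X)."
    }
} else {
    Write-Host "Ticket is decrypted by the machine account; a Kerberos key mismatch is unlikely here."
}
```

Fix B is the right choice when several servers behind one hostname share the same service account (the machine account differs per server, so kernel mode alone cannot decrypt a ticket issued for the shared name); on a single server, Fix A is the smaller change and matches what the poster reported. Whichever is applied, the Negotiate provider must stay first in the provider list for Kerberos to be attempted at all, and `setspn -X` is worth running once, since a duplicate HTTP/host SPN on two accounts produces the same decryption failure.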