[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

HTTP Error 401 - Unauthorized: Access is denied due to invalid credentials

Posted on 2009-02-18
7
Medium Priority
?
10,184 Views
Last Modified: 2013-11-21
- IIS7
- Win2008
- Terminal Services (remote apps)
- Logged onto an XP computer as Admin, on the same domain that the server is on.

Browsing to - http://10.10.10.1/ts
webpage appears fine

Browsing to http://desktop.st-marks.uk/ts 
fails with above error.

PING the 'desktop.st-marks' address and it indeed resolves to 10.10.10.1.
Firewall on server OFF for testing

Any ideas?
0
Comment
Question by:Pete
  • 4
  • 3
7 Comments
 
LVL 22

Expert Comment

by:cj_1969
ID: 23671876
Are you connecting from the machine that has IIS on it or from another machine?
The error makes me think that the server is using local credentials (and allowing it) when accessing it by IP and that when using the FQDN that it is defaulting to trying to authenticate against the domain ... and your local credentials are not working, causing the error.

See if accessing the machine with just the  name of them achine (not using the domain) works.
0
 
LVL 1

Author Comment

by:Pete
ID: 23672492
I am connecting from a machine on the network (not the server that has iis).
on the iis server http://servername/ts works, but http://desktop.st-marks/ts gives the 401 error.
Another note - my 2 machines (work and from home) that I have been using for testing since the start of the project are working fine using the desktop.st-marks address. I have installed 3 x CAL (per device) would that have made any difference? My TS Licensing config is shown as 'no errors' but once connected from a client the licenses on the server never show as actually being used, but 3 x TEMPORARY PER DEVICE CAL show as being used. Maybe it should be per user CAL? maybe not related at all?
0
 
LVL 22

Expert Comment

by:cj_1969
ID: 23673142
I just realized that ts=terminal services.
My guess is that this is a ts configuration issue.

Ok, theory here ... but from reading this page ... http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/b88241c0-cc72-4cc9-8c3c-31156cfec0d5/  ... my guess is that the application has created bindings in its configuration file to the machine name.  You will need to find out where that configuration is (check control panels and see if there is a config option for the app there) and add the FQDN as something that the application is to respond to.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 22

Expert Comment

by:cj_1969
ID: 23673188
0
 
LVL 1

Author Comment

by:Pete
ID: 23676067
it is now working from everywhere after enabling 'basic authentication' on the TS virtual dir. what are the security implications of doing this?
0
 
LVL 22

Accepted Solution

by:
cj_1969 earned 2000 total points
ID: 23681103
The problem is the domain reference ... I can tell from the problem that this does not match your AD domain name, which is why basic authentication is working.

The problem ... the external domain name you are using is being considered an Internet domain and as such the browser will not pass the logged in credentials in an encrypted form, it will only do this for Intranet sites.

The security implication is that you are now passing the login ID and password in clear text across the Internet ... anyone getting on a LAN segment that your packets are traversing could sniff the packets as you are logging in and get the credentials.

To resolve this there are two things you can do:
1. (The preferred method) Add the domain to the intranet zones for all machines on your network.
2. Connect via SSL.  This will provide encryption for the data stream so that the packets will be encrypted even though the data flowing through the stream is not.
0
 
LVL 1

Author Comment

by:Pete
ID: 23709905
I understand the rpoblem now, and adding the site seems a simple fix - however:
still gives the 401 error after closing and ALT-F5 on IE7 etc
 
Thanks again
0

Featured Post

NEW Veeam Backup for Microsoft Office 365 1.5

With Office 365, it’s your data and your responsibility to protect it. NEW Veeam Backup for Microsoft Office 365 eliminates the risk of losing access to your Office 365 data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Know what services you can and cannot, should and should not combine on your server.
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question