Getting 401 when connecting to an intranet via VPN connection
I have an internal web site available to domain users. When the user is local and logged into the domain they can access the site fine. When they are remote and connected to the network (but not logged into the domain) via VPN they get a "401 - Unauthorized: Access is denied due to invalid credentials." after being prompted for their credentials. Why wont it accept their credentials? I tried adding folder permissions but that didn't seem to help.
IIS config:
Anonymous Authentication = disabled
ASP.Net Impersonation = enabled << my site needs to know who they are
Window Authentication = enabled
The server is win 2008 r2 running iis 7
Thanks.
IIS config:
Anonymous Authentication = disabled
ASP.Net Impersonation = enabled << my site needs to know who they are
Window Authentication = enabled
The server is win 2008 r2 running iis 7
Thanks.
Hi,
silly question but does this happen to all "external" users? Do the use "DOMAIN\Username" as username in the authentication pop up window?
(because most endusers are just entering the username part - not the login)
Perhaps its a also a configuration issue in regards to DisableLoopbackCheck, because the server has to do the authentication:
http://support.microsoft.com/kb/896861
Could you verify the event log for further information / error messages?
What does the IIS log tell you?
Which 401 - there are multiple sub identifiers?
HTH
Rainer
silly question but does this happen to all "external" users? Do the use "DOMAIN\Username" as username in the authentication pop up window?
(because most endusers are just entering the username part - not the login)
Perhaps its a also a configuration issue in regards to DisableLoopbackCheck, because the server has to do the authentication:
http://support.microsoft.com/kb/896861
Could you verify the event log for further information / error messages?
What does the IIS log tell you?
Which 401 - there are multiple sub identifiers?
HTH
Rainer
ASKER
>> VPN is SonicWall
>> yes I can ping the server by name, there's no site name it's a folder in the root
>> nothing in the event log or in the IIS logs
>> all users have the problem, the "Authentication Required" dialog pops-up, they key in DOMAIN\Username and password, hit log in, all the fields are blanked out, no error message or anything, do this 3 or 5 time then you get the 401 - Unauthorized: Access is denied due to invalid credentials." error.
>> if a user connects via the VPN, RDPs to another PC with their same cridentials and hits the URL from the RDP session everything works fine.
Thanks
>> yes I can ping the server by name, there's no site name it's a folder in the root
>> nothing in the event log or in the IIS logs
>> all users have the problem, the "Authentication Required" dialog pops-up, they key in DOMAIN\Username and password, hit log in, all the fields are blanked out, no error message or anything, do this 3 or 5 time then you get the 401 - Unauthorized: Access is denied due to invalid credentials." error.
>> if a user connects via the VPN, RDPs to another PC with their same cridentials and hits the URL from the RDP session everything works fine.
Thanks
If you check the IIS log, does the VPN client's IP show up as the client address or does the IP on the internal interface of the SonicWall show up as the client?
It's possible that the VPN appliance is performing a proxy rather than direct passthrough. The proxy component may be handling the traffic wrong if IIS is configured for Windows (Integrated) Authentication. I'm not personally familiar with SonicWall, so I'm not sure if the product proxies or supports Integrated Authentication.
It's possible that the VPN appliance is performing a proxy rather than direct passthrough. The proxy component may be handling the traffic wrong if IIS is configured for Windows (Integrated) Authentication. I'm not personally familiar with SonicWall, so I'm not sure if the product proxies or supports Integrated Authentication.
Hi,
Some points:
1. Do the users who are trying to connect from remote are having their accounts in same domain?
If not then they would be ask for user name and password. Because asp.net perform windows authentication with the domain's existing users.
2. Sometimes windows authentication asks for user name and password. Because of browser security settings. Do you face the very same problem in specific browser or all. Because I faced this specific problem in IE.
3. I am not sure but looking to your scenario it seems to me the famous problem known as Double Hop attached with Windows Authentication.
For e.g. when user connects via VPN he/she enters the correct username and password. These username and password are ok. But then the VPN (I am still assuming as I have earlier shared that I am not so much well versed with VPN) makes call to the website resources or website on behalf of its some pre-existing user. So this type of request is termed as Double Hop.
Some points:
1. Do the users who are trying to connect from remote are having their accounts in same domain?
If not then they would be ask for user name and password. Because asp.net perform windows authentication with the domain's existing users.
2. Sometimes windows authentication asks for user name and password. Because of browser security settings. Do you face the very same problem in specific browser or all. Because I faced this specific problem in IE.
3. I am not sure but looking to your scenario it seems to me the famous problem known as Double Hop attached with Windows Authentication.
For e.g. when user connects via VPN he/she enters the correct username and password. These username and password are ok. But then the VPN (I am still assuming as I have earlier shared that I am not so much well versed with VPN) makes call to the website resources or website on behalf of its some pre-existing user. So this type of request is termed as Double Hop.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Can they ping the server by name? Can they ping the site by name? Do both pings resolve to the correct IP address?
Is there anything listed in the event logs on the web server?