Getting 401 when connecting to an intranet via VPN connection

Posted on 2012-08-25
Last Modified: 2012-08-30
I have an internal web site available to domain users. When the user is local and logged into the domain they can access the site fine. When they are remote and connected to the network (but not logged into the domain) via VPN they get a "401 - Unauthorized: Access is denied due to invalid credentials." after being prompted for their credentials. Why won't it accept their credentials? I tried adding folder permissions but that didn't seem to help.

IIS config:
Anonymous Authentication = disabled
ASP.Net Impersonation = enabled     << my site needs to know who they are
Windows Authentication = enabled

The server is win 2008 r2 running iis 7

Question by:HBHoffman
    LVL 6

    Expert Comment

    What VPN solution is being used?

    Can they ping the server by name?  Can they ping the site by name?  Do both pings resolve to the correct IP address?

    Is there anything listed in the event logs on the web server?
    LVL 44

    Expert Comment

    by:Rainer Jeschor
    Silly question, but does this happen to all "external" users? Do they use "DOMAIN\Username" as the username in the authentication pop-up window?
    (because most end users are just entering the username part - not the login)
    Perhaps it's also a configuration issue in regards to DisableLoopbackCheck, because the server has to do the authentication:

    Could you verify the event log for further information / error messages?
    What does the IIS log tell you?

    Which 401? There are multiple sub-identifiers.

    LVL 8

    Author Comment

    >> VPN is SonicWall
    >> yes I can ping the server by name, there's no site name it's a folder in the root
    >> nothing in the event log or in the IIS logs

    >> all users have the problem, the "Authentication Required" dialog pops up, they key in DOMAIN\Username and password, hit log in, all the fields are blanked out, no error message or anything, do this 3 or 5 times then you get the "401 - Unauthorized: Access is denied due to invalid credentials." error.

    >> if a user connects via the VPN, RDPs to another PC with their same credentials and hits the URL from the RDP session everything works fine.

    LVL 6

    Expert Comment

    If you check the IIS log, does the VPN client's IP show up as the client address or does the IP on the internal interface of the SonicWall show up as the client?

    It's possible that the VPN appliance is performing a proxy rather than direct passthrough.  The proxy component may be handling the traffic wrong if IIS is configured for Windows (Integrated) Authentication.  I'm not personally familiar with SonicWall, so I'm not sure if the product proxies or supports Integrated Authentication.
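    The two checks raised in this thread, which 401 sub-status IIS is actually returning and whether requests arrive from the VPN client's own address or from a single gateway address, can both be read straight out of the W3C log. The following Python parser is an added example, not code from the thread or from IIS; the log excerpt, addresses, user name and timings in it are constructed for the example, and the sub-status meanings are the documented IIS 7 values for HTTP 401.

```python
"""Summarise 401 responses in an IIS 7 W3C log by client IP and sub-status."""
from collections import Counter, defaultdict

# Constructed sample in the IIS W3C extended format; the addresses, user and
# timings are invented for this example and are not from the original thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-08-25 14:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-08-25 14:00:01 10.0.0.5 GET /intranet/ - 80 - 192.168.100.20 Mozilla/4.0 401 2 5 15
2012-08-25 14:00:02 10.0.0.5 GET /intranet/ - 80 - 192.168.100.20 Mozilla/4.0 401 1 5 31
2012-08-25 14:00:05 10.0.0.5 GET /intranet/ - 80 CORP\\jdoe 10.0.0.77 Mozilla/4.0 200 0 0 12
2012-08-25 14:00:09 10.0.0.5 GET /intranet/ - 80 - 192.168.100.20 Mozilla/4.0 401 1 5 28
2012-08-25 14:00:14 10.0.0.5 GET /intranet/ - 80 - 192.168.100.20 Mozilla/4.0 401 1 5 27
"""

# IIS 7 sub-status meanings for HTTP 401 (documented IIS values).
SUBSTATUS_MEANING = {
    "1": "logon failed",
    "2": "logon failed due to server configuration",
    "3": "unauthorized due to ACL on resource",
    "4": "authorization failed by filter",
    "5": "authorization failed by ISAPI/CGI application",
}


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue            # other directives: Software, Version, Date
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()   # IIS never emits embedded spaces; they become '+'
        if len(values) != len(fields):
            continue            # skip truncated lines rather than mis-align columns
        records.append(dict(zip(fields, values)))
    return records


def summarize_401(records):
    """Return {client_ip: {substatus: count}} for every 401 in the records."""
    per_client = defaultdict(Counter)
    for r in records:
        if r.get("sc-status") == "401":
            per_client[r["c-ip"]][r["sc-substatus"]] += 1
    return {ip: dict(c) for ip, c in per_client.items()}


def distinct_clients(records):
    """Sorted list of client addresses seen. One address shared by many remote
    users points at the VPN appliance proxying rather than passing traffic through."""
    return sorted({r["c-ip"] for r in records})


def repeated_logon_failures(summary, min_failures=3):
    """Clients that hit 401.1 (logon failed) at least min_failures times."""
    return sorted(ip for ip, subs in summary.items() if subs.get("1", 0) >= min_failures)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    summary = summarize_401(recs)
    for ip, subs in summary.items():
        for sub, n in sorted(subs.items()):
            print(f"{ip}: {n}x 401.{sub} ({SUBSTATUS_MEANING.get(sub, 'unknown')})")
    print("clients seen:", distinct_clients(recs))
    print("repeated logon failures:", repeated_logon_failures(summary))
```

    Run against a real log under the server's `inetpub\logs\LogFiles` directory, a single 401.2 followed by 200 is the normal Windows Authentication challenge; a run of 401.1 from the same client, with `cs-username` still `-`, means the credentials were sent and rejected, which is the pattern described in the question. If every remote user shows up under one `c-ip`, the appliance is terminating the connection itself.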
    LVL 16

    Expert Comment

    by:Vikram Singh Saini

    Some points:

    1. Do the users who are trying to connect remotely have their accounts in the same domain?

    If not, then they would be asked for a user name and password, because Windows authentication is performed against the domain's existing users.

    2. Sometimes Windows authentication asks for a user name and password because of browser security settings. Do you face the very same problem in a specific browser or in all of them? Because I faced this specific problem in IE.

    3. I am not sure, but looking at your scenario it seems to me like the famous problem known as Double Hop that comes with Windows Authentication.

    For e.g. when the user connects via VPN he/she enters the correct username and password. These username and password are OK. But then the VPN (I am still assuming, as I have earlier shared that I am not so well versed with VPN) makes the call to the website resources or website on behalf of some pre-existing user of its own. This type of request is termed as Double Hop.
    LVL 6

    Accepted Solution

    Double Hop generally occurs with CIFS/UNC shares and OS-level calls.  Unless the workstation that is using the VPN is joined to the domain (meaning, they're not remoting in from their home computer, they're doing it from a company computer), Internet Explorer will not use the VPN credentials because those aren't "Windows" credentials in the sense that they don't generate a standard Kerberos TGT (ticket granting ticket) like logging into the domain locally would.
