Getting 401 when connecting to an intranet via VPN connection

I have an internal web site available to domain users. When the user is local and logged into the domain they can access the site fine. When they are remote and connected to the network (but not logged into the domain) via VPN they get a "401 - Unauthorized: Access is denied due to invalid credentials." after being prompted for their credentials. Why wont it accept their credentials? I tried adding folder permissions but that didn't seem to help.

IIS config:
Anonymous Authentication = disabled
ASP.Net Impersonation = enabled     << my site needs to know who they are
Window Authentication = enabled

The server is win 2008 r2 running iis 7

Bob HoffmanDeveloperAsked:
Who is Participating?
page1985Connect With a Mentor Commented:
Double Hop generally occurs with CIFS/UNC shares and OS-level calls.  Unless the workstation that is using the VPN is joined to the domain (meaning, they're not remoting in from their home computer, they're doing it from a company computer), Internet Explorer will not use the VPN credentials because those aren't "Windows" credentials from the sense that they don't generate a standard Kerberos TGT (ticket granting ticket) like logging into the domain locally would.
What VPN solution is being used?

Can they ping the server by name?  Can they ping the site by name?  Do both pings resolve to the correct IP address?

Is there anything listed in the event logs on the web server?
Rainer JeschorCommented:
silly question but does this happen to all "external" users? Do the use "DOMAIN\Username" as username in the authentication pop up window?
(because most endusers are just entering the username part - not the login)
Perhaps its a also a configuration issue in regards to DisableLoopbackCheck, because the server has to do the authentication:

Could you verify the event log for further information / error messages?
What does the IIS log tell you?

Which 401 - there are multiple sub identifiers?

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Bob HoffmanDeveloperAuthor Commented:
>> VPN is SonicWall
>> yes I can ping the server by name, there's no site name it's a folder in the root
>> nothing in the event log or in the IIS logs

>> all users have the problem, the "Authentication Required" dialog pops-up, they key in DOMAIN\Username and password, hit log in, all the fields are blanked out, no error message or anything, do this 3 or 5 time then you get the 401 - Unauthorized: Access is denied due to invalid credentials." error.

>> if a user connects via the VPN, RDPs to another PC with their same cridentials and hits the URL from the RDP session everything works fine.

If you check the IIS log, does the VPN client's IP show up as the client address or does the IP on the internal interface of the SonicWall show up as the client?

It's possible that the VPN appliance is performing a proxy rather than direct passthrough.  The proxy component may be handling the traffic wrong if IIS is configured for Windows (Integrated) Authentication.  I'm not personally familiar with SonicWall, so I'm not sure if the product proxies or supports Integrated Authentication.
Vikram Singh SainiSoftware Engineer cum AD DeveloperCommented:

Some points:

1. Do the users who are trying to connect from remote are having their accounts in same domain?

If not then they would be ask for user name and password. Because perform windows authentication with the domain's existing users.

2. Sometimes windows authentication asks for user name and password. Because of browser security settings. Do you face the very same problem in specific browser or all. Because I faced this specific problem in IE.

3. I am not sure but looking to your scenario it seems to me the famous problem known as Double Hop attached with Windows Authentication.

For e.g. when user connects via VPN he/she enters the correct username and password. These username and password are ok. But then the VPN (I am still assuming as I have earlier shared that I am not so much well versed with VPN) makes call to the website resources or website on behalf of its some pre-existing user. So this type of request is termed as Double Hop.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.