Zack (ASKER)

IIS Authentication Error 401

Hi EE,

Users are having issues connecting to our intranet website (error and IIS authentication method attached).

Troubleshooting so far:

- I can connect to the site remotely via my own credentials
- IIS ACL privileges read/modify/execute for the site's files are assigned to the same groups the users are a part of.

Any assistance is appreciated.

Thank you.
401-Error.PNG
IIS-Auth-Method.PNG

Dan McFadden

Have you checked to see if the users that are receiving the 401 error have issues with their AD accounts?

Can you verify the web server's SPNs?

Reference link:  https://blogs.msdn.microsoft.com/webtopics/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-07-5/

Dan

Zack (ASKER)

Hi Dan,

I can verify the server's SPN.

'Have you checked to see if the users that are receiving the 401 error have issues with their AD accounts?'

They can log in just fine and don't have any issues accessing their applications/intranet/printers. What should I check for?

Thank you.

Dan McFadden

How is the application's AppPool configured? What Identity is it set to use? Does the AppPool identity have access to the content?

Dan

Zack (ASKER)

Hi Dan,

Please see the attached pic.

What do you mean by "Does the AppPool identity have access to the content?"

Thank you.
IIS-App-Pool-metadata.PNG

Zack (ASKER)

Hi Dan,

I tried to add the IIS_APPPOOL user to the site folder as per the following article:

https://serverfault.com/questions/81165/how-to-assign-permissions-to-applicationpoolidentity-account

But nothing appears. I am running Windows Server 2008 R2.

Thank you.

Dan McFadden

Is "your" account a Domain or Server Admin?

Have you written the application or is this from a 3rd party? It would be helpful to know if the application is using Pass Thru Authentication.

Reference link:  Pass Thru Auth -  https://technet.microsoft.com/en-us/library/cc730708(WS.10).aspx

Can you post the application's web.config?

I mentioned the AppPool Identity because if the webapp is not built to use Pass Thru Auth, the webapp is using the identity of the AppPool to access the content.  If that ID does not have permissions, it could block access.

IIS Built In User & Group info:  https://www.iis.net/learn/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis

Dan

Zack (ASKER)

Hi Dan,

Server administrator. I will get the information for the rest of your queries tomorrow.

Any particular sections of the web.config you want me to post?

Thank you.

Dan McFadden

The whole file will do.

Is this a custom in-house written app or is it from a 3rd party?

Dan

Zack (ASKER)

Hi Dan,

The application is produced by a 3rd party and doesn't use pass-through authentication according to the vendor.

Attached is the web config.

Would installing basic authentication on the IIS server potentially resolve the issue?

https://www.iis.net/configreference/system.webserver/security/authentication/basicauthentication

Thank you.
web.config

Dan McFadden

Since this is a 3rd party vendor application, what is their recommended authentication setting? Is this a new install or has the app suddenly started acting up?

In order for me to make recommendations about what authentication method to use, I would need to know more about the application. My expectations would be that the vendor should make these recommendations since they wrote the app.

Since the vendor is saying no pass thru is being used, that means the application is running in the context of the identity of the AppPool that is supporting the web application.

The next place to look would be in the http logs to see what is throwing the 401 errors.  Do you have http logging enabled as well as all the fields being included?  Can you post some https logs?

Dan
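
The log check Dan asks for above, as an added example that is not part of the original thread: it reads the W3C `#Fields:` header to confirm that the user name, status and sub-status fields are being logged, then tallies 401 responses by sub-status. The sample log lines, paths and user names are constructed, and the sub-status meanings are the standard IIS 7.x ones.

```python
from collections import Counter

# IIS 7.x sub-status codes for HTTP 401 (standard IIS status code meanings).
SUBSTATUS_401 = {
    "1": "logon failed",
    "2": "logon failed due to server configuration",
    "3": "unauthorized due to ACL on resource",
    "4": "authorization failed by filter",
    "5": "authorization failed by ISAPI/CGI application",
}
DIAG_FIELDS = ("cs-username", "sc-status", "sc-substatus", "sc-win32-status")

# Constructed sample log (not the IIS.log attached to the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2018-01-10 01:02:03 GET /intranet/default.aspx - 10.0.0.21 401 2 5
2018-01-10 01:02:03 GET /intranet/default.aspx - 10.0.0.21 401 1 2148074254
2018-01-10 01:02:04 GET /intranet/default.aspx EXAMPLE\\jdoe 10.0.0.21 401 3 5
2018-01-10 01:02:09 GET /intranet/default.aspx EXAMPLE\\asmith 10.0.0.22 200 0 0
"""

def analyze(log_text):
    """Return (missing diagnostic fields, Counter of 401s keyed by (uri, user, substatus))."""
    fields, missing, hits = [], list(DIAG_FIELDS), Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The field list can change mid-file when logging settings are edited.
            fields = line.split()[1:]
            missing = [f for f in DIAG_FIELDS if f not in fields]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            if row.get("sc-status") == "401":
                hits[(row.get("cs-uri-stem", "?"), row.get("cs-username", "?"),
                      row.get("sc-substatus", "?"))] += 1
    return missing, hits

def report(log_text):
    """Format the analysis as one line per (uri, user, sub-status) group."""
    missing, hits = analyze(log_text)
    lines = ["fields not logged: " + (", ".join(missing) or "none")]
    for (uri, user, sub), n in sorted(hits.items()):
        meaning = SUBSTATUS_401.get(sub, "see IIS status code reference")
        lines.append(f"{n}x 401.{sub} {uri} user={user}: {meaning}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A 401.2 followed by a 401.1 with no user name is the normal challenge sequence of Windows authentication, while a 401.3 against a named user points at file-system permissions on the content.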

Zack (ASKER)

Hi Dan,

I initially contacted the vendor with the issue; they are unsure. According to them, I have the correct IIS settings.

I will post the HTTPS logs tomorrow.

Thank you.

Zack (ASKER)

Hi Dan,

My apologies for the delays on this matter; I had to fly interstate (Cisco router issue), so I was unable to troubleshoot further. I have tried looking at the HTTPS logs; things are being logged, but the 401 error doesn't appear anywhere.

Any ideas?

Thank you.

Dan McFadden

Can you post some of the log file entries? It will give me a better idea of what an http request is trying to do.

Dan

Zack (ASKER)

Hi Dan,

Please see the attached.

Thank you.
IIS.log

ASKER CERTIFIED SOLUTION
Dan McFadden

This solution is only available to members.

Zack (ASKER)

Thank you very much for your assistance. I took this back to the vendor and am working on the issue now.