HTTP Error 401.2 - Unauthorized
You are not authorized to view this page due to invalid authentication headers.
Some new users to my web site cannot log on due to 401.2 and 401.1 errors. Other new users connect without any issue. Users have the DoD CAC smartcard and they are valid for logging into their workstations. All the certificates point to the same root authority, DOD Root 3, but have different intermediate certificates which are DOD CA 38 to DOD CA 51. Users with intermediate certificates numbered 48 or higher get the 401.2 error and cannot log in.
I assume the problem is the more recent intermediate certificates are not installed or configured correctly. I installed the most recent certs from the cert authority using their tool, InstallRoot.exe. MMC confirmed the intermediate certs are in the Certificates (Local Computer) -> Intermediate Certification Authorities -> Certificates.
The server uses the Axway tool to validate certificates. In the Application Event Log for the attempt, it said "Revocation Status: Good" so I assume my OCSP and its cache are set up correctly.
After every 401.2 error is a 401.1 error. The sc-win32-status for the 401.1 error is -1073741715. Is that number significant?
The detailed configuration description:
I am using IIS 7.5 on Windows Server 2008 R2. I set up the web server and the web site to require a smartcard to open the web site. To that end I set up iisClientCertificateMappingAuthentication with manyToOneMappings. I set up three new users the same way. Two of three new users cannot log in and get both a 401.2 (sc-status=401 sc-substatus=2 sc-win32-status=5) and a "Can't reach this page" with Error Code: INET_E_DOWNLOAD_FAILURE.
IIS Log Entries
Here are the IIS log entries for a successful user, First IP, and a failed user, Second IP. The 500 error for sc-win32-status=64 (the "specified network name is no longer available") is the same for successful and unsuccessful logins.
time            c-ip       cs-username      s-port  cs-method  cs-uri-stem           sc-status  sc-substatus  sc-win32-status  time-taken
1/1/2000 19:32  Second IP                   443     GET        /                     401        2             5                1734
1/1/2000 19:32  Second IP                   443     GET        /                     500        0             64               16
1/1/2000 19:31  Second IP                   443     GET        /                     401        1             -1073741715      2
1/1/2000 19:31  Second IP                   443     GET        /                     401        2             5                2011
1/1/2000 19:31  Second IP                   443     GET        /                     500        0             64               118
1/1/2000 19:30  First IP   Server\Username  443     GET        /LoginController.asp  200        0             0                17
1/1/2000 19:30  First IP   Server\Username  443     POST       /EntryBanner.asp      302        0             0                4
1/1/2000 19:30  First IP   Server\Username  443     GET        /EntryBanner.asp      200        0             0                22
1/1/2000 19:30  First IP   Server\Username  443     GET        /                     200        0             0                4164
1/1/2000 19:30  First IP                    443     GET        /                     500        0             64               637
In the System Event Log, the 500 error generates two entries with source of Schannel for every login attempt, successful and unsuccessful:
The certificate received from the remote client application is not suitable for direct mapping to a client system account, possibly because the authority that issuing the certificate is not sufficiently trusted. The error code is 0x80090325. The attached data contains the client certificate.
The certificate received from the remote client application was not successfully mapped to a client system account. The error code is 0xc0000192. This is not necessarily a fatal error, as the server application may still find the certificate acceptable.
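Added example (not part of the question, and not Microsoft or Axway code): a small Python triage script that parses IIS W3C extended log lines like the ones in the question, converts the signed sc-win32-status field into its unsigned hex form (IIS logs NTSTATUS and HRESULT values as signed 32-bit decimals, which is why -1073741715 looks odd; masked, it is 0xC000006D, the value the Windows SDK headers name STATUS_LOGON_FAILURE), and flags clients whose requests show a 401.2 followed by a 401.1 without ever reaching a 2xx. The code names in the lookup table come from the SDK headers, not from the page; the 10.0.0.x addresses, the W3C date/time format, and the "-" for an empty cs-username are constructed to stand in for "First IP" and "Second IP".

```python
from collections import defaultdict

# Constructed sample: the requests from the question rewritten as IIS W3C
# Extended log lines. 10.0.0.1 stands in for "First IP" (the user who gets in),
# 10.0.0.2 for "Second IP" (the user who gets 401.2 / 401.1). An empty
# cs-username is written "-", as IIS itself does.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status sc-substatus sc-win32-status time-taken
2000-01-01 19:32:00 10.0.0.2 - 443 GET / 401 2 5 1734
2000-01-01 19:32:00 10.0.0.2 - 443 GET / 500 0 64 16
2000-01-01 19:31:00 10.0.0.2 - 443 GET / 401 1 -1073741715 2
2000-01-01 19:31:00 10.0.0.2 - 443 GET / 401 2 5 2011
2000-01-01 19:31:00 10.0.0.2 - 443 GET / 500 0 64 118
2000-01-01 19:30:00 10.0.0.1 Server\\Username 443 GET /LoginController.asp 200 0 0 17
2000-01-01 19:30:00 10.0.0.1 Server\\Username 443 POST /EntryBanner.asp 302 0 0 4
2000-01-01 19:30:00 10.0.0.1 Server\\Username 443 GET /EntryBanner.asp 200 0 0 22
2000-01-01 19:30:00 10.0.0.1 Server\\Username 443 GET / 200 0 0 4164
2000-01-01 19:30:00 10.0.0.1 - 443 GET / 500 0 64 637
"""

# Well-known Win32 / NTSTATUS / security-package codes keyed by unsigned value.
# Names are from the Windows SDK headers; the question only shows the numbers.
KNOWN_CODES = {
    0x00000000: "ERROR_SUCCESS",
    0x00000005: "ERROR_ACCESS_DENIED",
    0x00000040: "ERROR_NETNAME_DELETED",  # "specified network name is no longer available"
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000192: "STATUS_NETLOGON_NOT_STARTED",  # second Schannel event in the question
    0x80090325: "SEC_E_UNTRUSTED_ROOT",  # first Schannel event in the question
}


def decode_status(value):
    """Map a logged sc-win32-status (or event-log error code) to (unsigned value, name).

    IIS writes the field as a signed 32-bit decimal, so NTSTATUS/HRESULT values
    with the high bit set show up negative; masking restores the usual hex form.
    """
    unsigned = int(value) & 0xFFFFFFFF
    return unsigned, KNOWN_CODES.get(unsigned, "UNKNOWN")


def parse_iis_log(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields: directive."""
    fields = None
    entries = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log line before #Fields: directive")
        entries.append(dict(zip(fields, line.split())))
    return entries


def cert_auth_failures(entries):
    """Return {client IP: decoded 401.1 status} for clients that never authenticated.

    A client counts as failed when it produced both a 401.2 (sc-win32-status 5,
    access denied) and a 401.1 (logon failed, whose sc-win32-status carries the
    NTSTATUS from the mapping/logon attempt) and no 2xx at all. The 500/64 rows
    from a dropped connection appear for every client and are ignored.
    """
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["c-ip"]].append(
            (int(e["sc-status"]), int(e["sc-substatus"]), int(e["sc-win32-status"]))
        )
    failed = {}
    for ip, codes in by_ip.items():
        statuses = {(s, sub) for s, sub, _ in codes}
        succeeded = any(200 <= s < 300 for s, _, _ in codes)
        if (401, 2) in statuses and (401, 1) in statuses and not succeeded:
            ntstatus = next(w for s, sub, w in codes if (s, sub) == (401, 1))
            failed[ip] = decode_status(ntstatus)
    return failed


if __name__ == "__main__":
    for ip, (code, name) in cert_auth_failures(parse_iis_log(SAMPLE_LOG)).items():
        print(f"{ip}: client-certificate logon failed, 401.1 status 0x{code:08X} ({name})")
```

Run against a real log directory the same parser works unchanged, since it reads the column layout from the #Fields: line rather than assuming one; only the constructed SAMPLE_LOG is specific to this question.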