HTTP 401.2 Unauthorized error with Windows authentication from remote machine

My website has Windows Authentication enabled with Negotiate provider listed first as I want to use Kerberos for delegating. It works fine when I run the website from a browser on the web server itself. When I use IE from another machine in the domain, I get the login box. After 3 tries I get a HTTP 401.2 error: Unauthorized.

I've made sure the domain account used by the Application Pool has Read and Execute rights to the website folder, and so does the domain account I'm logging in under when hitting the website (and I've also thrown in 'Authenticated Users' for good measure).

Interestingly if I try to access the site using the web server's IP instead of the name, it loads fine.

Anyone have thoughts?

KripsterAtWork asked Jan 12 '23 13:01


2 Answers

One year after my first encountering this problem I've solved it.

Got the tip from http://blogs.technet.com/b/proclarity/archive/2011/03/08/useapppoolcredentials-true-with-kerberos-delegation-on-2008.aspx

Need to set useAppPoolCredentials="true" on the windowsAuthentication element in applicationHost.config (can set via IIS Manager)

    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="false" />
                <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
                    <providers>
                        <clear />
                        <add value="Negotiate" />
                    </providers>
                    <extendedProtection tokenChecking="None" />
                </windowsAuthentication>
            </authentication>
        </security>
    </system.webServer>
KripsterAtWork answered Jan 21 '23 19:01
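As an added diagnostic, not part of either answer, the following PowerShell checks the three things this thread touches on the web server: the site's Windows authentication settings, the application pool identity, and whether an HTTP SPN exists for the DNS name clients use. The site name, host name and the presence of setspn.exe and the WebAdministration module are assumptions.

```powershell
# Added example, not code from the original answers.
# Assumes IIS 7+, the WebAdministration module, domain membership and setspn.exe.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'        # assumption: site to inspect
$HostHeader = 'intranet.corp.example'   # assumption: DNS name typed by clients
$ApplyFix   = $false                    # set $true to switch useAppPoolCredentials on

$apphost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/security/authentication/windowsAuthentication'

# 1. Windows authentication settings for this site (the values from the answer above).
$winAuth   = Get-WebConfiguration -PSPath $apphost -Location $SiteName -Filter $filter
$providers = Get-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
                 -Filter "$filter/providers" -Name Collection | ForEach-Object { $_.value }
"windowsAuthentication enabled={0} useKernelMode={1} useAppPoolCredentials={2} providers={3}" -f `
    $winAuth.enabled, $winAuth.useKernelMode, $winAuth.useAppPoolCredentials, ($providers -join ',')

# 2. Identity the application pool runs as.
$site = Get-Item "IIS:\Sites\$SiteName"
$pool = Get-Item "IIS:\AppPools\$($site.applicationPool)"
$identityType = [string]$pool.processModel.identityType   # e.g. SpecificUser, NetworkService
$poolUser     = $pool.processModel.userName
"app pool '{0}' identityType={1} userName={2}" -f $pool.Name, $identityType, $poolUser

# 3. Is there an HTTP SPN for the DNS name? Kerberos tickets are only issued for
#    names that have an SPN; an IP address has none, which is why the IP URL "works"
#    (the client falls back to NTLM) while the DNS name fails.
$spnOut   = & setspn.exe -Q "HTTP/$HostHeader" 2>&1
$spnFound = [bool]($spnOut -match 'Existing SPN found')
"SPN HTTP/$HostHeader registered: $spnFound"
$spnOut | Where-Object { $_ -match '^(CN=|\s+HTTP/)' }   # object DN and its HTTP SPNs

# Diagnosis of the mismatch described in the thread: in kernel mode HTTP.sys decrypts
# tickets with the machine account unless useAppPoolCredentials is true, so an SPN
# registered on a custom domain account used by the app pool cannot be decrypted.
if (-not $spnFound) {
    "No SPN: register HTTP/$HostHeader on the account that must decrypt tickets."
} elseif ($identityType -eq 'SpecificUser' -and $winAuth.useKernelMode -and -not $winAuth.useAppPoolCredentials) {
    "Custom app pool account + kernel mode + useAppPoolCredentials=false: likely cause of 401.2."
    if ($ApplyFix) {
        Set-WebConfigurationProperty -PSPath $apphost -Location $SiteName -Filter $filter `
            -Name useAppPoolCredentials -Value $true
        "useAppPoolCredentials set to true for '$SiteName'."
    }
}
if ($providers -and $providers[0] -ne 'Negotiate') { "Negotiate is not the first provider; Kerberos will not be offered first." }
```

Run it in an elevated PowerShell on the web server; with `$ApplyFix` left at `$false` it only reports and changes nothing.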


The reason you're getting a 401.2 when using a DNS name is most likely due to the fact that you need to register the name you're using as a service principal name (SPN) in AD.

Here's a couple of links that should help you out:

Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5 http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx

Register a Service Principal Name for Kerberos Connections: http://technet.microsoft.com/en-us/library/ms191153.aspx

Tom Hall answered Jan 21 '23 20:01