Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

HTTP 401.2 Unauthorized error with Windows authentication from remote machine

Tags:

http

authentication

windows

iis

kerberos

My website has Windows Authentication enabled with Negotiate provider listed first as I want to use Kerberos for delegating. It works fine when I run the website from a browser on the web server itself. When I use IE from another machine in the domain, I get the login box. After 3 tries I get a HTTP 401.2 error: Unauthorized.

I've made sure the domain account used by the Application Pool has Read and Execute rights to the website folder, and so does the domain account I'm logging in under when hitting the website (and I've also thrown in 'Authenticated Users' for good measure).

Interestingly if I try to access the site using the web server's IP instead of the name, it loads fine.

Anyone have thoughts?

like image 244
KripsterAtWork Avatar asked Jan 12 '23 13:01

KripsterAtWork

2 Answers

One year after my first encountering this problem I've solved it.

Got the tip from http://blogs.technet.com/b/proclarity/archive/2011/03/08/useapppoolcredentials-true-with-kerberos-delegation-on-2008.aspx

Need to set useAppPoolCredentials="true" on the windowsAuthentication element in applicationHost.config (can set via IIS Manager)

    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="false" />
                <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
                    <providers>
                        <clear />
                        <add value="Negotiate" />
                    </providers>
                    <extendedProtection tokenChecking="None" />
                </windowsAuthentication>
            </authentication>
        </security>
    </system.webServer>
like image 160
KripsterAtWork Avatar answered Jan 21 '23 19:01

KripsterAtWork

The reason you're getting a 401.2 when using a DNS name is most likely due to the fact register the name you're using as a service principle name (SPN) in AD.

Here's a couple of links that should help you out:

Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5 http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx

Register a Service Principal Name for Kerberos Connections: http://technet.microsoft.com/en-us/library/ms191153.aspx

like image 30
Tom Hall Avatar answered Jan 21 '23 20:01

Tom Hall
Sign in to Comment

Related questions

How to write python code to access input and output from a program written in C?
Windows 7 Profile Default Image Files Location
How to add a column(check Box) in DataGridView
Why is FileStream and CopyFile so much slower than Windows Explorer?
Is it possible to call WinMain from regular main?
calling npm from webstorm commad line tool
How to align output to center of screen - C++?
How to remap keyboard key in c++ with LowLevelKeyboardProc?
C# Cancel Windows Shutdown
Assigning folder permissions to "ALL APPLICATION PACKAGES" group
Java application will run from CMD and Eclipse but not double click
How to figure out the 'Public DNS Name' from within an Amazon EC2 instance?
Qt 5.1.0 on Windows using minGW 4.8 taking a really long time to debug
Open an Event object created by my service from my application
Build Lua 5.2.2 in Windows
FORFILES date -after- (date calc in cmd file)
How to output errors to a log file in powershell when copying files
Setting mongodb editor path in mongorc on windows
Visual Basic Capture output of cmd
Are AUMID's (Application User Model ID's) unique?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!