Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Most Strange IIS Windows Authentication behavior

I have an ASP.NET website running on Windows Server R2 in a corporate network, using Windows Authentication.

  • The app pool of the website is using a domain account and in Integrated pipeline mode.
  • The authentication is set Windows Authentication, all other authentication modes are disabled.

However, this does not work. Every time I access the website, it pops up a dialog asking for user name and password. I enter the correctly domain user name and password, but it does not continue--the windows pops up again. After three times, it fails and displays a white page. I tried with many different browsers, bu all of them fail. I asked some colleagues to try and they all got failure, too.

I cannot figure out why this error is happening and tried many ways to fix it with no luck. I think it is very strange. However, finally I found a way to fix this problem, this is the most strange part of the problem: I edit the "Physical path" in "Basic Settings" of the website, I just point it to another healthy website, for instance, %SystemDrive%\inetpub\wwwroot, then I try to browse the website, very good, it runs well and displays the default page (iisstart.htm). It looks like it is not very helpful, but then I change the physical path back to my website; suddenly everything goes well -- the windows authentication works! I do not know why it helps, but I am happy with this result -- it fixes my problem though I do not know what the heck is happening.

The happy time is always short, several days later, the server got some patches and restarted, the website can't work again. And again, I can fix the problem using the trick above.

I do not like this! I do not like doing this stupid trick every time IIS resets or the server restarts.

Is there anyone who has some ideas on why windows authentication fails, and why the aforementioned trick can fix it, and why after an IIS reset it fails again?

like image 984
user378895 Avatar asked Jun 29 '10 11:06

user378895


3 Answers

First off, THANK YOU for creating this post. I have the exact same issue and could not find anyone else without posting the obvious fixes that were of no avail to me. I had been working on this for almost two weeks

To assist the next poor soul that encounters this issue and post, I hope my extra tidbits help.

Your initial solution did not fix my issue in my case, but it did prove that it was custom error page related. After pasting in your code into web.config my problem got worse and I was not able to debug or launch the page (had 500 internal server error related to web.config)

BUT finally what I did was go into the IIS Console and remove all of my custom error pages. It still did not work as had hoped. BUT, I also found entries for ASP.NET ".NET Custom Errors" in the top half of the site console (and the "custom errors" tag in web.config). I had old entries in there and removed them via console, and YESSSS, my site came back to normal with Windows Authentication.

I have since recreated the IIS Custom Errors and I am still up and running as designed.

SO to anyone else that may have this issue, check both ASP.NET Custom Errors AND IIS Custom Errors settings. Maybe there is a conflict, I dont know, but in my case having only the IIS pages set fixed me up (for now :-) )

like image 195
Steve Fink Avatar answered Oct 13 '22 21:10

Steve Fink


I just found it seems caused by custome 401 error pages under "Error Pages". I set it to execute an URL when the status code is 401 in my web.config, it looks like:

 <httpErrors errorMode="Custom">  <remove statusCode="401" subStatusCode="-1"/>     <error statusCode="401" path="/Error/AccessDenied" responseMode="ExecuteURL"/>  </httpErrors> 

Then every time I reset IIS and try to access this website, the problem appears. If I delete it in Web.Config or delete from IIS console, then the problem disappears, what is more funny is another experiment: after I deleted this settings and have been successful opening the website, I added this setting back. Everything works very well. Every domain user can access this website, those that failed passing authorization get the customer error page.

So my solution now is I removed this setting in my Web.Config, every time I reset IIS or restart the server, the server admin need to hit the website first, and then add this customer error page in IIS console.

I feel this is a bug of II7.5 on Windows Server 2008 R2.

like image 44
user378895 Avatar answered Oct 13 '22 21:10

user378895


I was also struggling with this same issue all my day. I am using windows authentication and Custom error setting in web.config for 401 errors. After I reset the IIS, the website stop accepting domain users and windows authentication pop up reappear again and again.

I added remove tag in the web.config file with Sub status code.

<httpErrors>
          <remove statusCode="401" subStatusCode="-1" />
          <remove statusCode="401" subStatusCode="1" />
            <error statusCode="401" subStatusCode="-1" path="/Custom401.aspx" responseMode="ExecuteURL" />          
            <error statusCode="401" subStatusCode="1" path="/Custom401_1.aspx" responseMode="ExecuteURL" />
        </httpErrors>

Previously remove tag was only present for substatus code -1 but missing for sub status code "1" . After i added it, everything started woking properly.

In the above post, substatus code is missing for error tag, that could be the cause of the problem. There should be remove tag for all 401 errors there.

like image 22
Gaurav Kumar Avatar answered Oct 13 '22 21:10

Gaurav Kumar