We have a Microsoft Dynamics CRM app on Windows Server 2012.
There is anonymous/Windows auth on server.
When we make iisreset or just restart server there is some chance to make server inaccesable with 401 error.
This behaviour is strange at minimum because on server and app level there is anonymous auth and in other cases it works perfectly.
Solutions that we tryed:
another iisreset
not working
disable then enable Windows Authorization in iis settings
strange but works
In Event Viewer we not found anything interesting.
Is there any approach to identify problem (debug/trace Window Authorization module)?
What this can be?
Related
So I have developed an API with Windows Authentification. When I ran the project with Visual's Studio IIS Express - endpoint's secured with:
[Authorize(AuthenticationSchemes = IISDefaults.AuthenticationScheme)]
In services I have registered:
services.AddAuthentication(IISDefaults.AuthenticationScheme);
get's the current Windows user, which I can access through HttpContextAccessor.
After I have published the app to Windows Server (HTTPS enabled) with IIS 10 running when I am trying to access protected endpoints I just get Login Prompt and it doesn't matter what I enter in it, it goes away only if I cancel.
My Site settings in Windows IIS Server, Windows Auth uses Negotiate Provider:
Application pool settings:
Is there anything I can do to fix this? If this post lacks some other information, please, let me know, I will edit it.
When you enable anonymous authentication and authentication at the same time, iis will use anonymous authentication, so you need to disable anonymous authentication and try again.
I have this situation where the main domain requires Anonymous Authentication while the sub-domain can only accept Windows Authentication for my app to work.
Currently, I can only do one or the other on IIS. Basically, in my service it's expecting WindowsIdentity and unless it's coming through Windows Authentication it'll becomes ClaimsIdentity. I want to ensure that the identity of this request is a Windows and is authenticated.
I've tried enable Anonymous Authentication and Windows Authentication for the main domain and disabled Anonymous Authentication & enabled Windows Authentication for sub-domain.
Folder and site structure:
Folder
inetpub
/myservice
/wwwroot
/mysubdomain
In IIS
Default Web Site
/myservice
/wwwroot
/mysubdomain
I made the request via http://localhost/myservice/mysubdomain. If I publish my service as IIS in Visual Studio 2019, Windows Authentication works but Anonymous Authentication doesn't. If I publish my service as myservice project then Anonymous Authentication works but Windows Authentication doesn't.
I have this sorted out. It's not the ideal solution I wanted but it worked around my problem. I had to change my app to accept only Windows Authentication.
I am encountering the following issue when trying to configure an intranet ASP.NET site in IIS 8.5 for Windows authentication. I have the IIS Windows authentication provider settings set to:
Negotiate
NTLM
This works great for Windows-based browsers - users are logged in seamlessly. Mac-based browsers don't seem to support the Negotiate protocol; when accessing my site you are prompted for your domain credentials. Even when responding with correct credentials, the browser responds to the authentication challenge with "NTLM xxxxxxx...". IIS doesn't like this and always responds with a 401. This sends the browser into an authentication loop where you are prompted for your credentials endlessly. If you click "Cancel" (depending on which browser you are in), you will finally get a 401 response (not very useful).
If I modify the settings and remove the "Negotiate" provider, I am still prompted when accessing the site from a Mac browser, but this time the NTLM challenge succeeds and I can authenticate. The problem with this is I am now getting an authentication prompt from Windows browsers as well.
Is there a way to get around this (do I have Windows authentication misconfigured)? I am fine with having to answer a credential prompt from the Mac but as the vast majority of my users will be accessing from Windows, I would prefer they still get the "invisible" log on experience.
If I'm understanding your question correctly; Safari/Apple doesn't support Windows Authentication. Basic Authentication needs to be enabled within IIS in order for Safari to login.
I am have been fighting this error in IIS 7.5 for sometime now, and no solution I find seems to help. As I understand it, a 401.2 error means that the browser and the site in IIS are using two different types of authentication.
I have two Web Services hosted in IIS 7.5. Web Service A makes a call to Web Service B. This is where the 401.2 error happens. Both Web Services have Windows Authentication Enabled with 401 Challenge. The only enabled provider on each is NTLM. The Web.Config for both services is set up to have
<authentication mode="Windows" />
Here is what the call from Web Service A to WebService B looks like:
WebServiceB.Credentials = new System.Net.NetworkCredential("ValidUser", "ValidPW", "ValidDomain");
var output = WebServiceB.DoSomething(input); //Throws 401 WebException
As far as I can tell, both the Web Services and IIS sites should be using Windows Authentication, and nothing but Windows Authentication, yet I continue to get these 401.2 errors. Why?
I guess it is related to double-hop issue. Pleae try with delegation of creditential to second call.
May be the following link help you. Please have a look at it.
How can I fix the Kerberos double-hop issue?
this turned out to be an issue with the way the user was configured with a third party software. Thank you for all of your responses.
I develop web app, which cooperates with to TFS2012. In my local machine its works fine, but when i deploy on server i get the following exception:
[WebException: The remote server returned an error: (401) Unauthorized.]
System.Net.HttpWebRequest.GetResponse() +6440920
Microsoft.TeamFoundation.Client.Channels.TfsHttpWebRequest.SendRequestAndGetResponse(HttpWebRequest webRequest, WebException& webException) +195
My connect to TFS Code:
_collection = TfsTeamProjectCollectionFactory.GetTeamProjectCollection(new Uri("http://xxx/tfs/TestPrjects/"));
_collection.EnsureAuthenticated();
_store = _collection.GetService<WorkItemStore>();
my web-config:
<system.web>
<customErrors mode="Off"></customErrors>
<authentication mode="Windows"/>
...
<system.web>
in ISS i activate Windows authorization:
Where is my mistake?
The details you are using to access TFS are incorrect.
The reason it works on your local machine is because the webserver is running as you, who has access to TFS. On the IIS server it's running as the app pool user, which won't have access.
Potential Solutions
Run the app pool as a user that has access to TFS (or grant the current user access)
This is ok for read only access, but if you're writing back to items you may want to not go down this route
Enable delegation so the code that connects to TFS is run as the currently authenticated windows user
This is much harder to do and only works in internet explorer out of the box. Firefox users can change a setting and Chrome users need to start chrome with a commandline switch.
wrap a using(WindowsIdentity.GetCurrent().Impersonate()) {} around your code that uses TFS and ensure you are using CredentialCache.DefaultNetworkCredentials to connect to TFS.
Use the TFS Server API
Be naughty and use server instead of the client api. The server API writes directly to the db and doesn't need to impersonate a user. I highly doubt this is a supported path and you won't find much information on it. However it still needs to run as a user with access to the db (like option 1, but supports updates as windows authed users)