I am have been fighting this error in IIS 7.5 for sometime now, and no solution I find seems to help. As I understand it, a 401.2 error means that the browser and the site in IIS are using two different types of authentication.
I have two Web Services hosted in IIS 7.5. Web Service A makes a call to Web Service B. This is where the 401.2 error happens. Both Web Services have Windows Authentication Enabled with 401 Challenge. The only enabled provider on each is NTLM. The Web.Config for both services is set up to have
<authentication mode="Windows" />
Here is what the call from Web Service A to WebService B looks like:
WebServiceB.Credentials = new System.Net.NetworkCredential("ValidUser", "ValidPW", "ValidDomain");
var output = WebServiceB.DoSomething(input); //Throws 401 WebException
As far as I can tell, both the Web Services and IIS sites should be using Windows Authentication, and nothing but Windows Authentication, yet I continue to get these 401.2 errors. Why?
I guess it is related to double-hop issue. Pleae try with delegation of creditential to second call.
May be the following link help you. Please have a look at it.
How can I fix the Kerberos double-hop issue?
this turned out to be an issue with the way the user was configured with a third party software. Thank you for all of your responses.
Related
I hosted few applications in IIS (Version:10) with Kerberos authentication. And all web applications are configured under a single web site.
Only windows authentication is enabled.
What I observed is I get 401 followed by 200 for every request.
And the expectation is 401 for the first call, then 200 for all subsequent calls from same client to same api since its already authenticated.
I tried applying authPersistSingleRequest="false" for windows authentication.
Note: This was done after referring to 3 requests for every resource (2 x 401.2 and 1 x 200) in a windows authenticated asp.net mvc app
Then I can see that one api (web application) is working as expected now. And we still have issue with other api(in a different web application).
Can anyone help me to understand if there are any other settings apart from what I mentioned above to make it working as expected.
Make sure you configured the spn account properly with the application pool.
Open IIS Manager and select the Configuration Editor.
In the dropdown menu select system.webServer > security > authentication > windowsAuthentication
set useAppPoolCredentials to True.
In Internet explorer add the site address to the list of trusted websites and specify Automatic logon with a current user name and password in User Authentication -> Logon in Trusted Zones Sites settings.
Refer below link for more detail:
Troubleshoot Kerberos failures in Internet Explorer
We have a Microsoft Dynamics CRM app on Windows Server 2012.
There is anonymous/Windows auth on server.
When we make iisreset or just restart server there is some chance to make server inaccesable with 401 error.
This behaviour is strange at minimum because on server and app level there is anonymous auth and in other cases it works perfectly.
Solutions that we tryed:
another iisreset
not working
disable then enable Windows Authorization in iis settings
strange but works
In Event Viewer we not found anything interesting.
Is there any approach to identify problem (debug/trace Window Authorization module)?
What this can be?
I have a Java Web App which is integrated with Azure AD. Now when I run the app locally, everything works fine.
But When I deploy the WAR file to the Azure App Service, the authentication redirection seems to be going in an infinite loop.
The application is running in loop between login.microsoftonline.com and mysite.azurewebsites.net.
I have read in blog posts that this happens with OWIN cooke in .Net , but not sure if this is case with Java as well.
All the traffic is through HTTPS only, but still the issue exists.
Is there any setting in Azure Portal to overcome this ?
Owin middleware is only available for .NET, so yes, we cannot fault that.
The redirect would be triggering from the portion of your code that evaluates a condition like 401 Unauthorized and constructs an authentication Url and redirects the user to that.
I'd suggest you enable as much diagnostics as possible and look into logs to..
Azure AD is sending the tokens in response as expected and not an error
The code acceptig/parsing these tokens is working correctly
I am in the process of trying to implement Single Sign On for our classic asp parts of our site that run on a separate server. I have already implemented the php SSO on our other server using simpleSAMLphp. I am attempting to use shibboleth right now for the classic asp / IIS side of things. I have made it as far as getting to the login page of our Identity Provider, but once I authenticate I get stuck at /SAML2/POST and a webpage saying that the ip address of my server cannot be found. I have tried implementing fixes I found in forums but still have not made any progress. I am wondering if there is another tool that I could try to implement SSO with classic asp with? I am open to any suggestions at this point.
Shibboleth supports IIS using "native module" package (iis7_shib.dll).
Check this https://wiki.shibboleth.net/confluence/display/SP3/IIS for further information.
I'm getting this error message on only one of the two nodes in my web farm. The code is identical between the two nodes and as best I can tell, IIS is set up identically on both nodes.
The WCF service that they're calling is on a different machine and doesn't have permissions locked down to anything crazy.
Both nodes are using anonymous authentication and forms authentication. Both have the default user for their app pools both have the IUSR account for the anonymous user. What else can I check to get node 2 in line with node 1? As I said, the code is identical across both servers and everything I've looked at in IIS is the same too. I'm sure there is some other setting in IIS on node 2 that I'm not aware of so if you can think of any other places to look, I'd really appreciate it.
Again this is the exception being thrown (on node 2 only)
System.ServiceModel.FaultException: The request for security token
could not be satisified because authentication failed.
TIA
I changed the app pool identity and that seems to have fixed it. No idea why as they were both using the same identity before...