Most Strange IIS Windows Authentication behavior - iis

I have an ASP.NET website running on Windows Server R2 in a corporate network, using Windows Authentication.
The app pool of the website is using a domain account and in Integrated pipeline mode.
The authentication is set Windows Authentication, all other authentication modes are disabled.
However, this does not work. Every time I access the website, it pops up a dialog asking for user name and password. I enter the correctly domain user name and password, but it does not continue--the windows pops up again. After three times, it fails and displays a white page. I tried with many different browsers, bu all of them fail. I asked some colleagues to try and they all got failure, too.
I cannot figure out why this error is happening and tried many ways to fix it with no luck. I think it is very strange. However, finally I found a way to fix this problem, this is the most strange part of the problem: I edit the "Physical path" in "Basic Settings" of the website, I just point it to another healthy website, for instance, %SystemDrive%\inetpub\wwwroot, then I try to browse the website, very good, it runs well and displays the default page (iisstart.htm). It looks like it is not very helpful, but then I change the physical path back to my website; suddenly everything goes well -- the windows authentication works! I do not know why it helps, but I am happy with this result -- it fixes my problem though I do not know what the heck is happening.
The happy time is always short, several days later, the server got some patches and restarted, the website can't work again. And again, I can fix the problem using the trick above.
I do not like this! I do not like doing this stupid trick every time IIS resets or the server restarts.
Is there anyone who has some ideas on why windows authentication fails, and why the aforementioned trick can fix it, and why after an IIS reset it fails again?

First off, THANK YOU for creating this post. I have the exact same issue and could not find anyone else without posting the obvious fixes that were of no avail to me. I had been working on this for almost two weeks
To assist the next poor soul that encounters this issue and post, I hope my extra tidbits help.
Your initial solution did not fix my issue in my case, but it did prove that it was custom error page related. After pasting in your code into web.config my problem got worse and I was not able to debug or launch the page (had 500 internal server error related to web.config)
BUT finally what I did was go into the IIS Console and remove all of my custom error pages. It still did not work as had hoped. BUT, I also found entries for ASP.NET ".NET Custom Errors" in the top half of the site console (and the "custom errors" tag in web.config). I had old entries in there and removed them via console, and YESSSS, my site came back to normal with Windows Authentication.
I have since recreated the IIS Custom Errors and I am still up and running as designed.
SO to anyone else that may have this issue, check both ASP.NET Custom Errors AND IIS Custom Errors settings. Maybe there is a conflict, I dont know, but in my case having only the IIS pages set fixed me up (for now :-) )

I just found it seems caused by custome 401 error pages under "Error Pages". I set it to execute an URL when the status code is 401 in my web.config, it looks like:
<httpErrors errorMode="Custom">
<remove statusCode="401" subStatusCode="-1"/>
<error statusCode="401" path="/Error/AccessDenied" responseMode="ExecuteURL"/>
</httpErrors>
Then every time I reset IIS and try to access this website, the problem appears. If I delete it in Web.Config or delete from IIS console, then the problem disappears, what is more funny is another experiment: after I deleted this settings and have been successful opening the website, I added this setting back. Everything works very well. Every domain user can access this website, those that failed passing authorization get the customer error page.
So my solution now is I removed this setting in my Web.Config, every time I reset IIS or restart the server, the server admin need to hit the website first, and then add this customer error page in IIS console.
I feel this is a bug of II7.5 on Windows Server 2008 R2.

I was also struggling with this same issue all my day. I am using windows authentication and Custom error setting in web.config for 401 errors.
After I reset the IIS, the website stop accepting domain users and windows authentication pop up reappear again and again.
I added remove tag in the web.config file with Sub status code.
<httpErrors>
<remove statusCode="401" subStatusCode="-1" />
<remove statusCode="401" subStatusCode="1" />
<error statusCode="401" subStatusCode="-1" path="/Custom401.aspx" responseMode="ExecuteURL" />
<error statusCode="401" subStatusCode="1" path="/Custom401_1.aspx" responseMode="ExecuteURL" />
</httpErrors>
Previously remove tag was only present for substatus code -1 but missing for sub status code "1" . After i added it, everything started woking properly.
In the above post, substatus code is missing for error tag, that could be the cause of the problem. There should be remove tag for all 401 errors there.

I just spent a couple of hours digging up a solution to this problem.
Why IE fails yet the other browsers succeed: IE tries to use Kerberos authentication and the other browsers don't try. The others use NTLM.
Solution: In the situation described in the question, a domain account was being used in the App Pool. Simple solution: switch to using the "Network Service" account. More complex solution: You have to register a service principal name (SPN). Read this article (ignore the fact that it is talking about IIS 6 because it also works fine on IIS 7 and 7.5) - You receive an "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials" error message when you try to access a Web site.
I hope this helps. It gave me a headache until I stumbled upon that article. (Thanks to Paul Lynch who posted the link Windows Authentication Failing in IE8 but not Firefox)

I had this same problem on my Windows 2008 R2 server. I did not have custom 401 error pages. I did use aliased server names (via DNS CNAME records and host header entries on the IIS bindings). I registered the SPNs for Kerberos as suggested, but that did not solve the problem. I resolved it by disabling "Kernel Mode Authentication" (click on the server in the IIS tree -> double-click on Authentication under the IIS group -> click on Windows Authentication -> click on Advanced Settings on the Actions pane -> Uncheck the checkbox -> click OK -> run iisreset). The information on that dialog box recommends against disabling Kernel Mode Authentication when using non-standard service accounts for the application pool identity, but that didn't apply to us since we're using the standard ApplicationPoolIdentity identity.

I had the same issue.. Turnes out I should not have messed with my hostfile.. I changed my hostfile and pointed some fancy address to my machine like so:
www.givemeyourcredentials.com 127.0.0.1
I added a binding to the site "www.givemeyourcredentials.com". I typed in the addres in my addressbar and the site prompted my credentials as expected.. Typed in my credentials and got prompted for my credentials again.. And again and again and again..
Turns out: Bind your website to http://localhost when using windows authentication in an IIS site. That did the trick for me.
Hope this helps somebody...

Add "NT Service\trustedInstaller" to physical folder of the site. Location for this user is local machine name.

The NTLM protocol that is used for Integrated Windows authentication requires a two-step process to authenticate clients. The behavior that is mentioned in the "Symptoms" section occurs when the following conditions are true:
The application pool recycles after the first step of the Integrated Windows authentication process.
However, the application pool recycles before the second step of the Integrated Windows authentication process.
To work around this behavior and to reduce the frequency of these error messages, configure the application pool to recycle less frequently. To configure application pool recycling, follow these steps:
Click Start, click Run, type inetmgr, and then click OK.
Expand the name of the computer on which you want to configure application pool recycling, and then expand Application Pools.
Right-click the application pool that you want to configure, and then click Properties.
On the Recycle tab, configure one of the metrics so that IIS recycles less frequently.
Note IIS 6 application pools support several metrics. These metrics include the time elapsed, the number of requests, and the specified time to recycle an application pool. If an application pool has a metric that causes the application pool to recycle frequently, you will experience this issue more frequently.
Click OK.
[ Copied from https://support.microsoft.com/en-us/kb/902160 for posterity ]

Related

Problems regarding White Screen Of Death (WSOD) at my site

I have a problem regarding White Screen Of Death (WSOD) at my site.
I will try to explain what I have tried until now.
I know it is not a triviel error to debug, but maybe some of you have tried something similar.
Here is the setup: One Windows Server 2019 v1809 with one IIS: 10.0.17763.1.
Multiple websites with associated application pools.
It's a MVC solution, and we are using .net 4.7.2.
What I have tried:
Recycled application pools every night
Restarted the server every night
Issued a IISReset every night
Deleted temporary files in C:\Windows\Microsoft.NET\
Looked at the IIS logs
Looked at the application log, our own log
Looked at the Windows log
Searched the Internet for similar problems
Made sure there always were some traffic at the website
Made sure no errors were shown when pressing F12 in the browser, the site always returs code 200
The WSOD comes at varies times, and not all the sites are affected at the same time.
A manuel recycle of the website always helps.
My question is, have any of you encounted similar problems?
And how did you solve it?
If you need more information please ask, and I will try to provide it.
/Regards Søren
This kind of problem is very unusual in IIS, because there is almost no record and useful information in the log file.
You can try to use this plan to repair IIS.
Unregister all the versions of ASP.NET with command "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis –ua". and the framework 64 also versions. 3.0 and 3.5... etc
Delete ASPNET account from "Local Users and Group – Users".
reregister ASP.NET with IIS using "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis –i". and framework64... net 3, 3.5 etc
Give permissions to the ASPNET account using "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis –ga machinename\ASPNET". for framework 32 and 64 and versions.
Reset IIS .

NTLM on IIS 8.5 on Server 2012, second web site failing

Maybe you'll be able to help me out.
My situation is this:
We are migrating to from Win2003 to Win2012. We've got multiple web sites configured on the 2003 box and we can browse to each of the different names no problem at all, using Windows Integrated.
Well, we just fired up a Windows 2012 and started migrating to it but running into an ntlm 401 issue (log says specifically 401.2.5).
Changing the names to protect the innocent here:
Server Name: Server
going to http://server/apps/asmx/servivce.asmx works fine.
We have a second IP assigned to a new the same box, on port 80, but configured so we can go to http://conapps/apps/asmx/service.asmx. That should work, and return a simple wsdl, but it doesn't.
if we go to http://conapps/apps/anonymous/asmx/service.asmx, it works fine.
I've gone into the authentication tab, and have windows Integrated (and NTLM bubbled up to the top) but I keep getting the 401 errors. Ironcially, if I set anonymous on, it works as expected.
As I said, if I take the default web site, and configure it to point to the same physical files on the disk, it works fine. It's only when I try to go to the secondary name do I have problems.
So, anybody have any ideas what I might be missing?

Keyset does not exist / Identity invalid

Note: I've found several questions similar on here, but the one's that were resolved did not work for me. So I thought I'd open a new question.
I rebooted our server 2012 box, which hosts our new .net applications. After doing so, I started receiving a 503 error. Upon investigation, it seemed like an identity problem.
Before going much further, I should state that this account has worked for several months now. I've rebooted before, and everything started fine.
So I'm getting the (quite common) 5059, 5057, and 5021 errors in the log. They boil down to this:
The identity of application pool SVFileUpload is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.
I thought I would just ensure the password and account were correct, so I go to the application pool, select identity-> custom and ensure it's set up right. I get an error:
There was an error while performing this operation. Details: Keyset does not exist (Exception from HRESULT: 0x80090016)
This was strange to me, so I tried setting the app pool to a built in account, and it worked fine. I get this error anytime I try to set to a custom account. Also, no app pools that are using custom accounts will run.
I googled a bit, unsure which error was the one I needed to track. I have tried:
registering the account on the command line via the aspnet_ tool
Making sure the user was in the IIS_IUSRS group
changing the permissions on C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys file(s)
adding a completely new user and trying to set an app pool to that users account
There was a couple other random things I tried from googling but I don't remember.
This error doesn't make sense to me, and it seems random. I need help figuring out 1) why I can't set an app pool to a custom account and 2) why the identity isn't working for my applications anymore
-Edit
I recently removed and re-added the user account I've been working with. I think that solves that problem. The problem remaining is I can't update the application pool because of the "keyset does not exist" error.
I found a couple of links that led me to a solution.
In c:\windows\system32\inetsrv\config\applicationHost.config I removed all the configProtectedData entries.
Then I removed everything in %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys
I ran iissetup.exe /install SharedLibraries from the inetsrv directory, which resulted in a "Failed = 0x80070005"
I then was able to set up my application pools as if nothing happened.
See also https://techcommunity.microsoft.com/t5/IIS-Support-Blog/Keyset-does-not-exist-exception-from-HRESULT-0x8009000D-or-or/ba-p/342955 for a more detailed explanation
I ran the iisreset command and my problem was sovled
I had the same error-message because my user was not member of the "Local Administrators" group.
I was able to connect to the server because I was member of the "Remote Desktop Users" group.
I was able to open IIS Management and to change settings, but when I clicked on the "OK" or "Save" button - I got the "Keyset does not exist" - error message.
So my advice - check if you are an administrator.
I tried to change the Identity of Application Pool on a remote server and it failed with the above error.
I RDP into the remote machine and then tried to update the Identity using local IIS Manager and it worked.
For anyone on Windows server 2008 stumbling into this error:
this may occur when you are managing the IIS instance from another server using the remote management feature ('connect to another computer').
I resolved by managing the IIS instance from the server itself.
https://support.microsoft.com/en-hk/help/977754/-keyset-does-not-exist-error-message-when-you-try-to-change-the-identi
Since I am working on a fresh server I was able to uninstall the IIS Windows Feature and then re-add it.
I was able to change the App Pool Identity after that with no issues.
delete the rsa found here C:\Users\usernamn\AppData\Roaming\Microsoft\Crypto\RSA
MAKE A BACKUP JUST TO BE SURE WORKED FOR ME

IIS ApplicationPoolIdentity 503 error

I've recently ported to a different hosting company (VDS), and on the new server, installed IIS 7.5 Express, latest versions of PHP and MySQL.
I then copied the files from the old server to new server (NOTHING beyond the content of the folders of my websites, so no config files or anything except the web.configs in the sites themselves), set-up websites. I've tried to visit a website, and I got a 503 Service Unavailable message, tried both remotely and locally at the server, no change.
Tried on every site, even on Default Web Site, and no change: still 503.
I've checked the permissions to the folders of the websites (and all the children), and both my account, Network Service, Administrators have effectively full control of all the contents.
All the apps run in DefaultAppPool, which runs under ApplicationPoolIdentity. Tried creating a new app pool, moving sites there, no luck, tried setting "Load User Profile" to False in pool settings (read it here HTTP Error 503 on IIS 7.5 after SP Install), no change.
The event viewer in an extremely detailed way says:
"A process serving application pool 'DefaultAppPool' terminated unexpectedly. The process id was '2356'. The process exit code was '0xfffffffe'."
and nothing else. Five times of this error, and the pool is shut down due to rapid protection. I restart the pool, try again, nothing changes. No matter I'm trying to get an .aspx, .php, or static content. Here is the most weird part: when I set the app pool to run under LocalSystem, it works. No problem. But everything else fails.
I've checked the website folders about ten times, changed, erased, re-added rights etc tried everything but no change. It's as if there is another file that I'm forgetting to check that the pool's user is unable to access. But the event viewer does not help me. This started with the new server and I tried after installing everything, so I can't tell after what this started happening. I obviously won't be running under LocalSystem. Even my own user, Administrator, doesn't work.
The only identity that works is LocalSystem. My user, LocalService, NetworkService, ApplicationPoolIdentity all fail the same way. I'm going crazy, I'm 99% sure this is a user-rights issue. But all the website files are accessible, and I haven't changed anything in the system32 inetconfig or anywhere.
Ok, found my own answer again.
The process w3wp.exe runs under the DefaultAppPool user, not NETWORK SERVICE. I don't know why it doesn't run under NETWORK SERVICE, but after some research it turned out that the process needed access to C:\Windows\System32\inetsrv\config\schema and giving NETWORK SERVICE access didn't change anything. I've by coincidence found somewhere about the DefaultAppPool user, gave read permissions, and by starting the pool, all my websites started working perfectly. Quite weird, I always thought that the IIS processes ran under NETWORK SERVICE by default, and I'm sure that I haven't changed any setting.
Try running below commands with some changes
appcmd set apppool /apppool.name: <YourAppPoolHavingIssuesHere> /managedRuntieVersion:v<.net Framework version here>

SharePoint 2010 HttpModule problem

I'm trying to write an HttpModule to run on our SharePoint farm - essentially it will check whether the user is authenticated and if they are it will validate some info against another database and potentially redirect the user to sign a variety of usage agreements.
Whenever I enable the module in the web.config I'm finding that SharePoint has issues rendering the page - it's almost like the CSS is not getting loaded as the page is devoid of any styling.
As a test I've even tried an empty module - i.e. an empty init block so it's not even hooking up any code to any events and the same issue arises. At this point it's an empty class that just implements IHttpModule so it's not even my dodgy coding causing the issue!
The module is in a class library that I've dropped in to the bin folder of the application it needs to run against. In the web.config of the app I've simply added an entry as below:
<modules runAllManagedModulesForAllRequests="true">
... (default stuff ommitted)
<add name="SharePointAUP" type="SPModules.SharePointAUP" />
</modules>
I must be missing something really obvious here as I've done exactly the same as every sample I've found and yet I'm getting this strange behaviour. Is there something extra I need to do to get SharePoint to play nice with a custom module?
UPDATE:
In case it helps - this is SP 2010 beta running on Windows 2008 R2.
UPDATE:
The set-up I'm running against is a farm - 2 front end servers with NLB & 2 app servers with services split across them.
After listening to a nagging feeling this morning I've tested my handler on another installation we have which is a standalone set-up... and everything worked perfectly. The issue only exists when deploying to a farm.
make sure to include a precondition attribute
I came back to this after reinstalling the farm with the RTM - everything worked fine. I've written it off as beta issue (along with many others that I had with SharePoint if you've seen my other questions!).

Resources