401.1 Unauthorized - IIS 6 & Integrated Windows Authentication Only
-
Hi All,

I have an application running on IIS 6 and in a customised application pool called MyAppPool. MyAppPool is running as a domain user identity. The virtual directory has Integrated Windows Authentication enabled only.

I've also set the following:
- Added domain user to IIS_WPG
- Added domain user to Log on as a batch job
- Added domain user to Log on as a service

Now the problem I'm getting is that every time I try to access the application I get prompted for my credentials. After entering the valid credentials 3 times I get the Unauthorized Access error.

I've been googling for 2 days and found a possible solution is to add the line:

    NTAuthenticationProviders="Negotiate,NTLM"

to IIS Metabase.xml. However, after restarting IIS the issue remains.

Could someone please help?

Thank you
-
This is what I've found:

Cause of problem: Kerberos breaks when a customised application pool is created using a customised identity. For my case I used a domain user as the pool identity.

Resolution

1. Avoid Kerberos and use NTLM authentication instead. To do this:

    cd c:\inetpub\adminscripts
    cscript adsutil.vbs set w3svc/??/NTAuthenticationProviders "NTLM"

   NB: where ?? is your website's identity id (you can get this id from the IIS manager -> Web Sites -> Identifier column).

2. Fix Kerberos by setting up appropriate Service Principal Name (SPN).

    setspn -A HTTP/servername domain\account
    setspn -A HTTP/server_fully_qualified_domain_name domain\account

   Servername and server_fully_qualified_domain_name are retrievable from DNS and are both referring to the server/machine that your service is running on. domain\account is referring to the identity you use for your customised application pool.

At the moment I'm still having trouble setting up the SPN correctly. However, hope my finding will help someone one day.

Thanks, Anzy
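
A way to check the result of the two `setspn -A` commands in the reply above, added here as an example and not written by the original poster: it parses `setspn -L` output for the pool account and reports whether each of the two HTTP SPNs is registered. The function names, `CONTOSO\svc_apppool`, `web01` and `web01.contoso.example` are placeholders, and the sample output is constructed so the block runs without a domain.

```powershell
# Added example: confirm both HTTP SPNs exist on the application pool identity.
# All account and host names below are constructed placeholders.

function Get-RegisteredSpn {
    param([string[]]$SetspnOutput)
    # `setspn -L` prints one header line, then one indented SPN per line.
    $SetspnOutput |
        Where-Object { $_ -match '^\s+\S+/\S+' } |
        ForEach-Object { $_.Trim() }
}

function Test-PoolSpn {
    param(
        [string]$Account,       # domain\account used as the pool identity
        [string]$ServerName,    # short host name, as in HTTP/servername
        [string]$ServerFqdn,    # fully qualified name of the same server
        # Defaults to a live query; pass captured text to test offline.
        [string[]]$SetspnOutput = $(setspn -L $Account)
    )
    $registered = @(Get-RegisteredSpn $SetspnOutput)
    foreach ($spn in "HTTP/$ServerName", "HTTP/$ServerFqdn") {
        # -contains compares case-insensitively, which matches how SPNs are treated.
        New-Object PSObject -Property @{
            Spn        = $spn
            Registered = ($registered -contains $spn)
        }
    }
}

# Constructed sample: only the short-name SPN was added to the account.
$sample = @(
    'Registered ServicePrincipalNames for CN=svc_apppool,CN=Users,DC=contoso,DC=example:',
    "`tHTTP/web01"
)

Test-PoolSpn -Account 'CONTOSO\svc_apppool' -ServerName 'web01' `
    -ServerFqdn 'web01.contoso.example' -SetspnOutput $sample |
    Format-Table Spn, Registered -AutoSize
```

Omit `-SetspnOutput` on a domain-joined machine to query the directory directly. A row with `Registered` set to `False` means the matching `setspn -A` line has not taken effect for that name.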