IIS6, Windows Integrated Authentication, Denied access

IIS6, Windows Integrated Authentication, Denied access

am 12.05.2006 18:56:02 von DrJazz

I have deployed an ASP.NET 2 web app to a Windows 2003 Server with SP1 (this
issue also occurred on a Win 2003 R2 server). The site is configured to use
Windows Integrated Authentication (it is a local Intranet app) and the web
app works with this, mostly.

Frequently, however, the user will receive an authentication dialog for a
web resource. This doesn't happen always, but frequently it does. Sometimes
the user can access the resource without any problems, other times he'll be
prompted for a username and password. Entering his domain credentials does
not allow access to the resource, however, when he is prompted. If he is not
prompted, he can access the resource fine.

I don't know what could be causing this behavior. Turning on full auditing
for the files in the web site does not reveal any object access failure
audits. However, in the web traffic log, I will see entries such as this:

2006-05-12 15:27:11 W3SVC1 142.101.204.107 GET
/Survey/images/icon_arrow_down.gif - 80 - 10.166.4.193
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+CGI- ISDC;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 1 2148074241

What I find curious about this log entry is the following:
- There is no LOGON_USER identified. Other successful log entries show
the user name.
- The server code for this entry is 401.1
- The Win32 code is 2148074241

I suspect that this has something to do with network communications with the
domain controller, but this is just a guess. I really have no idea what could
be causing this intermittent behavior.

Does anyone know where else I can look in attempting to diagnose this problem?


Thanks,
DrJazz

RE: IIS6, Windows Integrated Authentication, Denied access

am 12.05.2006 19:55:02 von PaulWalsh

When using NTLM on Windows 2003 you will see three entries in the IIS logs
for each request made by a user.

Line 1 - 401.1
Line 2 - 401.2
Line 3 - 200 (this of course assumes the page worked!)

It does suggest that there may be authentication issues between your web
server and DC.

Have you checked your DC to make sure it is not being overly stressed. You
could find that it is unable to deal with the numberof requests it is being
sent. Monitoring Performance counters should help with this.

Also try to analyse your log files for patterns when the authentication
failures occur. (Using Log Parser from the IIS Resource Kit would really help
with this). Again you may see some pattern, i.e. requests ont he half hour
are failing, and you may be able to tie this back to a scheduled task etc..

Paul Walsh

"DrJazz" wrote:

> I have deployed an ASP.NET 2 web app to a Windows 2003 Server with SP1 (this
> issue also occurred on a Win 2003 R2 server). The site is configured to use
> Windows Integrated Authentication (it is a local Intranet app) and the web
> app works with this, mostly.
>
> Frequently, however, the user will receive an authentication dialog for a
> web resource. This doesn't happen always, but frequently it does. Sometimes
> the user can access the resource without any problems, other times he'll be
> prompted for a username and password. Entering his domain credentials does
> not allow access to the resource, however, when he is prompted. If he is not
> prompted, he can access the resource fine.
>
> I don't know what could be causing this behavior. Turning on full auditing
> for the files in the web site does not reveal any object access failure
> audits. However, in the web traffic log, I will see entries such as this:
>
> 2006-05-12 15:27:11 W3SVC1 142.101.204.107 GET
> /Survey/images/icon_arrow_down.gif - 80 - 10.166.4.193
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+CGI- ISDC;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 401 1 2148074241
>
> What I find curious about this log entry is the following:
> - There is no LOGON_USER identified. Other successful log entries show
> the user name.
> - The server code for this entry is 401.1
> - The Win32 code is 2148074241
>
> I suspect that this has something to do with network communications with the
> domain controller, but this is just a guess. I really have no idea what could
> be causing this intermittent behavior.
>
> Does anyone know where else I can look in attempting to diagnose this problem?
>
>
> Thanks,
> DrJazz
>
>

RE: IIS6, Windows Integrated Authentication, Denied access

am 12.05.2006 20:19:02 von DrJazz

Paul,

Thank you for your quick response. Actually, for each successful URI
request, I see 4 entries in the web log:

401 2 2148074254
401 1 0
401 1 0
200 0 0

As far as load on the DC goes, my network admin informs me that our DCs are
actually way overpowered for our needs - we have 2 dual-processor machines
acting only as DCs for under 250 people. There is nothing he can determine
from examining the DCs (logs, etc.) that would shed light on this issue.

Curiously, however, the resource that gets denied is often an image (it is
much less frequently an ASPX page request), and is often the SAME image on a
given page. For example, load the page a few times, everything works fine.
Then, out of the blue, reload the page and one of the images won't load
(prompting for a login). It can't be stress on the web server itself since
I'm the only one using it.

There does not appear to be any pattern to the resource denial, other than
if I bang on the web site for 2 to 3 minutes, I'm bound to have at least one
of these episodes. I was hoping the Win32 error code might provide a clue,
but Google/MSN/Yahoo have precious little to offer on this code.

Paul, once again thanks for you help.


Cheers,
DrJazz

RE: IIS6, Windows Integrated Authentication, Denied access

am 12.05.2006 21:29:02 von PaulWalsh

The only other thing I can suggest is running FileMon (www.sysinternals.com)
to see if that gives you any more detailed analysis. That extra 401.1 you see
would probably indicate that the client is failing to correctly send its
credentials to the web server when initally challenged.

The other option is to run a Netmon or Etherreal trace. This would prove
conclusivly if the client is correctly responding to the request for
credentials.

Just thought of one more option :-) Caching... Have you tried clearing down
any client or server caches, and any front end network cache you may have..

Paul Walsh

"DrJazz" wrote:

> Paul,
>
> Thank you for your quick response. Actually, for each successful URI
> request, I see 4 entries in the web log:
>
> 401 2 2148074254
> 401 1 0
> 401 1 0
> 200 0 0
>
> As far as load on the DC goes, my network admin informs me that our DCs are
> actually way overpowered for our needs - we have 2 dual-processor machines
> acting only as DCs for under 250 people. There is nothing he can determine
> from examining the DCs (logs, etc.) that would shed light on this issue.
>
> Curiously, however, the resource that gets denied is often an image (it is
> much less frequently an ASPX page request), and is often the SAME image on a
> given page. For example, load the page a few times, everything works fine.
> Then, out of the blue, reload the page and one of the images won't load
> (prompting for a login). It can't be stress on the web server itself since
> I'm the only one using it.
>
> There does not appear to be any pattern to the resource denial, other than
> if I bang on the web site for 2 to 3 minutes, I'm bound to have at least one
> of these episodes. I was hoping the Win32 error code might provide a clue,
> but Google/MSN/Yahoo have precious little to offer on this code.
>
> Paul, once again thanks for you help.
>
>
> Cheers,
> DrJazz
>