security error in IIS logs (401.2 error)

Hi:

I'm trying to deploy my VisualStudio2003 ASP.NET application on Windows
Server 2003 w/ SP-1. When I navigate to my site (locally or from another
network computer) in Internet Explorer I'm being prompting for a network
username/password. I believe have configured the server properly in ISS,
have the correct NTFS file permissions, etc.

I would really like to know what sc-win32-status 2148074254 refers to (see
my IIS log below). Anyone have any ideas? I know that the 401.2 error means
"denied by server configuration" and often means a protocol issue between the
browser and IIS. I'm not trying to do anything special here, just want to
use plain vanilla Windows Authentication. I have anonymous access turned off
for my site in IIS (my application requires this) but when I allow anonymous
access the error goes away.

I have attached my [truncated] IIS log below. Please let me know if you
require any additional details about my environment. Any help that anyone
can offer would be greatly apprecaited. I'm running out of ideas.

Thanks in advance,

Alexander

---SOF---

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-06-23 17:04:28
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port
cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-06-23 17:04:28 W3SVC331956636 10.34.43.11 GET /eProfitStartup.aspx - 80
- 10.34.43.11
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET +CLR+1.1.4322)
401 2 2148074254

---EOF---

Re: security error in IIS logs (401.2 error)

After this request, do you see a succesful 200 OK request being logged? The
request line below looks like part of a NTLM authentication handshake.

Cheers
Ken

"Alexander Ferrugia" wrote in
message news:9B020444-0083-4729-8FD0-EC88C6E53D45@microsoft.com...
> Hi:
>
> I'm trying to deploy my VisualStudio2003 ASP.NET application on Windows
> Server 2003 w/ SP-1. When I navigate to my site (locally or from another
> network computer) in Internet Explorer I'm being prompting for a network
> username/password. I believe have configured the server properly in ISS,
> have the correct NTFS file permissions, etc.
>
> I would really like to know what sc-win32-status 2148074254 refers to (see
> my IIS log below). Anyone have any ideas? I know that the 401.2 error
> means
> "denied by server configuration" and often means a protocol issue between
> the
> browser and IIS. I'm not trying to do anything special here, just want to
> use plain vanilla Windows Authentication. I have anonymous access turned
> off
> for my site in IIS (my application requires this) but when I allow
> anonymous
> access the error goes away.
>
> I have attached my [truncated] IIS log below. Please let me know if you
> require any additional details about my environment. Any help that anyone
> can offer would be greatly apprecaited. I'm running out of ideas.
>
> Thanks in advance,
>
> Alexander
>
> ---SOF---
>
> #Software: Microsoft Internet Information Services 6.0
> #Version: 1.0
> #Date: 2006-06-23 17:04:28
> #Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query
> s-port
> cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
> 2006-06-23 17:04:28 W3SVC331956636 10.34.43.11 GET /eProfitStartup.aspx -
> 80
> - 10.34.43.11
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET +CLR+1.1.4322)
> 401 2 2148074254
>
> ---EOF---
>

Re: security error in IIS logs (401.2 error)

Thanks for the response, Ken:

No, I do not get a 200 OK later in the log (posted in my original message).
The first line that you see in the log is repeated over and over with the
same error each time anyone attempts to access a page in my ASP.NET
application. The only way I can get a 200 OK is if I manually enter in my
username/password. It will keep prompting you over and over as you travel to
new pages.

I initially thought it was being blocked by a proxy on our network. The
network guys don't think I should be going through the proxy. I read the
following today (see URL) and don't know if it could be describing the
culprit.... "Integrated Windows authentication is disabled by default if you
install Windows Server 2003 Service Pack 1 (SP1) as part of a slipstream
installation of a Windows Server 2003 operating system". I did find out that
our build was a "slipstreamed" version of Win2K3 with SP-1, but I don't want
to wipe the install, reinstall Win2K3, then install SP-1 over it, only to
find out that this isn't going to fix the problem.

http://www.microsoft.com/technet/prodtechnol/WindowsServer20 03/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr =true

Cheers,

Alexander


"Ken Schaefer" wrote:

> After this request, do you see a succesful 200 OK request being logged? The
> request line below looks like part of a NTLM authentication handshake.
>
> Cheers
> Ken
>
> "Alexander Ferrugia" wrote in
> message news:9B020444-0083-4729-8FD0-EC88C6E53D45@microsoft.com...
> > Hi:
> >
> > I'm trying to deploy my VisualStudio2003 ASP.NET application on Windows
> > Server 2003 w/ SP-1. When I navigate to my site (locally or from another
> > network computer) in Internet Explorer I'm being prompting for a network
> > username/password. I believe have configured the server properly in ISS,
> > have the correct NTFS file permissions, etc.
> >
> > I would really like to know what sc-win32-status 2148074254 refers to (see
> > my IIS log below). Anyone have any ideas? I know that the 401.2 error
> > means
> > "denied by server configuration" and often means a protocol issue between
> > the
> > browser and IIS. I'm not trying to do anything special here, just want to
> > use plain vanilla Windows Authentication. I have anonymous access turned
> > off
> > for my site in IIS (my application requires this) but when I allow
> > anonymous
> > access the error goes away.
> >
> > I have attached my [truncated] IIS log below. Please let me know if you
> > require any additional details about my environment. Any help that anyone
> > can offer would be greatly apprecaited. I'm running out of ideas.
> >
> > Thanks in advance,
> >
> > Alexander
> >
> > ---SOF---
> >
> > #Software: Microsoft Internet Information Services 6.0
> > #Version: 1.0
> > #Date: 2006-06-23 17:04:28
> > #Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query
> > s-port
> > cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
> > 2006-06-23 17:04:28 W3SVC331956636 10.34.43.11 GET /eProfitStartup.aspx -
> > 80
> > - 10.34.43.11
> > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET +CLR+1.1.4322)
> > 401 2 2148074254
> >
> > ---EOF---
> >
>
>
>

Re: security error in IIS logs (401.2 error)

Let me explain what I think is misunderstood from the URL. It is indicating
that we made anonymous-only websites the default... and NOT that Integrated
Authentication is "broken" by default such that you have to do anything
other than tick the check box to enable/use it. All we did was change the
default of the checkbox from on to off, and you can tick it back on just as
easily.

Is KeepAlives allowed on your server.
What are the Application Pool settings configured for that URL.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Alexander Ferrugia" wrote in
message news:98A1BB53-1656-4F46-9DE4-89472DEE7906@microsoft.com...
> Thanks for the response, Ken:
>
> No, I do not get a 200 OK later in the log (posted in my original
> message).
> The first line that you see in the log is repeated over and over with the
> same error each time anyone attempts to access a page in my ASP.NET
> application. The only way I can get a 200 OK is if I manually enter in my
> username/password. It will keep prompting you over and over as you travel
> to
> new pages.
>
> I initially thought it was being blocked by a proxy on our network. The
> network guys don't think I should be going through the proxy. I read the
> following today (see URL) and don't know if it could be describing the
> culprit.... "Integrated Windows authentication is disabled by default if
> you
> install Windows Server 2003 Service Pack 1 (SP1) as part of a slipstream
> installation of a Windows Server 2003 operating system". I did find out
> that
> our build was a "slipstreamed" version of Win2K3 with SP-1, but I don't
> want
> to wipe the install, reinstall Win2K3, then install SP-1 over it, only to
> find out that this isn't going to fix the problem.
>
> http://www.microsoft.com/technet/prodtechnol/WindowsServer20 03/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr =true
>
> Cheers,
>
> Alexander
>
>
> "Ken Schaefer" wrote:
>
>> After this request, do you see a succesful 200 OK request being logged?
>> The
>> request line below looks like part of a NTLM authentication handshake.
>>
>> Cheers
>> Ken
>>
>> "Alexander Ferrugia" wrote
>> in
>> message news:9B020444-0083-4729-8FD0-EC88C6E53D45@microsoft.com...
>> > Hi:
>> >
>> > I'm trying to deploy my VisualStudio2003 ASP.NET application on Windows
>> > Server 2003 w/ SP-1. When I navigate to my site (locally or from
>> > another
>> > network computer) in Internet Explorer I'm being prompting for a
>> > network
>> > username/password. I believe have configured the server properly in
>> > ISS,
>> > have the correct NTFS file permissions, etc.
>> >
>> > I would really like to know what sc-win32-status 2148074254 refers to
>> > (see
>> > my IIS log below). Anyone have any ideas? I know that the 401.2 error
>> > means
>> > "denied by server configuration" and often means a protocol issue
>> > between
>> > the
>> > browser and IIS. I'm not trying to do anything special here, just want
>> > to
>> > use plain vanilla Windows Authentication. I have anonymous access
>> > turned
>> > off
>> > for my site in IIS (my application requires this) but when I allow
>> > anonymous
>> > access the error goes away.
>> >
>> > I have attached my [truncated] IIS log below. Please let me know if
>> > you
>> > require any additional details about my environment. Any help that
>> > anyone
>> > can offer would be greatly apprecaited. I'm running out of ideas.
>> >
>> > Thanks in advance,
>> >
>> > Alexander
>> >
>> > ---SOF---
>> >
>> > #Software: Microsoft Internet Information Services 6.0
>> > #Version: 1.0
>> > #Date: 2006-06-23 17:04:28
>> > #Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query
>> > s-port
>> > cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
>> > 2006-06-23 17:04:28 W3SVC331956636 10.34.43.11 GET
>> > /eProfitStartup.aspx -
>> > 80
>> > - 10.34.43.11
>> > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET +CLR+1.1.4322)
>> > 401 2 2148074254
>> >
>> > ---EOF---
>> >
>>
>>
>>

Re: security error in IIS logs (401.2 error)

"Alexander Ferrugia" wrote in
message news:98A1BB53-1656-4F46-9DE4-89472DEE7906@microsoft.com...
> Thanks for the response, Ken:
>
> No, I do not get a 200 OK later in the log (posted in my original
> message).
> The first line that you see in the log is repeated over and over with the
> same error each time anyone attempts to access a page in my ASP.NET
> application. The only way I can get a 200 OK is if I manually enter in my
> username/password. It will keep prompting you over and over as you travel
> to
> new pages.

So you do get a 200 OK if you type in your username/password? But when you
attempt to load the next page, you get another 401, then you need to enter
your username/password again and then you get a 200? Something like:

401 page1.aspx
200 page1.aspx
401 page2.aspx
200 page2.aspx

Do you have HTTP keep-alives enabled for this web site/web application?

>
> I initially thought it was being blocked by a proxy on our network.

If there was an intervening proxy, you probably wouldn't be able to load the
pages at all. You'd just get 401s all the time.

Cheers
Ken


The
> network guys don't think I should be going through the proxy. I read the
> following today (see URL) and don't know if it could be describing the
> culprit.... "Integrated Windows authentication is disabled by default if
> you
> install Windows Server 2003 Service Pack 1 (SP1) as part of a slipstream
> installation of a Windows Server 2003 operating system". I did find out
> that
> our build was a "slipstreamed" version of Win2K3 with SP-1, but I don't
> want
> to wipe the install, reinstall Win2K3, then install SP-1 over it, only to
> find out that this isn't going to fix the problem.
>
> http://www.microsoft.com/technet/prodtechnol/WindowsServer20 03/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr =true
>
> Cheers,
>
> Alexander
>
>
> "Ken Schaefer" wrote:
>
>> After this request, do you see a succesful 200 OK request being logged?
>> The
>> request line below looks like part of a NTLM authentication handshake.
>>
>> Cheers
>> Ken
>>
>> "Alexander Ferrugia" wrote
>> in
>> message news:9B020444-0083-4729-8FD0-EC88C6E53D45@microsoft.com...
>> > Hi:
>> >
>> > I'm trying to deploy my VisualStudio2003 ASP.NET application on Windows
>> > Server 2003 w/ SP-1. When I navigate to my site (locally or from
>> > another
>> > network computer) in Internet Explorer I'm being prompting for a
>> > network
>> > username/password. I believe have configured the server properly in
>> > ISS,
>> > have the correct NTFS file permissions, etc.
>> >
>> > I would really like to know what sc-win32-status 2148074254 refers to
>> > (see
>> > my IIS log below). Anyone have any ideas? I know that the 401.2 error
>> > means
>> > "denied by server configuration" and often means a protocol issue
>> > between
>> > the
>> > browser and IIS. I'm not trying to do anything special here, just want
>> > to
>> > use plain vanilla Windows Authentication. I have anonymous access
>> > turned
>> > off
>> > for my site in IIS (my application requires this) but when I allow
>> > anonymous
>> > access the error goes away.
>> >
>> > I have attached my [truncated] IIS log below. Please let me know if
>> > you
>> > require any additional details about my environment. Any help that
>> > anyone
>> > can offer would be greatly apprecaited. I'm running out of ideas.
>> >
>> > Thanks in advance,
>> >
>> > Alexander
>> >
>> > ---SOF---
>> >
>> > #Software: Microsoft Internet Information Services 6.0
>> > #Version: 1.0
>> > #Date: 2006-06-23 17:04:28
>> > #Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query
>> > s-port
>> > cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
>> > 2006-06-23 17:04:28 W3SVC331956636 10.34.43.11 GET
>> > /eProfitStartup.aspx -
>> > 80
>> > - 10.34.43.11
>> > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET +CLR+1.1.4322)
>> > 401 2 2148074254
>> >
>> > ---EOF---
>> >
>>
>>
>>

RE: security error in IIS logs (401.2 error)

Found the solution to my problem and thought I would share:

Short story: Had to make a DNS entry for the IP address of the site name
that I was using to host my ASP.NET application.

More detailed story: I noticed that everything worked when I added the IP
address as a "trusted site" in Internet Explorer. Without having this
address added as a trusted server it would prompt me. I noticed that when I
pinged a computer name in a command window, it would show up as the fully
qualified name (sitename.domain). Therefore IE or TCPIP is getting
information back from the DNS lookup in some fashion and it knows that this
site is a "trusted site" -- although IE or TCP does not know this information
if I try to use the actual IP address (instead of the name).

This may just have something to do with our network settings. It is
interesting though because we have a large global network largely managed by
Microsoft (from the software side), so I imagine other people have or will
run into this problem in the future. For those people, I hope reading this
post helps.

Cheers,

Alexander


"Alexander Ferrugia" wrote:

> Hi:
>
> I'm trying to deploy my VisualStudio2003 ASP.NET application on Windows
> Server 2003 w/ SP-1. When I navigate to my site (locally or from another
> network computer) in Internet Explorer I'm being prompting for a network
> username/password. I believe have configured the server properly in ISS,
> have the correct NTFS file permissions, etc.
>
> I would really like to know what sc-win32-status 2148074254 refers to (see
> my IIS log below). Anyone have any ideas? I know that the 401.2 error means
> "denied by server configuration" and often means a protocol issue between the
> browser and IIS. I'm not trying to do anything special here, just want to
> use plain vanilla Windows Authentication. I have anonymous access turned off
> for my site in IIS (my application requires this) but when I allow anonymous
> access the error goes away.
>
> I have attached my [truncated] IIS log below. Please let me know if you
> require any additional details about my environment. Any help that anyone
> can offer would be greatly apprecaited. I'm running out of ideas.
>
> Thanks in advance,
>
> Alexander
>
> ---SOF---
>
> #Software: Microsoft Internet Information Services 6.0
> #Version: 1.0
> #Date: 2006-06-23 17:04:28
> #Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port
> cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
> 2006-06-23 17:04:28 W3SVC331956636 10.34.43.11 GET /eProfitStartup.aspx - 80
> - 10.34.43.11
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET +CLR+1.1.4322)
> 401 2 2148074254
>
> ---EOF---
>