Integrated Authentication Problem

on 14.03.2007 16:50:43 by RobCollins

We have an IIS 6.0 website hosted on Win Server 2003 SP1 that uses Windows
Integrated Authentication. Clients are XP SP2 with IE6 or IE7. All have latest
patches. Website listed in the Trusted Sites list in IE. Windows Integrated
Authentication enabled in IE.

The problem is that approximately 5% of our users get prompted for a
username and password whenever they access this website.

Even with correct credentials, they are prompted repeatedly. After 3
attempts they get an HTTP 401.2 error. This happens to these users regardless
of which PC they use. If when prompted, a user enters the credentials of a
user that doesn't have this problem, the website works correctly for that
browser session. Therefore we have concluded this is a problem related to
certain user accounts.

I have worked through many Microsoft documents about 401 errors and Kerberos
authentication troubleshooting, but none have helped.

I have checked the Security log in Event Viewer on the IIS server, there are
successful Kerberos entries for 538, 540 and 576. There are no Kerberos
failures listed. In the IIS logs, the only entry is for HTTP 401.2 errors.

What possible causes are there of HTTP 401.2 errors consistently affecting
only a small set of users?

RE: Integrated Authentication Problem

on 14.03.2007 17:21:13 by RobCollins

Here's a sample from the IIS log file where a user received the login prompt.

As you can see, the HTTP statuses are as follows:
401.2
200.0
401.2
500.0
401.1

2007-03-14 10:49:34 W3SVC1 10.0.10.21 GET /policy/ - 80 - 10.5.11.9 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET +CLR+1.1.4322) 401 2 2148074254
2007-03-14 10:49:34 W3SVC1 10.0.10.21 GET /policy/index.html - 80 HSAGROUP\kmccaughan 10.5.11.9 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET +CLR+1.1.4322) 200 0 0
2007-03-14 10:49:34 W3SVC1 10.0.10.21 GET /policy/index.jsp - 80 - 10.5.11.9 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET +CLR+1.1.4322) 401 2 2148074254
2007-03-14 10:49:34 W3SVC1 10.0.10.21 GET /jakarta/isapi_redirector.dll - 80 HSAGROUP\kmccaughan 10.5.11.9 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET +CLR+1.1.4322) 500 0 0
2007-03-14 10:49:34 W3SVC1 10.0.10.21 GET /policy/index.jsp - 80 - 10.5.11.9 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET +CLR+1.1.4322) 401 1 0

Re: Integrated Authentication Problem

on 16.03.2007 06:27:19 by Ken Schaefer

The 401.2 with Win32 status of 2148074254 is Sec_E_No_Credentials. It
appears that your browser is not sending any credentials to the server -
cs-username appears to be blank.

500 is Internal Server Error - you might want to look into that.

200 indicates that this particular resource is being served correctly - that
appears for the request after the first request, when the user first sends
credentials.

Usually 401.2 is generated by ISAPI extension or ISAPI filter (i.e. not by
IIS directly, e.g. due to NTFS permissions). So you probably need to look at
whatever ISAPI extension/filters you are running to see under what
conditions they generate these Access Denied errors.

Cheers
Ken

"Rob Collins" wrote in message
news:A38D6D1A-3875-4902-AD76-479366DFB7D7@microsoft.com...
> Here's a sample from the IIS log file where a user received the login
> prompt.
>
> As you can see, the HTTP statuses are as follows:
> 401.2
> 200.0
> 401.2
> 500.0
> 401.1
>
> 2007-03-14 10:49:34 W3SVC1 10.0.10.21 GET /policy/ - 80 - 10.5.11.9
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET +CLR+1.1.4322)
> 401 2 2148074254
> 2007-03-14 10:49:34 W3SVC1 10.0.10.21 GET /policy/index.html - 80
> HSAGROUP\kmccaughan 10.5.11.9
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET +CLR+1.1.4322)
> 200 0 0
> 2007-03-14 10:49:34 W3SVC1 10.0.10.21 GET /policy/index.jsp - 80 -
> 10.5.11.9
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET +CLR+1.1.4322)
> 401 2 2148074254
> 2007-03-14 10:49:34 W3SVC1 10.0.10.21 GET /jakarta/isapi_redirector.dll -
> 80
> HSAGROUP\kmccaughan 10.5.11.9
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET +CLR+1.1.4322)
> 500 0 0
> 2007-03-14 10:49:34 W3SVC1 10.0.10.21 GET /policy/index.jsp - 80 -
> 10.5.11.9
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET +CLR+1.1.4322)
> 401 1 0
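
Added example (not part of any post in this thread): a small Python parser for the IIS log entries quoted above. It decodes sc-win32-status 2148074254 as SEC_E_NO_CREDENTIALS and separates the first anonymous 401 from 401s sent to a client that had already authenticated. The field order is inferred from the sample lines, and the function names are made up for this illustration.

```python
from collections import namedtuple

# Field order assumed from the sample lines in the thread (IIS 6 W3C logging);
# confirm it against the "#Fields:" header of the real log.
HEAD = ["date", "time", "site", "s_ip", "method", "uri", "query", "port", "user", "c_ip"]
Entry = namedtuple("Entry", HEAD + ["agent", "status", "substatus", "win32"])
WIN32 = {0x8009030E: "SEC_E_NO_CREDENTIALS"}  # 0x8009030E == 2148074254

def parse(line):
    """Split one entry. The user agent is whatever lies between the first ten
    fields and the last three, so a stray space inside it does not shift columns."""
    parts = line.split()
    if line.startswith("#") or len(parts) < len(HEAD) + 4:
        return None
    agent = " ".join(parts[len(HEAD):-3])
    return Entry(*parts[:len(HEAD)], agent, *(int(x) for x in parts[-3:]))

def describe(e):
    """Render status.substatus, who the request ran as, and the decoded Win32 status."""
    who = "no credentials sent" if e.user == "-" else e.user
    win32 = WIN32.get(e.win32, hex(e.win32))
    return f"{e.status}.{e.substatus} {e.uri} [{who}] win32={win32}"

def repeat_challenges(entries):
    """401s sent to a client that had already authenticated earlier in the log.
    The first anonymous 401 from a client is the normal challenge and is skipped.
    c_ip stands in for the browser session, which a shared proxy or NAT would blur."""
    authenticated, flagged = set(), []
    for e in entries:
        if e.user != "-":
            authenticated.add(e.c_ip)
        elif e.status == 401 and e.c_ip in authenticated:
            flagged.append(e)
    return flagged

# The five entries from the thread, re-joined to one line each.
UA = "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET +CLR+1.1.4322)"
PRE = "2007-03-14 10:49:34 W3SVC1 10.0.10.21 GET"
SAMPLE = [
    f"{PRE} /policy/ - 80 - 10.5.11.9 {UA} 401 2 2148074254",
    f"{PRE} /policy/index.html - 80 HSAGROUP\\kmccaughan 10.5.11.9 {UA} 200 0 0",
    f"{PRE} /policy/index.jsp - 80 - 10.5.11.9 {UA} 401 2 2148074254",
    f"{PRE} /jakarta/isapi_redirector.dll - 80 HSAGROUP\\kmccaughan 10.5.11.9 {UA} 500 0 0",
    f"{PRE} /policy/index.jsp - 80 - 10.5.11.9 {UA} 401 1 0",
]
ENTRIES = [e for e in map(parse, SAMPLE) if e]

if __name__ == "__main__":
    for e in ENTRIES:
        print(describe(e))
    print("repeat challenges:", [f"{e.uri} {e.status}.{e.substatus}" for e in repeat_challenges(ENTRIES)])
```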

Re: Integrated Authentication Problem

on 16.03.2007 09:49:10 by RobCollins

Thank you for your help Ken. That makes sense.

The website is part of an application provided by a third party. We will
upgrade it very soon, so I'm hoping that the ISAPI_redirector.dll that you
can see in the IIS logs will be updated too. I'll post back here if this
fixes the problem.

Thanks again.

Rob

"Ken Schaefer" wrote:

> The 401.2 with Win32 status of 2148074254 is Sec_E_No_Credentials. It
> appears that your browser is not sending any credentials to the server
> cs-username appears to be blank.
>
> 500 is Internal Server Error - you might want to look into that.
>
> 200 indicates that this particular resource is being served correctly - that
> appears for the request after the first request, when the user first sends
> credentials.
>
> Usually 401.2 is generated by ISAPI extension or ISAPI filter (i.e. not by
> IIS directly, e.g. due to NTFS permissions). So you probably need to look at
> whatever ISAPI extension/filters you are running to see under what
> conditions they generate these Access Denied errors.
>
> Cheers
> Ken
>
> "Rob Collins" wrote in message
> news:A38D6D1A-3875-4902-AD76-479366DFB7D7@microsoft.com...
> > Here's a sample from the IIS log file where a user received the login
> > prompt.
> >
> > As you can see, the HTTP statuses are as follows:
> > 401.2
> > 200.0
> > 401.2
> > 500.0
> > 401.1
> >
> > 2007-03-14 10:49:34 W3SVC1 10.0.10.21 GET /policy/ - 80 - 10.5.11.9
> > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET +CLR+1.1.4322)
> > 401 2 2148074254
> > 2007-03-14 10:49:34 W3SVC1 10.0.10.21 GET /policy/index.html - 80
> > HSAGROUP\kmccaughan 10.5.11.9
> > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET +CLR+1.1.4322)
> > 200 0 0
> > 2007-03-14 10:49:34 W3SVC1 10.0.10.21 GET /policy/index.jsp - 80 -
> > 10.5.11.9
> > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET +CLR+1.1.4322)
> > 401 2 2148074254
> > 2007-03-14 10:49:34 W3SVC1 10.0.10.21 GET /jakarta/isapi_redirector.dll -
> > 80
> > HSAGROUP\kmccaughan 10.5.11.9
> > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET +CLR+1.1.4322)
> > 500 0 0
> > 2007-03-14 10:49:34 W3SVC1 10.0.10.21 GET /policy/index.jsp - 80 -
> > 10.5.11.9
> > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET +CLR+1.1.4322)
> > 401 1 0
>
>

Re: Integrated Authentication Problem

on 29.03.2007 19:58:33 by Mike Sadowski

I was troubleshooting the same problem and was finally able to resolve
it. Here is what I found out and maybe it will work for you too.

I have Integrated Authentication setup for my website. When I would
browse to one page it would come up fine, I would browse to a different
page and it would prompt for login credentials. Well what I noticed was
that the page that was asking for login credentials had some image files
in it. Well I keep my image files in an image folder in the same
directory as my website. I went into IIS and under my website checked
the security on my images folder, it was set to Integrated
Authentication. Well I set that to anonymous access and now everything
works great! The website is still configured for Integrated
Authentication and I can still extract user login information no
problem. Hope this helps as I have spent a significant amount of time
on this issue.

Regards,
Mike


Re: Integrated Authentication Problem

on 29.03.2007 22:37:57 by David Wang

I'm glad you found a satisfactory resolution, but I do not think it is
for the same problem nor correct resolution.

It sounds like you have KeepAlive disabled for the directory
containing your images because normally the browser would just re-use
the authenticated connection established to that web server to access
another URL under that website. Or you may have an intervening proxy
breaking the authenticated connection and triggering an unexpected 401
which would cause the login dialog to appear. Something is causing the
browser to not re-use the authenticated connection, and it is
happening unexpectedly to the browser.

In other words, what you observe is usually some networking
misconfiguration or server-side application error.

You are "working around" it in your case by making the images not
require authentication. However, that does not resolve the real
problem, so it is not the correct resolution.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//





On Mar 29, 10:58 am, Mike Sadowski wrote:
> I was troubleshooting the same problem and was finally able to resolve
> it. Here is what I found out and maybe it will work for you too.
>
> I have Integrated Authentication setup for my website. When I would
> browse to one page it would come up fine, I would browse to a different
> page and it would prompt for login credentials. Well what I noticed was
> that the page that was asking for login credentials had some image files
> in it. Well I keep my image files in an image folder in the same
> directory as my website. I went into IIS and under my website checked
> the security on my images folder, it was set to Integrated
> Authentication. Well I set that to anonymous access and now everything
> works great! The website is still configured for Integrated
> Authentication and I can still extract user login information no
> problem. Hope this helps as I have spent a significant amount of time
> on this issue.
>
> Regards,
> Mike

Re: Integrated Authentication Problem

on 30.03.2007 19:52:29 by Mike Sadowski

On Mar 29, 4:37 pm, "David Wang" wrote:
> I'm glad you found a satisfactory resolution, but I do not think it is
> for the same problem nor correct resolution.
>
> It sounds like you have KeepAlive disabled for the directory
> containing your images because normally the browser would just re-use
> the authenticated connection established to that web server to access
> another URL under that website. Or you may have an intervening proxy
> breaking the authenticated connection and triggering an unexpected 401
> which would cause the login dialog to appear. Something is causing the
> browser to not re-use the authenticated connection, and it is
> happening unexpectedly to the browser.
>
> In other words, what you observe is usually some networking
> misconfiguration or server-side application error.
>
> You are "working around" it in your case by making the images not
> require authentication. However, that does not resolve the real
> problem, so it is not the correct resolution.
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //




I did check the KeepAlive and it is enabled for the website. I did
fail to mention in my prior post that I do not get the login
credentials prompt when I access the page through IE, only when I try
and access it from a web enabled outlook folder that I am using for an
outlook Add-in I created. Being so, it is a bit tricky to isolate the
root cause. Any other possible thoughts, etc. on why this might be?

Thanks,

Mike

Re: Integrated Authentication Problem

on 30.03.2007 21:54:26 by David Wang

On Mar 30, 10:52 am, "Mike" wrote:
> On Mar 29, 4:37 pm, "David Wang" wrote:
>
> > I'm glad you found a satisfactory resolution, but I do not think it is
> > for the same problem nor correct resolution.
>
> > It sounds like you have KeepAlive disabled for the directory
> > containing your images because normally the browser would just re-use
> > the authenticated connection established to that web server to access
> > another URL under that website. Or you may have an intervening proxy
> > breaking the authenticated connection and triggering an unexpected 401
> > which would cause the login dialog to appear. Something is causing the
> > browser to not re-use the authenticated connection, and it is
> > happening unexpectedly to the browser.
>
> > In other words, what you observe is usually some networking
> > misconfiguration or server-side application error.
>
> > You are "working around" it in your case by making the images not
> > require authentication. However, that does not resolve the real
> > problem, so it is not the correct resolution.
>
> > //David
> > http://w3-4u.blogspot.com
> > http://blogs.msdn.com/David.Wang
> > //
>
> I did check the KeepAlive and it is enabled for the website. I did
> fail to mention in my prior post that I do not get the login
> credentials prompt when I access the page through IE, only when I try
> and access it from a web enabled outlook folder that I am using for an
> outlook Add-in I created. Being so, it is a bit tricky to isolate the
> root cause. Any other possible thoughts, etc. on why this might be?
>
> Thanks,
>
> Mike

Outlook has its own HTTP client access layer which is separate from
IE, so it all depends on what API and who is using that API. It may
not auto-authenticate as well as IE - I have certainly seen cases
where it is suboptimal in making HTTP requests that require more user
login prompt than expected.


//David
http://w3-4u.blogspot.com

Re: Integrated Authentication Problem

on 31.07.2007 16:43:33 by pelyco systems inc

Did you ever get this resolved?
We are having the exact same problem at one customer site.