28

I am having a problem with getting windows authentication to work on IIS 7.5. The application is an internal site built in asp.net MVC 3. The application pool is using a specific domain user and the site is using windows authentication. Every time I try to launch the site IE prompts me for a login.

If I cancel enough the site comes up, messed up looking, but it has my name associated with my windows log in displayed at the top. So that tells me that the site is picking up my windows credentials correctly.

I added the Network local user to have read access to the inetpub folder on the server and now it doesn't prompt for login with IE 8. But on chrome I get this error "Error 338 (net::ERR_INVALID_AUTH_CREDENTIALS): Unknown error.".

It is in our intranet sites zone. I should have stated this but I forgot. The site used to work on our old development server but when I upgraded to Win 2008 R2 with IIS 7.5 it stopped working. Used to be on 2003 with IIS 6.0.

I am wondering if any one has any idea what else I can try. I am pretty much spinning my wheels at this point.

I have tried all of the solutions in the links below and none of them have fixed the problem.

http://forums.iis.net/t/1177154.aspx

http://forums.iis.net/t/1178188.aspx

Receiving login prompt using integrated windows authentication

http://warnajith.blogspot.com/2011/06/iis-75-401-unauthorized-access-error.html

http://forums.asp.net/t/1639511.aspx/1

https://superuser.com/questions/128746/iis-asks-for-login-pass-when-accessed-using-hostname-but-not-when-localhost-is

http://ask.metafilter.com/183636/Prompted-for-a-username-and-password-when-browsing-to-an-IIS-virtual-directory

IIS 7 and Windows Authentication

divide_byzero

7 Answers

23

Related Note: If you are trying to replicate your site on localhost, and windows authentication is enabled and still fails, the solution is some registry hacking to avoid the loopback check:

Using regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0. Add a new Multi-String Value to MSV1_0 and name it BackConnectionHostNames. Add the host names you wish to use, for example "mysite.com". Restart IIS.

Source link

The value should be the website name in your windows hosts file.

Also to be able to access a non-authenticated /data folder using PHP's file_get_contents, I had to add this to the applicationHost.config file, to prevent 401 errors.

    <location path="mysite.com/data">
        <system.webServer>
            <security>
                <authentication>
                    <anonymousAuthentication enabled="true" />
                    <windowsAuthentication enabled="false" />
                </authentication>
            </security>
        </system.webServer>
    </location>
captainhero70
  • I'm not going to apply the registry hack (just because I hate keeping track of reg changes), but reading this article revealed the problem: "Reflection Attacks". This is essentially when an attacker attempts to trick the host into providing an answer to its own challenge. Apparently IIS has a safety feature to prevent this. As a result, **you can only authenticate locally if your site uses the same name as your computer (or current domain).** This hack allows you to circumvent that restriction. – Ross Brasseaux Feb 03 '16 at 19:31
  • NOTE: I'd like to add that this hack was ONLY applied to my personal DEV box. It does NOT run like that in production. This was done to allow authentication for testing purposes. And having to make your site name the same as your computer name is a bit silly, if that is the case. – captainhero70 Mar 20 '16 at 18:12
  • This registry addition is the right answer! Like captainhero70 said: use on DEV box only; but so desperately needed there. It is silly how hard it was to find this correct answer! – Klompenrunner Mar 19 '19 at 20:30
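An added PowerShell example, not code from captainhero70's answer, that adds host names to the BackConnectionHostNames value described above without overwriting entries that are already present (the value may not exist yet, and an existing multi-string must be merged rather than replaced). It assumes an elevated session on the box the answer and comments describe, the development machine.

```powershell
# Added example (not from the answer): idempotently add host names to the
# BackConnectionHostNames REG_MULTI_SZ value under MSV1_0. Run elevated.
function Add-BackConnectionHostName {
    param([Parameter(Mandatory)][string[]]$HostName)

    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $valueName = 'BackConnectionHostNames'

    # Read whatever is already configured; the value may not exist yet.
    $existing = @()
    $current  = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($current) { $existing = @($current.$valueName) }

    # Merge, drop blank entries, and de-duplicate (Sort-Object -Unique is case-insensitive,
    # which matches how DNS names are compared).
    $merged = @($existing + $HostName | Where-Object { $_ } | Sort-Object -Unique)

    if ($current) {
        # Existing REG_MULTI_SZ: writing a string array keeps the multi-string type.
        Set-ItemProperty -Path $keyPath -Name $valueName -Value $merged
    } else {
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType MultiString -Value $merged | Out-Null
    }

    # Return the resulting list so the caller can confirm what is now configured.
    (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
}

# The host name from the answer, i.e. the name used in the local hosts file.
Add-BackConnectionHostName -HostName 'mysite.com'
# The answer restarts IIS afterwards (iisreset) so the change is picked up.
```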
18

I found the answer to this. It is a config setting that isn't mapped in the GUI. I had to go into the application host config file located at %SystemDrive%\Windows\System32\inetsrv\config and change the settings below.

The default settings were:

    <windowsAuthentication enabled="true">
        <providers>
            <add value="Negotiate" />
        </providers>
    </windowsAuthentication>

Changed to this and it worked:

    <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
        <providers>
            <add value="NTLM" />
        </providers>
    </windowsAuthentication>

divide_byzero
  • That's machine level configuration; I suppose if you add that to your web.config, it should also work. – Ray Cheng Sep 24 '12 at 16:05
  • It had to be at the machine level. It was already set up that way in the web configs. – divide_byzero Sep 26 '12 at 12:51
  • I've had a similar problem before and resolved by navigating to IIS > web app > authentication > windows authentication > right-click > Providers > change NTLM to be the top one. I suspect it's a problem with Kerberos authentication not working or something like that. There are some great articles on Kerberos in this series http://technet.microsoft.com/en-us/library/ms191153.aspx which would help with troubleshooting further if you so desire. – Rory Jan 10 '13 at 00:33
  • I had tried that Rory but it still didn't work until I set the useKernelMode and useAppPoolCredentials to true. For some reason it wasn't picking those settings up in the web config and I had to do it at the machine level. Sorry it took me so long to post an answer back to this. – divide_byzero Mar 06 '14 at 08:24
  • @divide_byzero Hello I tried to follow your instruction. Still didn't work. I have updated applicationhost.config and in IIS, enabled windows authentication and disabled others authentication. What else I need to configure? – Thit Lwin Oo Mar 09 '15 at 18:44
  • @Thit Lwin Oo did you try the registry hack that captainhero70 talks about? I would try that. Other than that I am not sure what may be wrong. – divide_byzero Mar 13 '15 at 03:34
  • If this fixed it it's most likely because the actual server name (Service Principal Name or SPN) doesn't match the name you're connecting to it with--as in the case of using DNS and virtual hosting. Note that by switching from Kerberos (Negotiate) to NTLM, you're switching from delegation to impersonation. This can have unwanted side effects such as preventing you from doing another hop over the network as the authenticated user (say, to the database). Look into using SetSPN. (Or, if you're just doing it on your local computer with a custom DNS name, see captainhero70's answer.) – ErikE Aug 07 '15 at 22:20
  • This is the life saver for me. I had the NTLM and the Negotiate as providers enabled and it kept prompting for logon screen in all the browsers. After i removed Negotiate, it stopped prompting. THANKS – Ak777 Jul 15 '20 at 05:55
  • @ak777 Glad that it helped. Always nice to know that my solution helped people out. – divide_byzero Jul 30 '20 at 18:00
  • In case anyone is wondering where to place these elements: https://learn.microsoft.com/en-us/iis/configuration/system.webServer/security/authentication/windowsAuthentication/#configuration-sample – derekbaker783 Mar 28 '23 at 01:02
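An added PowerShell example, not code from the answer or from IIS itself, that applies the accepted answer's server-level windowsAuthentication settings through the WebAdministration module instead of hand-editing applicationHost.config, and reads the section back so the provider order can be verified. It assumes an elevated session on the IIS server; the -KeepNegotiate switch is an assumption of this example that reproduces Rory's variant (NTLM first, Negotiate still offered), which ErikE's comment explains keeps Kerberos delegation available.

```powershell
# Added example (not from the answer): configure the server-level windowsAuthentication
# section (applicationHost.config) with the WebAdministration module. Run elevated.
Import-Module WebAdministration

$AppHost = 'MACHINE/WEBROOT/APPHOST'    # server-level scope = applicationHost.config
$WinAuth = 'system.webServer/security/authentication/windowsAuthentication'

function Get-WindowsAuthSettings {
    $section   = Get-WebConfiguration -PSPath $AppHost -Filter $WinAuth
    $providers = Get-WebConfigurationProperty -PSPath $AppHost -Filter "$WinAuth/providers" -Name Collection
    [pscustomobject]@{
        Enabled               = $section.enabled
        UseKernelMode         = $section.useKernelMode
        UseAppPoolCredentials = $section.useAppPoolCredentials
        # Order matters: the first provider is the one offered to the browser first.
        Providers             = @($providers | ForEach-Object { $_.value })
    }
}

function Set-WindowsAuthNtlm {
    # -KeepNegotiate (this example's own switch): NTLM first, Negotiate second, per Rory's comment.
    param([switch]$KeepNegotiate)

    Set-WebConfigurationProperty -PSPath $AppHost -Filter $WinAuth -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath $AppHost -Filter $WinAuth -Name useKernelMode -Value $true
    Set-WebConfigurationProperty -PSPath $AppHost -Filter $WinAuth -Name useAppPoolCredentials -Value $true

    # Rebuild the provider collection: remove both known entries, then add back in the wanted order.
    foreach ($p in 'Negotiate', 'NTLM') {
        Remove-WebConfigurationProperty -PSPath $AppHost -Filter "$WinAuth/providers" -Name '.' `
            -AtElement @{ value = $p } -ErrorAction SilentlyContinue
    }
    Add-WebConfigurationProperty -PSPath $AppHost -Filter "$WinAuth/providers" -Name '.' -Value @{ value = 'NTLM' }
    if ($KeepNegotiate) {
        Add-WebConfigurationProperty -PSPath $AppHost -Filter "$WinAuth/providers" -Name '.' -Value @{ value = 'Negotiate' }
    }
    Get-WindowsAuthSettings
}

Get-WindowsAuthSettings   # before: typically Negotiate only, as in the answer's default
Set-WindowsAuthNtlm       # after: NTLM only, useKernelMode and useAppPoolCredentials true
```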
6

In order for integrated credentials to be passed by IE, the site needs to be in your Intranet sites zone. It cannot be in trusted sites or any other sites.

Steven Murawski
  • It is in our intranet sites zone. I should have stated this but I forgot. The site used to work on our old development server but when I upgraded to Win 2008 R2 with IIS 7.5 it stopped working. Used to be on 2003 with IIS 6.0 – divide_byzero Sep 20 '12 at 17:40
  • I can't thank you enough; this was the last step of many needed. Wish IE was smart enough to figure this out anyway, IMHO.... but thanks! – JosephDoggie Nov 26 '14 at 22:21
2

I had a similar problem and it was fixed by adding the users group (MYDOMAIN\Users) to the physical folder of the application with read permissions.

rhysp
  • I have a similar problem/solution http://stackoverflow.com/questions/14120734 that I'm not happy with - any ideas why this is required? – Rory Jan 10 '13 at 00:29
2

I have a similar problem that is only solved by moving NTLM on top of Kerberos in the providers as explained by Rory, or by modifying DNS. The problem only occurs in IIS7 when the host header of the website exists as a CNAME (alias) in the DNS. In IIS6, Integrated Windows Authentication only uses NTLM by default. In IIS7, IWA uses Kerberos before NTLM by default. Replacing the CNAME record with an A record solves the problem. Kerberos has no problems with A records in DNS, but it has problems with aliases.

So apparently DNS CNAMEs are not compatible with Kerberos on Windows 2008.

chris
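An added PowerShell diagnostic, not code from chris's answer or the question, that checks the two conditions this thread ties to the login prompt: whether the site's host header is a DNS CNAME, and whether an HTTP service principal name exists for that name (ErikE's comment on the accepted answer). It assumes a domain-joined machine with the DnsClient module (Resolve-DnsName) and setspn.exe available; the host name passed at the bottom is a placeholder.

```powershell
# Added example (not from the answer): report whether Negotiate (Kerberos) can be
# expected to work for a given host header, or whether NTLM fallback / an A record is needed.
function Test-KerberosHostName {
    param([Parameter(Mandatory)][string]$HostName)

    # A CNAME answer means the client asked for an alias; Kerberos builds the SPN from that name.
    $records = Resolve-DnsName -Name $HostName -ErrorAction Stop
    $cname   = $records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1

    # setspn -Q prints "Existing SPN found!" or "No such SPN found." for the queried SPN.
    $spnText  = (& setspn.exe -Q "HTTP/$HostName" 2>&1) -join "`n"
    $spnFound = $spnText -match 'Existing SPN found'

    $verdict = if ($cname -and -not $spnFound) {
        'CNAME and no HTTP SPN: Kerberos will fail; use an A record or register an SPN for the app pool account'
    } elseif ($cname) {
        'CNAME: Kerberos may still fail unless the registered SPN matches the name the client uses'
    } elseif (-not $spnFound) {
        'No HTTP SPN for this name: register one (setspn) for the app pool identity'
    } else {
        'A record and HTTP SPN present: Kerberos should be expected to work'
    }

    [pscustomobject]@{
        HostName          = $HostName
        IsCname           = [bool]$cname
        CnameTarget       = if ($cname) { $cname.NameHost } else { $null }
        HttpSpnRegistered = $spnFound
        Verdict           = $verdict
    }
}

Test-KerberosHostName -HostName 'mysite.example'   # placeholder host header, not from the page
```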

0

If the browser prompts you for credentials, I think your app pool credentials don't have access to some of the resources on your page. Have you tried to create a blank HTML page and access that page?

    <html>
    <body>
    hello world!
    </body>
    </html>
Ray Cheng
  • Yes I tried that with no luck. Tried adding the application pool and the user used to log in to the application pool. – divide_byzero Sep 24 '12 at 11:03
  • Have you tried to monitor the traffic with Fiddler? It should tell you the request and response code for each resource on your page. The HTTP response code should be the starting point. – Ray Cheng Sep 24 '12 at 15:14
  • I already fixed the problem. It was basically configuration settings that weren't set properly and they didn't allow the authentication to happen like it should. Thank you though. – divide_byzero Sep 24 '12 at 15:59
0

I have a similar problem.

I had an application under Default Web Site that already had Windows authentication enabled but didn't work. I solved it by disabling anonymous authentication on Default Web Site and also enabling Windows authentication on Default Web Site.

FTF