
I have an issue I have been working on for a couple of weeks that has me stumped.

We are moving our dev environments from on premises to AWS EC2 instances, including our IIS server. This hosts a number of webservices, ASP.Net and .Net Core intranet applications.

The majority of these use Windows Authentication, and none are outside world facing.

Some of the applications work fine in both environments, but a number of them work in the on-premises environment but not in the AWS environment, and I either get a Windows authentication pop-up or a 401 (Unauthorized): "The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'".

All of the applications run under a specific domain account with delegation privileges, and there is an SPN set up for that account to the SQL server that hosts the various application databases (also in AWS).

Under providers all applications have Negotiate first, then NTLM.

Most of the applications have only Windows Authentication enabled; some have ASP.NET impersonation enabled as well, but there is no correlation between those that have this set and those that work and those that don't.

I tried setting DisableStrictNameChecking per this post: Unable to get windows authentication to work through local IIS

Other SO posts I have read:

ASP.net kerberos dropping down to NTLM sporadically

Add a Kerberos authentication to existing WebService in asp.net c#

WCF service access from client application when user is behind proxy

Error: The remote server returned an error: (401) Unauthorized

Many Web Service calls caused 401 Unauthorized response randomly

(401) Unauthorized error : WCF security/binding

One of the apps had the below sections in the web.config:

      <system.web>
        <authorization>
          <allow users="*" />
          <!-- Allowing all users. If the users don't have access then they see this page. -->
        </authorization>
      </system.web>
    </location>

    <system.web>
      <compilation targetFramework="4.7" />
      <authentication mode="Windows" />
      <identity impersonate="true" />
      <customErrors mode="Off" />
      <authorization>
        <allow roles="XXXX\Development" />
        <deny users="*" />
      </authorization>
    </system.web>

This app worked in AWS, and I got to the NoAccess.aspx page (I am not a member of the Development AD group). I then removed the "location path" section of the config, restarted the app pool and got a login prompt (as expected).

When I added that section back in and restarted the app pool I no longer reach that page, just get an immediate 401 error with "The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'".

Anyone have any ideas why this happens? I can't find a common thread between those apps that work and those that don't.

I turned on enhanced logging, and have seen the below warnings when running one of the apps that does not work. Interestingly, it shows I am authenticated (and I have rights to run that app).

Event code: 3005 
Event message: An unhandled exception has occurred. 
Event time: 6/8/2021 12:09:45 PM 
Event time (UTC): 6/8/2021 12:09:45 AM 
Event ID: fd6819aa0e4e4011a54d98790112c2f8 
Event sequence: 8 
Event occurrence: 1 
Event detail code: 0 
 
Application information: 
    Application domain: /LM/W3SVC/3/ROOT/ContactManagementApp-1-132675845823847857 
    Trust level: Full 
    Application Virtual Path: /ContactManagementApp 
    Application Path: D:\Applications\ContactManagementApp\ 
    Machine name: SRV123 
 
Process information: 
    Process ID: 1224 
    Process name: w3wp.exe 
    Account name: DOMAIN\SRV123-iis 
 
Exception information: 
    Exception type: WebException 
    Exception message: The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)

 
 
Request information: 
    Request URL: http://SRV123/ContactManagementApp/contact.aspx 
    Request path: /ContactManagementApp/contact.aspx 
    User host address: 123.123.123.123
    User: DOMAIN\userName 
    Is authenticated: True 
    Authentication Type: Negotiate 
    Thread account name: DOMAIN\SRV123-iis 
 
Thread information: 
    Thread ID: 7 
    Thread account name: DOMAIN\SRV123-iis 
    Is impersonating: False 
    Stack trace:    at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
 
 
Custom event details: 

Any ideas what I need to look at for this? Could there be a timeout issue with kerberos?

guytz72
  • You can take a look at: https://social.msdn.microsoft.com/Forums/vstudio/en-US/ab7c0abf-141f-48d5-b5ba-2a3129539019/the-http-request-is-unauthorized-with-client-authentication-scheme-anonymous-the-authentication?forum=wcf – Theobald Du Jun 15 '21 at 08:41
  • Thanks @theobald-du, that doesn't really explain why an app would work in one environment, but not the other as it refers to changing application specific config. – guytz72 Jun 15 '21 at 20:43

1 Answer


I managed to fix this by setting up a Read Only Domain Controller in AWS. Working theory is that there is some sort of timeout issue with kerberos when talking back to the on premises DC's.

guytz72