I am trying to develop an ASP.NET Core web application which uses Kerberos authentication and delegation to forward the identity of the authenticated user to another REST API (PI Web API). For more information about what exactly I am trying to do, check this question.
Currently I have configured the application to run on IIS by disabling Anonymous Authentication, enabling Windows Authentication and setting Negotiate:Kerberos as the only authentication provider in the Windows Authentication settings.
When I try to open the web application on any machine in the same network (even on the same server IIS runs on), my user credentials are not accepted and I get a 401 error returned by IIS. When I check the Security event logs on that server, I can sometimes see a successful logon with Kerberos (event ID 4624) for the user whose credentials I typed into the login dialog in the browser. Strangely, this is not always the case. For example, sometimes I try it again a day later and then there is nothing at all logged in the event logs regarding the login. When I look into the IIS logs for the site, I see entries like this:
2022-05-17 10:57:55 ::1 GET / - 8095 - ::1 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 401 1 2148074248 609
or this:
2022-05-23 10:48:54 192.168.XXX.XXX GET / - 8095 - 192.168.XXX.XXX Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/101.0.0.0+Safari/537.36 - 401 1 2148074254 8
After consulting our network admin and also doing some research on my own, I cannot figure out what causes these errors and what can be done to fix them. Right now I cannot even reproduce any of those errors reliably, because they seem to change from time to time without my changing anything.
What could be the problem here?
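A small diagnostic to go with the log lines above, added here and not part of the original question or of IIS itself: it parses IIS W3C log entries and names the SSPI error that IIS records as a decimal number in sc-win32-status. It assumes the default IIS field order whenever a log has no #Fields header; the sample log, the third (successful) request and the EXAMPLE\alice user are constructed.

```python
"""Decode IIS W3C log lines from failed Windows Authentication handshakes: sc-win32-status
holds the SSPI HRESULT in decimal; naming it makes the entry searchable and correlatable."""

# Default IIS W3C field order (assumed: the question's log lines were posted without #Fields).
DEFAULT_FIELDS = (
    "date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken"
).split()

# SSPI HRESULTs from winerror.h that IIS reports for failed Negotiate/Kerberos logons.
SSPI_ERRORS = {
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
    0x80090311: "SEC_E_NO_AUTHENTICATING_AUTHORITY",
    0x80090322: "SEC_E_WRONG_PRINCIPAL",
}
# IIS 401 sub-status codes seen with Windows Authentication.
HTTP_401_SUBSTATUS = {1: "Logon failed", 2: "Logon failed due to server configuration",
                      3: "Unauthorized due to ACL on resource"}

def parse_iis_log(text):
    """Return one dict per request line, honouring a #Fields directive if present."""
    fields, rows = DEFAULT_FIELDS, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip malformed lines instead of mis-mapping fields
                rows.append(dict(zip(fields, values)))
    return rows

def explain_auth_failure(row):
    """For a 401 entry return the client, '401.<sub> <meaning>' and the named SSPI error."""
    if row["sc-status"] != "401":
        return None
    sub, win32 = int(row["sc-substatus"]), int(row["sc-win32-status"])
    return {"client": row["c-ip"],
            "http": f"401.{sub} {HTTP_401_SUBSTATUS.get(sub, 'unknown sub-status')}",
            "sspi": f"0x{win32:08X} {SSPI_ERRORS.get(win32, 'unmapped HRESULT')}"}

# Constructed sample: the two entries from the question plus one successful request.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-05-17 10:57:55 ::1 GET / - 8095 - ::1 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 401 1 2148074248 609
2022-05-23 10:48:54 192.168.XXX.XXX GET / - 8095 - 192.168.XXX.XXX Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/101.0.0.0+Safari/537.36 - 401 1 2148074254 8
2022-05-23 10:48:55 192.168.XXX.XXX GET / - 8095 EXAMPLE\\alice 192.168.XXX.XXX Mozilla/5.0 - 200 0 0 15"""
FINDINGS = [f for f in map(explain_auth_failure, parse_iis_log(SAMPLE_LOG)) if f]
```

Run against a real log directory, the named errors can be matched by time against the Security event log on the IIS host, which is easier than searching for the raw decimal values.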