We've deployed an asp.net site and WCF services in IIS, and can access the site and services remotely with no issues. We have site bindings set up in order that for remote calls we're using https, and we use the URL Rewrite IIS add-in to redirect requests to https if they are http requests. All requests are working remotely, however when we actually log onto the Windows 2008 Server, open up IIS 7.5 and try to browse the content locally on the server we get a credential challenge Title: "Windows Security" Message: "Connecting to {server name}" with ok/cancel buttons.
I'm logged into the server with the same credentials that I'm accessing the web site on from my local machine.
Any ideas?
The error message that come is as below:
The HTTP request is unauthorized with client authentication scheme 'Negotiate'.
The authentication header received from the server was 'NTLM,Negotiate'.
As mentioned this error does not come when the service is accessed remotely. This only happens while calling the service from the server where it is hosted. Probably some setting in IIS?
As the Exception says, the authentication schemes do not match. Your client does not offer NTLM. Please check the internet explorer enhanced security configuration and see if it is active or see if it is restricted otherwise to use NTLM.
Related
I have IIS 8.5.9600.16384 running on Windows Server 2012R2 and a website configured as application with separate application pool.
In IIS Authentication only "Anonymous Authentication" is enabled. To perform authentication, my site uses it's own login prompt and calls a .net core backend with basic schema, something like
POST /mycorebackend/login
with http header
Authorization: Portal base64encoded_username_and_password_here
Everything works just fine if authentication is successful and backend responds with HTTP OK.
But if backend returns 401 Unauthorized I've got pop-up from IIS asking me to provide credentials, like I'm trying to access a folder with some content, but I'm not.
I just need to get my 401 error and continue my js execution without any prompts.
Can anyone help or at least give a me hint where to search for?
I think this may be related to IIS-kestrel integration or so... For some reason IIS tries other schemes or so...
Thank you
I think you are looking for these settings. that should resolve it
I've been developing a web application calling an authenticated web service located on another server through the use of delegation of authentication and Kerberos. Everything is working fine when the user authenticates through a browser/desktop located on the same network as the server (Intranet context). When the desktop is on another network than the servers (ex: from Internet), I get prompted for credentials, which is expected. After that the web services server returns "The remote server returned an error: (401) Unauthorized." message. This happens even if I add my web application to the "intranet" or "trusted site" Security Zone in Internet Options, in Internet Explorer (11). I also tried with Chrome but same result. I don't understand what creates that error. I expected the behaviors to be the same on both networks. Maybe someone has an idea for the cause of that behavior?
Attached is a diagram to help clarify the context.
The reason it cannot work is that the connection falls back to NTLM instead of using Kerberos. Therefore, delegation of authentication is not possible.
I recently created a web service which all worked fine until I moved it from my local PC to our development server. I now get a HTTP status 401: Access Denied message when I try to connect from a small test website. I googled around and found the following code:
SoiisdevJobService.JobsService jService = new SoiisdevJobService.JobsService();
jService.Credentials = System.Net.CredentialCache.DefaultCredentials;
And it now works, but I'm not sure what this code actually does. Can someone explain it to me? I'm using IIS 6, Windows auth, and in my config I've set the auth mode to Windows and to deny non-authed users. In my small test app I've set the same in my config.
Why do I need to provide the code above? I expected this to just work.
It is because you have turned off access for non-authenticated users. See the quote below from the Microsoft website (http://support.microsoft.com/kb/811318/EN-US):
When Anonymous access authentication is turned off for the Web service
application, all the caller applications must provide the credentials
before making any request. By default, the Web service client proxy
does not inherit the credentials of the security context where the Web
service client application is running.
I have a web application (say app1) which is hosted in a IIS server virtual directory.
This web application needs Integrated Windows Authentication for its functioning.
I need to integrate this web application with another product which does not use supply me windows credentials.
This application sends me an http request in a specific format.
I need to validate the request and redirect it to app1 with valid windows credentials so that it logs in smoothly.
I have created another application for this purpose
This is hosted on a separate virtual directory.
It has IIS anonymous and asp.net anonymous authentication enabled.
the pseudo code is as follows :
app2
parse request
if request sucessful
get windows credentials
get identity using credentials
reponse.redirect(app1.aspx)
But app1 authentication fails, IE asks me for credentials again.
Ideally IE should not ask me for credentials.
What would be the security context sent in the request to app1.
How can I trace the authentication failure at iis and asp.net?
To do this you need a trust relationship between the domains.
The response.redirect just sends a response back to the browser which then makes a request for the page in the redirect. So the identity is the identity of the browser.
I have a web service running in IIS 6.0 on Windows 2003. It's authentication mode is Integrated Windows security (anonymous disabled), and authorization is done with Authorization Manager and an XML authorization store. My test user is a domain user (admin, actually) with membership in an authorized role.
I am testing this (for now) on the web server (localhost), and using (for now) Internet Explorer to access the web service (.asmx).
I can successfully open the web service (wsdl) page through localhost, like this:
http://localhost:8080/MyService/MyService.asmx
Using this url, integrated windows authentication succeeds (silently), and I am sucessfully authorized by AzMan to access the service. The same goes for the server name:
http://myserver:8080/MyService/MyService.asmx
Now I need to use the external host name (www.mysite.no) to access the service (this in order to get ssl to work with a certificate issued to that sitename). To do this, I add the host name to my HOSTS file, like this:
127.0.0.1 www.mysite.no
...then type this into IE:
http://www.mysite.no:8080/MyService/MyService.asmx
What happens then is that authorization fails. I get the IE/Windows login box and enter my correct credentials three times. Then I get a 401.1:
HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.
Internet Information Services (IIS)
How is authorization through AzMan influenced by the host name?
Edit: I have reason to believe AzMan has nothing to do with it - it seems to be the authentication that fails.
I have reproduced the problem on another server. The essence seems to be that accessing localhost via an entry in the local host file somehow messes up the integrated windows authentication between the browser and IIS.
I have worked around the problem, now my curiosity is all that's left...
Enable audit login failure auditing & check the security event log on the host.
1) On the webserver, go to Control Panel, Administrative Tools, Local Security Policy.
2) Go to local policies, audit policy. Add failure for 'audit logon events'.
3) Close the MMC. Open a command prompt and type gpupdate.
4) browse to http://www.mysite.no. You will get the error again.
5) Launch event viewer (control panel, admin tools, event viewer). Navigate to the security event log and look for the login failure(s).They shoudl tell you something descriptive, like 'the user has not been granted the specified logon type'. Unfortunately the login type itself is not descriptive; logon type 2 is interactive (locally), 3 is 'access this computer over the network', 5 is 'logon as a service' (NT service, not WCF service). The rights required can be granted in the local security policy.
Also, check to see if you have a proxy enabled in IE. If your traffic is being routed to the proxy, it is possible that the proxy does not support NTLM. Add the host as a proxy exception while you test using IE.
My first guess is that it's not the host name.
The first thing to do is narrow down the problem as there are a couple things that could be going wrong.
First set the IIS site to anonymous access, and make sure you can pull up the web service. That will verify that you're accessing the right IIS web site and it's truly narrowed down to an authorization problem.
Also, check the Application Pool credentials, and the security settings on the file folder containing the web service as these could be contributors.