BACKGROUND : I have an IIS 7.5 site containing thirteen different web applications where each application is simply hosting different web services. Nothing fancy. Here is a graphical view of the site.
Each of the web applications are running under their own application pool, all running .NET 4.0 Integrated Pipeline under the ApplicationPoolIdentity.
At the site level I have set the Authentication to be the following
When I try to access the web services within one web application I get 401 errors. All other web services in the other web applications can be accessed without errors.
Here is a snippet of the IIS log when the error occurs. The errors are the same when using a web service proxy class or when accessing the web service url via the browser.
Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.269) 401 2 5 17721
Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.269) 401 1 2148074254 15
If I access the Url directly from the browser I am prompted for my credentials. If I enter my domain credentials I still get the 401.1 error. :(
This error is repeatable on all devices in our domain, so it is not isolated to my machine.
I have verified the folder structure containing the web services in question has the same permission as the other folder structures of the twelve web services that work.
The Site is running in Kernel-mode authentication which is the default.
QUESTION: I'm a developer with limited knowledge of IIS. Anything else I could look at?
Thanks
The answer to my problem was rebooting my server. Still never got a definitive why the issue was occurring.
Related
I am in the deployment phase of two separate asp.net 4.5 web applications being put onto a server running asp.net 4.6. We use a mixture of windows 7 and windows 10. All computers are on the same domain and the server is running IIS 8.5. This intranet application is supposed to use windows authentication to either send a user with invalid credentials to a web page with an error message or give the person access to the site. The problem is that some users are getting prompted to login regardless of security group that they belong to.
I have added the domain to the company wide whitelist and set internet explorer to use automatic windows authentication on intranet websites. We have tried moving the site to a non-shared folder. We finally tried converting both of the web applications to a web site project and the security worked just fine. However, we don't want to use web site projects anymore and find this to be a temporary solution.
I have made certain that authentication has been set to windows.
When checking the IIS logs, I see the error codes 401 0 0 15 and 401 2 5 0. Maybe there is some other setting that we are overlooking when deploying? Any help would be greatly appreciated.
For your application to log in with your network's active directory, you need to configure windows authentication twice, the first one is from your application (Visual Studio) and the second one is in the IIS and you must convert the folder into an application and use the framework version correctly.
Visual Studio:
<system.web>
<authentication mode = "Windows" />
</system.web>
IIS:
Convert the folder to application by right clicking and "Convert to application", then select the application and go to the "Authentication" tab disable "Anonymous authentication" and enable "Windows authentication"
Greetings from Mexico.
Goal
I am trying to deploy an MVC3 application that requires Windows Authentication (specifically Kerberos) as an Application within an older asp.net Anonymous Authentication Website.
Symptoms
In IIS 7.5 Express on my box it works perfect, obviously. When I deploy it to IIS 7.5 as its own site I get challenged for domain credentials, though none are accepted. When I deploy it as an application I get the custom error page back from the hosting site. To confirm - Kerbtray shows no ticket in either scenario.
Details
Both the Site and the new child Apps run on the same application pool, and the application pool runs as AppPoolIdentity. That built-in IIS app pool account (IIS AppPool\MyAppPoolName) has full Read/Execute permissions down both the Site's and the App's folder trees. No impersonation is used.
Question(s)
Is there anything special I need to do to get NTLM and Kerberos working on an App inside an anonymous auth Site?
If not, any advice on things/places to look would be great - the ApplicationHost.config and the app's web.config files look fine.
EDIT: For clarification, this is all on a corporate network that uses Kerberos extensively for other purposes. "Site" refers to an IIS Website and is distinguished from an "Application" that must be hosted within an IIS Site.
After working on this a bit more, I found the answer:
Nothing special is needed to host a Windows (Kerberos) authenticated IIS App within an Anonymous authenticated IIS Site on IIS 7.5 so long as:
a. Kernel Mode Authentication is On - No SPNs required.
b. The application uses the same App Pool Identity as the hosting parent. Different App Pools and their identities can be used, but this does require further NTFS permissions and is beyond the scope of this particular issue.
The issue with my error was something much more simple yet elusive... the parent Site had a custom set of error pages defined in <HttpErrors> including pages for 401 and 403.
This was the error page returned when the user requested a page from the nested Application because Kerberos sends a 401 first, to challenge the user for credentials and ask/him her to get and provide a Kerberos ticket... but because the parent Site returned a 200 response (the custom error page) the user never got a Kerberos ticket.
With these off, the user is now appropriately getting a Kerberos ticket and falls back to NTLM as by default.
My host is having issues getting my MVC3 app to work on their server, so I though I'd check it out myself. Until now I've been too busy developing under the built in server to worry about IIS, but today I tried my first deployment to the host with no joy. Then I tried one to my local IIS, with no joy. Then I tried telling VS to use IIS for debugging, to maybe resolve some local issues, with no joy.
What steps and configuration are required to use local IIS 7.5 to debug an MVC3 application?
EDIT: Going through a browser, after clearing up a permission problem for my Windows user on Temp ASP.NET Files, I now site with a I get a HTTP Error 403 (Forbidden), but the occassional basic auth login dialogue. Here I have tried a Forms auth user, my normal Windows user, and my Windows admin user, all to no avail.
When I try and debug under VS, I get a 500, internal error.
THE PLOT THICKENS: When I enable directory browsing on the site, I get a proper directory listing for the site root url. This suggests the the MVC3 routing is not working, but why not?
If you're getting a directory listing that means there's not a default file set (for IIS6). It usually means the request wasn't routed to IIS to deal with. thing are slightly different with II7 & it's integrated pipeline.
Simon
I have two web site sites on IIS 7 (Default, Custom). Both Sites host the same web application.
Some of the web application behavior changes depending under what web site it is running. Is there a way for the web application to find out what is the name of the WebSite under which it is handling the current request.
Thank you
Imran
System.Web.Hosting.HostingEnvironment.SiteName
will get you the site name as it appears in IIS
Request.Url.Authority
will get yo the requesting url
I'm stumped. I've got an asp.net mvc app being hosted on a shared hosting provider. The configuration of their system leaves a little to be desired, but it's cheap (getting what I pay for I suppose...)
The problem is this: The application is hosted at the root level of the hosting account. I have a virtual directory established underneath the root that is running a .net 2.0 web app along with a web service. I can access the web service directly via the domain/subdirectory url. The main web app (at the root level) needs access to the web service in the virtual (subdirectory). Locally in development, I can run the app against the web service out on the hosting server and it runs just fine. When I push the web app up to the root of the hosting service, I get "The remote name could not be resolved: ".
At first I thought the error was related to the DNS settings of the primary domain since both the web app and web service technically live at the same domain. As part of just trying to get something working, I reverted the web app to reference an older version of the web service on a different server (different host altogether). Again, it works fine locally. When I push the updated web app, I got the same error, but noticed the host name referenced is that of the external domain. Of course, I can access the web service via the browser just fine.
Sorry if this doesn't make total sense... it's late and I'm beat from looking at this for the last few hours. Any help would be greatly appreciated.
EDIT
So the web app simply has a Web Reference to the web service (I could probably just restructure the app avoiding the web service altogether, but time is of the essence [for now]). Since I got stuck last night, I pointed the web reference back to an old server but the issue remains. Right now the url the web reference points to is http://road34.hi-fisoftware.com/webservices/giigsterservice.asmx.
If the server has a firewall then and an external ip and different internal ip then probably you will not be able to access the webservice with the domain name. you will need to access it as internal url or as relative url.