Re: Basic Authentication fails with Error 401.2 where Integrated s



When I see weird and erratic behavior, my first question is "do you
have a custom ISAPI Filter installed on the server". Both global as well
as per-site.

The password dialog is supposed to appear for Basic authentication
*unless* the client is allowed to auto-login with Basic. That's not
allowed by default for security reasons. You hardly want the browser
to automatically hand over your login password to ANY website which
asks for it, right?

Thinking more esoterically now -- what are the login rights assigned
to your test user. IIS uses a specific login type (configurable), so
ability to login via remote desktop is insufficient proof that IIS can
login that user. See this URL for more info:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cf438d2c-f9c7-4351-bf56-d2ab950d7d6e.mspx?mfr=true

Usually the defaults when you just create a user via NET USER name
password /ADD will suffice, but sometimes Group Policies of a domain
can alter this behavior (even if you've unjoined this machine from a
domain).

Are you sure you don't have a proxy or network policy/device which is
simply forbidding Basic authentication altogether (because it exposes
the user's password)? For example, it'd be really easy for such a
proxy or network device (or even ISAPI Filter...) to simply strip off
the Authorization: Basic header being sent with your requests, at
which point since you don't have Anonymous enabled, IIS will return
401.2 EVEN THOUGH you have basic auth enabled -- because to IIS, your
request has been stripped to an anonymous request by removing the
Authorization: Basic header. You can test this theory by temporarily
enabling Anonymous and Basic authentication and ACL'ing files to allow
access to the IUSR.

> working with fails if the initial challenge isn't basic authentication and (as
> I understand it, and please correct if this is wrong) IIS will try integrated
> first and basic second if both are enabled.

Not exactly. IIS only advertises to the HTTP Browser the
authentication protocol it requires with a certain ordering. It is the
HTTP Browser which determines which authentication protocol to use. IE
will choose Integrated before Basic if both are enabled.

Brief explanation of what's going on here:

HTTP, like many network protocols, is a give-and-take sort of
protocol. When it comes to authentication, you can only configure the
server to REQUIRE certain authentication protocols to get access to
secured resources. If an HTTP browser requests the secured resource
without using the required authentication protocol, the server simply
responds 401.2 with a list of required protocols.

At this point, the browser can either choose to ignore the server's
suggestion (not wise), choose an authentication protocol to negotiate
(and pop up the login dialog as necessary by security/Internet Zone
settings), or auto-login with some credentials in a proprietary
algorithm. Now, since the browser is attempting to authenticate with a
requested authentication protocol, the server either replies:
- 401.1 if the username/password is incorrect
- 401.3 if the credentials are alright but the NTFS ACLs deny the
authenticated credentials access to the secured resource
- 401.4/401.5 if the credentials are alright but an ISAPI Filter/ISAPI
Extension denied access for an arbitrary reason
- Anything else indicates the credentials are alright and action
according to HTTP status code was performed on the server


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
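The challenge/response exchange David describes, written out as an added example that is not part of the original thread: it parses a raw IIS 401 reply, lists the schemes the server advertises, shows which one an IE-like browser would pick, and applies his stripped-header theory to a 401.2. The sample response, the browser preference order and the function names are constructed assumptions, not captured from the poster's server.

```python
import base64
import re
# IIS 401 sub-status meanings, as laid out in the reply above.
SUBSTATUS = {1: "credentials rejected (bad username/password)",
             2: "request reached IIS without acceptable credentials",
             3: "credentials accepted, NTFS ACL denies the resource",
             4: "credentials accepted, ISAPI filter denied access",
             5: "credentials accepted, ISAPI extension denied access"}
# Order an IE-like browser uses when the server advertises several schemes.
CLIENT_PREFERENCE = ("Negotiate", "NTLM", "Basic")
# Constructed sample (not a real capture): challenge offering Integrated + Basic.
SAMPLE_401 = (b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
              b'WWW-Authenticate: NTLM\r\nWWW-Authenticate: Basic realm="x"\r\n'
              b"Content-Type: text/html\r\n\r\n<html>HTTP Error 401.2 - "
              b"Unauthorized: Access is denied due to server configuration.</html>")
def parse_response(raw):
    """Split a raw HTTP response into (status code, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (line.partition(":") for line in lines[1:])]
    return status, headers, body.decode("latin-1", "replace")

def advertised_schemes(headers):
    """Scheme tokens from every WWW-Authenticate header, in server order."""
    return [v.split()[0] for n, v in headers if n == "www-authenticate"]

def choose_scheme(schemes):
    """Scheme a browser with IE-like preference would negotiate, or None."""
    return next((p for p in CLIENT_PREFERENCE if p in schemes), None)

def basic_header(user, password):
    """Authorization value for Basic: base64 only, so the password is exposed."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def diagnose(raw, sent_basic):
    """Explain a response to a request that did/did not carry Authorization: Basic."""
    status, headers, body = parse_response(raw)
    if status != 401:
        return f"credentials accepted; status {status} reflects the resource"
    schemes = advertised_schemes(headers)
    sub = int(m.group(1)) if (m := re.search(r"401\.(\d)", body)) else 0
    if sub == 2 and sent_basic and "Basic" in schemes:
        # Basic offered and sent, yet IIS saw no credentials: suspect a stripped header.
        return "401.2 although Basic was offered and sent: Authorization likely stripped"
    if sub == 2 and not sent_basic:
        return f"401.2 challenge; an IE-like browser would pick {choose_scheme(schemes)}"
    return f"401.{sub}: {SUBSTATUS.get(sub, 'unknown sub-status')}"
```

Run `diagnose` twice against the same 401.2 capture, once with `sent_basic=False` and once with `True`, to separate an ordinary challenge from David's stripped-header case.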






On Oct 26, 1:23 am, Jude Fisher <JudeFis...@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
Roger,

Yes, to restate the setup is as follows:

Test directory with simple static test page in it.

On the IIS directory security tab, anonymous access is disabled, digest
authentication is disabled, integrated authentication is disabled and basic
authentication only is enabled. The two text boxes at the bottom (domain and
realm) are empty.

On the windows explorer security dialog for the folder, the test user
account created has full permissions for the folder and the file that's in it.

I've tested that the user account can log on through remote desktop
connection and once logged on can open that directory and file using windows
explorer, so the NTFS permissions seem to be OK.

I then try to access the static page using internet explorer (either from my
remote machine or on the server via remote desktop). I've also tested with
firefox and safari. In all cases I get the same result. A windows security
dialog box pops up. I've tried entering every combination of
COMPUTERNAME\USER I can think of, prepending the workgroup (this computer
isn't part of a domain) instead of the computername etc. The dialog box just
pops up again and after a few attempts the page refreshes to a 401.2 error.
This behaviour is consistent if I use the administrator account for the
machine or any other account.

With both success and failure logging enabled I see nothing related to this
log in attempt in the security event log.

If I go back into the IIS directory security tab and enable integrated
security either instead of or in addition to basic authentication, then
refresh the browser, then the log in attempt works at the first time of
asking. This won't do for my purposes because the external provider we're
working with fails if the initial challenge isn't basic authentication and (as
I understand it, and please correct if this is wrong) IIS will try integrated
first and basic second if both are enabled.

I have tried this twice now with separate directories, starting from
creating the directory and step by step enabling and disabling all the
different settings and everything appears to work exactly as you expect it
would until I set directory security to use basic authentication only, and
then everything breaks.

Thanks again for your time in looking into this. I'm afraid I expect it
eventually to be something dumb and simple that I've missed - just hoping to
get to the bottom of it while I still have some hair left.

Jude Fisher / JcFx



"Roger Abell [MVP]" wrote:
OK. So I am assuming that your test.html is simple static html
that does not involve this vendor's parts. I am also assuming
that when you set up /test you did set the NTFS permissions
directly or via IIS so that the account you are testing with does
have read. The logins you see for IUsr_ and Network Service
are likely from spinning up IIS backside support on first hits
on the /test site, and you're not seeing login failure messages
most likely means that the login was successful. If permissions
on /test/test.html do not allow access by your authenticated test
user account then IIS will reprompt for an account that does.
Could that be what is happening? Likely not as you have said
that all works if you enable integrated authentication, with the
precise same test setup, right?
Let us know if the above assumptions are correct, OK? We can
then look at what is left, if we can figure what it is.

Roger

"Jude Fisher" <JudeFis...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7B8342C2-2804-4B57-ACE2-457352396425@xxxxxxxxxxxxxxxx
Roger,

I've set up the test directory as described in my first post. I'm then
trying to access the page (http://localhost/test/test.html) through internet
explorer. I get a windows log in box as a prompt. As you can imagine, I've
tried every possible combination of things but I'm mostly trying with
COMPUTERNAME\USER and the password. The password is for the moment set to
something absurdly simple so I'm sure it's not a problem with that.

I've enabled failure logging and tested a regular remote desktop log in to
verify the failure is being recorded (it is). When I attempt to access the
directory above, however, I don't get a failure audit. I don't get any event
at all for the user I'm trying to log in with. What I do get is a success
audit for the IUSR account (even though anonymous access is turned off and I
am denied access to the page I'm trying to get to). Some details from that
success audit:

User Name: IUSR_XXXXXXXXXXXXXXXX
Domain: XXXXXXXXXXXXXXXX
Logon ID: XXXXXXXXXXXXXXXX
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: XXXXXXXXXXXXXXXX
Logon GUID: -
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: XXXXXXXXXXXXXXXX
Caller Process ID: 184
Transited Services: -
Source Network Address: -
Source Port: -

I actually get two (identical) success audits for this account, and a
success audit for the NETWORK_SERVICE account, but it is as if the attempt to
log in through the username/password box just never happened.

Not sure if any of that is useful but any help would be appreciated.

Thanks for your time so far.

Jude Fisher

"Roger Abell [MVP]" wrote:

How are you trying to log in? With domain\account when
using a domain account? The auditing settings are in the
Local Security Policy which you will find in Administrative
Tools (though domain policy may be controlling).

"Jude Fisher" <JudeFis...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E1E3B299-F273-44FF-B61E-7DAC0CEF25AB@xxxxxxxxxxxxxxxx
Roger,

Thanks for replying.

The event log doesn't appear to be recording failures. How would I turn
that on?

Thanks again.

Jude Fisher

"Roger Abell [MVP]" wrote:

Have you looked into the security event log, assuming that it
is configured to record login failures?
You will probably see an unknown account or bad password
event message, indicating the account that the domain.
This last is probably not correct if the login attempt did not
use domain\account syntax in the login attempt, where domain
might need to be the local machine name of the webserver if
domain account is not in use.

"Jude Fisher" <JudeFis...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6CF2177C-D68E-46CD-A95D-1FF4D51BC8C0@xxxxxxxxxxxxxxxx
Hi,

I'm a developer rather than a server tech and I've run into some problems
configuring a website.

An external provider we're using requires that a specific script be in a
directory that is protected by Basic Authentication. This isn't something
I've had to do before so I've been stumbling along following the KB
instructions. I've set up a test directory but I can't seem to get
authentication working properly. Here are the details:

I'm running IIS 6 on Windows Server 2003 with Asp.Net 1.1 and 2.0 both
installed.

The directory is configured with regular read privileges, no scripts or
executables for the moment. The page inside the directory that I am using for
testing is just a plain html page with one line of text in it.

The directory is configured in IIS with only Basic Authentication checked
(Anonymous access, digest and integrated access are all cleared) and the
domain and realm fields are empty.

I have a limited access account I want to use for this but for testing I've
also tried my administrator account, which has privileges to the folder and
also local log on privileges for the machine. Problems are consistent
whichever account is used.

The error occurs whether I'm connecting remotely or (through remote desktop)
via localhost, which should rule out any proxies.

The error returned is HTTP Error 401.2 - Unauthorized: Access is denied due
to server configuration.

*IMPORTANT* (I'm hoping this points directly to the problem!) - If I check
the integrated authentication box in the IIS security configuration, suddenly
the log in works. If I clear it so only basic is checked, it breaks again.

Thanks in advance for any assistance.



