views:

139

answers:

2

Since we moved from IIS 7.0 to IIS 7.5 the Windows Authentication doesn't work anymore from remote requests. If I open the website on the webserver everything works fine.

web.config:

<authentication mode="Windows" />
<identity impersonate="true" />
<authorization>
        <deny users="?" />
        <allow users="*" />
</authorization>

IIS Settings:

Authentication (enabled): ASP.NET Impersonation, Windows Authentication (all others are disabled)
ApplicationPool: Managed Pipeline Mode -> Classic, Identity -> ApplicationPoolIdentity

Failed Request Trace:

MODULE_SET_RESPONSE_ERROR_STATUS
ModuleName: WindowsAuthenticationModule
Notification: 2
HttpStatus: 401
HttpReason: Unauthorized 
HttpSubStatus: 1
ErrorCode: 2148074254 
ConfigExceptionInfo:  
Notification: AUTHENTICATE_REQUEST
ErrorCode No credentials are available in the security package (0x8009030e) 

Any suggestions?

A: 

Which client are you using? you might be running a client that is trying to pre-authenticate, but in IIS 7 we use Kernel Mode authentication by default which requires a challenge. If that is the case you can disable Kernel Mode auth by selecting the Windows Authentication entry and clicking Advanced Settings, you should see a checkbox that allows you to Disable that for the specific application and it should work if this is the problem.

CarlosAg
After I disable it I will get two FailedTrace Request:1st:Request SummaryUrl http://computername:80/ App Pool AppPoolName Authentication NOT_AVAILABLEUser from token Activity ID {00000000-0000-0000-0A00-0080000000FC} MODULE_SET_RESPONSE_ERROR_STATUS 401.22nd:Request Summary:Url http://computername:80/ App Pool AppPoolName Authentication NTLM User from token domain\username Activity ID {00000000-0000-0000-0C00-0080000000FC} MODULE_SET_RESPONSE_ERROR_STATUS 401.5It looks like the first request is an PreAuthentication but I have disabled the KernelMode.
Dave
We tried it with the following clients with no success, Windows XP (Safari, Firefox, IE) and Windows 7 (Chrome, IE)
Dave
+1  A: 

We had a two-hop problem I think. If I move our SQL/Oracle DB to the server which is running IIS it works.

So here is an article to which describes a solution.

How to configure SQL and IIS for two hop kerberos authentication 2

or SSRS Reportviewer ASP.NET Credentials 401 Exception

Thanks

Dave