views:

309

answers:

2

Hi all

I have a web service running in IIS 6.0 on Windows 2003. Its authentication mode is Integrated Windows security (anonymous disabled), and authorization is done with Authorization Manager and an XML authorization store. My test user is a domain user (admin, actually) with membership in an authorized role.

I am testing this (for now) on the web server (localhost), and using (for now) Internet Explorer to access the web service (.asmx).

I can successfully open the web service (wsdl) page through localhost, like this:

http://localhost:8080/MyService/MyService.asmx

Using this url, integrated windows authentication succeeds (silently), and I am successfully authorized by AzMan to access the service. The same goes for the server name:

http://myserver:8080/MyService/MyService.asmx

Now I need to use the external host name (www.mysite.no) to access the service (this in order to get ssl to work with a certificate issued to that sitename). To do this, I add the host name to my HOSTS file, like this:

127.0.0.1   www.mysite.no

...then type this into IE:

http://www.mysite.no:8080/MyService/MyService.asmx

What happens then is that authorization fails. I get the IE/Windows login box and enter my correct credentials three times. Then I get a 401.1:

HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.
Internet Information Services (IIS)

How is authorization through AzMan influenced by the host name?

Edit: I have reason to believe AzMan has nothing to do with it - it seems to be the authentication that fails.

I have reproduced the problem on another server. The essence seems to be that accessing localhost via an entry in the local host file somehow messes up the integrated windows authentication between the browser and IIS.

I have worked around the problem, now my curiosity is all that's left...

+1  A: 

My first guess is that it's not the host name.

The first thing to do is narrow down the problem as there are a couple things that could be going wrong.

First set the IIS site to anonymous access, and make sure you can pull up the web service. That will verify that you're accessing the right IIS web site and it's truly narrowed down to an authorization problem.

Also, check the Application Pool credentials, and the security settings on the file folder containing the web service as these could be contributors.

routeNpingme
But the host name is all that's different..
Tor Haugen
+1  A: 

Enable audit login failure auditing & check the security event log on the host.
1) On the webserver, go to Control Panel, Administrative Tools, Local Security Policy.
2) Go to Local Policies, Audit Policy. Add failure for 'audit logon events'.
3) Close the MMC. Open a command prompt and type gpupdate.
4) Browse to http://www.mysite.no. You will get the error again.
5) Launch Event Viewer (Control Panel, Administrative Tools, Event Viewer). Navigate to the Security event log and look for the login failure(s). They should tell you something descriptive, like 'the user has not been granted the specified logon type'. Unfortunately the login type itself is not descriptive; logon type 2 is interactive (locally), 3 is 'access this computer over the network', 5 is 'logon as a service' (NT service, not WCF service). The rights required can be granted in the local security policy.

Also, check to see if you have a proxy enabled in IE. If your traffic is being routed to the proxy, it is possible that the proxy does not support NTLM. Add the host as a proxy exception while you test using IE.

JohnW
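The audit-and-inspect procedure from this answer, scripted as an added example that is not part of the thread. It assumes Windows PowerShell 2.0 or later on the web server, that failure auditing of logon events has already been enabled by steps 1-3 (on Server 2008 and later the auditpol line does that), and it uses the hostname from the question only as a placeholder.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 2.0+ on the
# web server and that failure auditing of logon events is already enabled
# (steps 1-3 above; on Server 2008+ the auditpol line below does the same).
$TestUrl = 'http://www.mysite.no:8080/MyService/MyService.asmx'  # placeholder from the question
$LookbackMinutes = 10

if ([Environment]::OSVersion.Version.Major -ge 6) {
    auditpol /set /subcategory:"Logon" /failure:enable | Out-Null
    gpupdate /target:computer | Out-Null
}

# Meaning of the numeric logon type in a failure audit (2, 3 and 5 as in the answer).
$LogonTypes = @{ 2 = 'Interactive (local)'; 3 = 'Network (access this computer from the network)';
                 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'; 8 = 'NetworkCleartext';
                 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

Write-Host "Reproduce the 401.1 now by browsing to $TestUrl, then press Enter."
Read-Host | Out-Null

# Step 5: read only failure audits from the last few minutes and pull out the
# fields that explain the failure. Server 2003 events use 'User Name:' and
# 'Reason:'; Server 2008+ events use 'Account Name:', 'Failure Reason:' and 'Status:'.
Get-EventLog -LogName Security -EntryType FailureAudit -After (Get-Date).AddMinutes(-$LookbackMinutes) |
  ForEach-Object {
    $m = $_.Message
    $t = if ($m -match 'Logon Type:\s+(\d+)') { [int]$Matches[1] } else { $null }
    New-Object PSObject -Property @{
      Time      = $_.TimeGenerated
      EventId   = $_.EventID
      Account   = if ($m -match '(?:User Name|Account Name):\s+(\S+)') { $Matches[1] } else { '' }
      LogonType = if ($t -ne $null) { "$t ($($LogonTypes[$t]))" } else { 'n/a' }
      Reason    = if ($m -match '(?:Failure )?Reason:\s+([^\r\n\t]+)') { $Matches[1] } else { '' }
      Status    = if ($m -match 'Status:\s+(0x[0-9A-Fa-f]+)') { $Matches[1] } else { '' }
    }
  } | Sort-Object Time | Format-Table Time, EventId, Account, LogonType, Reason, Status -AutoSize

# Second check from the answer: is IE routing the request through a proxy
# (which may not support NTLM), and is the test host on the bypass list?
# Note: wildcard bypass entries such as *.mysite.no are not expanded here.
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$hostName = ([Uri]$TestUrl).Host
if ($ie.ProxyEnable -eq 1) {
    $bypassed = ($ie.ProxyOverride -split ';') -contains $hostName
    Write-Host "IE proxy is $($ie.ProxyServer); '$hostName' is in the bypass list: $bypassed"
} else {
    Write-Host 'IE is not using a proxy, so the proxy is not the cause.'
}
```

Run it from an elevated PowerShell prompt on the server; a failure audit whose reason reads like 'has not been granted the requested logon type' points at the user-rights assignment for the logon type shown, as the answer describes.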