I'm running into a problem trying to get Windows Authentication working in an environment that uses Microsoft Application Request Routing and was hoping someone might be able to help.
The problem I'm running into is that only some requests are authenticated, while others fail with 401 errors. I have followed the Special Case of Running IIS 7.0 in a Web Farm instructions found at http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx to no avail.
My current server setup looks like the following:
ARR
- Two servers set up with IIS shared configuration using IIS 7.5 on Windows 2008 R2
- Anonymous authentication turned on for the Default Web Site
Web Farm
- Two servers running IIS 7.5 on Windows 2008 R2
- Three web sites set up using port binding to differentiate between virtual hosts. Ports being used are 8000, 8001, and 8002
- Application pools for Windows Authentication all use a common domain account
- SPN added to domain account for
http/and: http/. :
The IIS logs show the following when authentication is working/failing. If I understand correctly, all requests should show DOMAIN\User_Name:
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/stylesheets/techweb.landing.css - 8002 DOMAIN\User_Name ARR-HOST-1-IP-ADDRESS 200 0 0 62
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-background-right.gif - 8002 - ARR-HOST-1-IP-ADDRESS 401 2 5 0
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-background-left.gif - 8002 DOMAIN\User_Name ARR-HOST-IP-ADDRESS 200 0 0 31
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-icon.png - 8002 - ARR-HOST-1-IP-ADDRESS 401 2 5 0
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-icon.png - 8002 - ARR-HOST-1-IP-ADDRESS 401 1 2148074248 0
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/application-icon.png - 8002 - ARR-HOST-1-IP-ADDRESS 401 1 2148074248 0
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-background-right.gif - 8002 - ARR-HOST-1-IP-ADDRESS 401 1 3221225581 15
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/building.gif - 8002 DOMAIN\User_Name ARR-HOST-2-IP-ADDRESS 200 0 0 218
Does anyone know what might cause this problem and how I can resolve it?
EDIT
I do see the Negotiate headers being sent to the servers whenever I perform a network capture.
First request /home:
Request
Nothing
Response
Proxy-Support: Session-Based-Authentication
WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate
Second request /home:
Request
Authorization: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAY....
Response
Proxy-Support: Session-Based-Authentication
WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQ....
Third (and final) request /home:
Request
Authorization: Negotiate oTMwMaADCgEBoioEKE5UTE1TU1AAAQAAAJe....
Response
Proxy-Support: Session-Based-Authentication
WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate
After the third request, I get the 401 page from IIS.
Answer
Get a network packet capture of the failed requests and check the Http request header for the kerberos authentication token. If you are expecting a kerberos token and it isn't present, the issue probably isn't your servers.
I'm assuming you are expecting kerberos because of the SPN checklist.
Refer to the following for more information:
https://serverfault.com/a/440050/20701
No comments:
Post a Comment