
I'm running into a problem trying to get Windows Authentication working in an environment that uses Microsoft Application Request Routing and was hoping someone might be able to help.

The problem I'm running into is that only some requests are authenticated, while others fail with 401 errors. I have followed the Special Case of Running IIS 7.0 in a Web Farm instructions found at http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx to no avail.

My current server setup looks like the following:

ARR

  • Two servers set up with IIS shared configuration using IIS 7.5 on Windows 2008 R2
  • Anonymous authentication turned on for the Default Web Site

Web Farm

  • Two servers running IIS 7.5 on Windows 2008 R2
  • Three web sites set up using port binding to differentiate between virtual hosts. Ports being used are 8000, 8001, and 8002
  • Application pools for Windows Authentication all use a common domain account
  • SPN added to domain account for http/<virtualhost-name>:<port-number> and http/<virtualhost-name>.<fully-qualified-domain>:<port-number>

The IIS logs show the following when authentication is working/failing. If I understand correctly, all requests should show DOMAIN\User_Name:

2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/stylesheets/techweb.landing.css - 8002 DOMAIN\User_Name ARR-HOST-1-IP-ADDRESS 200 0 0 62
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-background-right.gif - 8002 - ARR-HOST-1-IP-ADDRESS  401 2 5 0
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-background-left.gif - 8002 DOMAIN\User_Name ARR-HOST-IP-ADDRESS 200 0 0 31
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-icon.png - 8002 - ARR-HOST-1-IP-ADDRESS 401 2 5 0
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-icon.png - 8002 - ARR-HOST-1-IP-ADDRESS 401 1 2148074248 0
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/application-icon.png - 8002 - ARR-HOST-1-IP-ADDRESS 401 1 2148074248 0
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-background-right.gif - 8002 - ARR-HOST-1-IP-ADDRESS 401 1 3221225581 15
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/building.gif - 8002 DOMAIN\User_Name ARR-HOST-2-IP-ADDRESS 200 0 0 218

Does anyone know what might cause this problem and how I can resolve it?

EDIT

I do see the Negotiate headers being sent to the servers whenever I perform a network capture.

First request /home:

Request

Nothing

Response

Proxy-Support: Session-Based-Authentication
WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate

Second request /home:

Request

Authorization: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAY....

Response

Proxy-Support: Session-Based-Authentication
WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQ....

Third (and final) request /home:

Request

Authorization: Negotiate oTMwMaADCgEBoioEKE5UTE1TU1AAAQAAAJe....

Response

Proxy-Support: Session-Based-Authentication
WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate

After the third request, I get the 401 page from IIS.

Steve Platz
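A small triage script for log excerpts like the one above, added here as an example and not part of the original question. It parses the W3C fields in the order shown, groups results by the ARR node in c-ip, and decodes sc-substatus and sc-win32-status so a plain first-leg challenge (401.2, win32 5) can be told apart from a token that IIS actually rejected (401.1 with SEC_E_INVALID_TOKEN or STATUS_LOGON_FAILURE); the field order and the sample lines are assumptions taken from the question.

```python
"""Triage IIS W3C log lines for Windows Authentication failures behind ARR.
Added example, not from the original question. Assumes the field order of the
question's excerpt: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
cs-username c-ip sc-status sc-substatus sc-win32-status time-taken; behind
ARR, c-ip is the ARR node that forwarded the request, not the browser."""
from collections import Counter, defaultdict

FIELDS = ["date", "time", "s_ip", "method", "uri", "query", "port", "user",
          "client_ip", "status", "substatus", "win32", "time_taken"]
SUBSTATUS = {1: "401.1 logon failed",                 # IIS 7.x 401 substatus codes
             2: "401.2 logon failed due to server configuration"}
WIN32 = {5: "ERROR_ACCESS_DENIED",                    # challenge, no token accepted yet
         0x80090308: "SEC_E_INVALID_TOKEN",           # SSPI rejected the presented token
         0xC000006D: "STATUS_LOGON_FAILURE"}          # credentials/ticket not accepted

# Constructed sample: the eight lines from the question, copied verbatim.
SAMPLE_LOG = r"""
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/stylesheets/techweb.landing.css - 8002 DOMAIN\User_Name ARR-HOST-1-IP-ADDRESS 200 0 0 62
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-background-right.gif - 8002 - ARR-HOST-1-IP-ADDRESS  401 2 5 0
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-background-left.gif - 8002 DOMAIN\User_Name ARR-HOST-IP-ADDRESS 200 0 0 31
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-icon.png - 8002 - ARR-HOST-1-IP-ADDRESS 401 2 5 0
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-icon.png - 8002 - ARR-HOST-1-IP-ADDRESS 401 1 2148074248 0
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/application-icon.png - 8002 - ARR-HOST-1-IP-ADDRESS 401 1 2148074248 0
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/user-background-right.gif - 8002 - ARR-HOST-1-IP-ADDRESS 401 1 3221225581 15
2012-11-19 15:03:17 CLUSTER-IP-ADDRESS GET /home/images/building.gif - 8002 DOMAIN\User_Name ARR-HOST-2-IP-ADDRESS 200 0 0 218
"""

def parse_line(line):
    """Split one W3C line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    for key in ("status", "substatus", "win32"):
        rec[key] = int(rec[key])
    return rec

def triage(text):
    """Return (status counts per ARR node, decoded reasons for anonymous 401s)."""
    per_node = defaultdict(Counter)
    reasons = Counter()
    for rec in filter(None, map(parse_line, text.splitlines())):
        per_node[rec["client_ip"]][rec["status"]] += 1
        if rec["status"] == 401 and rec["user"] == "-":
            sub = SUBSTATUS.get(rec["substatus"], f"401.{rec['substatus']}")
            win = WIN32.get(rec["win32"], f"0x{rec['win32']:08X}")
            reasons[(sub, win)] += 1
    return dict(per_node), reasons
```

On the sample, every rejected token (401.1) arrives via the same ARR node while the 200s come from all nodes, which is the kind of split that points at how a particular path (here the cluster address in front of the farm) presents the service name to Kerberos.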

1 Answer


Get a network packet capture of the failed requests and check the HTTP request header for the Kerberos authentication token. If you are expecting a Kerberos token and it isn't present, the issue probably isn't your servers.

I'm assuming you are expecting Kerberos because of the SPN checklist.

Refer to the following for more information:

https://serverfault.com/a/440050/20701

Greg Askew
  • It seems like you may be onto something there. IE on my computer seems to have issues. However, I tried this out again in a VM and had a few coworkers try to access the site and they were all able to do so without the authentication errors. I'm going to continue looking into this, but wanted to thank you for your input. – Steve Platz Nov 19 '12 at 18:18
  • It looks like I may have been a little premature in thinking it may be an issue with my computer. I've tested in a few other places, and I see the same result: one or more requests work and another will fail. I've added the relevant data to my question. It looks like I'm sending a Kerberos ticket in the second request as would be expected. – Steve Platz Nov 19 '12 at 18:46
  • If you need SPN support, NTLM will fail, as SPNs are Kerberos-specific. If the issue is the client is falling back to NTLM, that may be due to a number of causes. You may want to drop the Microsoft DelegConfig virtual directory on the server, to see if that also fails to authenticate with Kerberos. – Greg Askew Nov 19 '12 at 20:36
  • Everything works if NTLM is displayed first in the IIS config or if it's the only option turned on. Kerberos seems to be the one failing. Ideally, I'd like to not use NTLM if only because Kerberos is the default and my environment supports it fine when ARR isn't involved. – Steve Platz Nov 20 '12 at 12:14
  • @theplatz: you need to try the Microsoft DelegConfig tool. http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/delegconfig-delegation-configuration-reporting-tool.aspx – Greg Askew Nov 20 '12 at 13:10
  • The DelegConfig tool, while not explicitly telling me the correct answer, led me in the direction of the problem. In my case, I was adding the SPN for the web farm properly, but there was also a cluster IP address sitting on top of the farm that was interfering with everything. So, I had to add the SPN for both the farm name and the cluster name in order for things to work. Thanks for your help! – Steve Platz Dec 04 '12 at 20:47