Thread: IIS 6.0 Integrated Authentication and 500 error

Last post 06-20-2008 12:49 PM by ma_khan. 24 replies.

  • 06-13-2008, 1:58 PM

    • sealy
    • Top 200 Contributor
    • Joined on 06-13-2008, 5:27 PM
    • Posts 16

    IIS 6.0 Integrated Authentication and 500 error

    I hope this is the correct place. Here is what we have. An IIS 6.0 website set up on a 2003 server. We have the website set to use Negotiate, NTLM. We have SSL required and Integrated authentication is the only checkbox enabled. Kerberos is working.

    When you go to the website and it is not in your intranet or trusted sites, you are prompted for a password even though you are logged into a computer that is a domain member with your domain credentials. That is OK. Not so much of a problem. If you just type in your username and correct password, or another valid username and password from the same domain you can get in. If you enter in your username, but type in an invalid password you will kick off a 401 and receive a total of 3 prompts including the first one that occurred when you first attempted to visit the site. If you change the username to any other valid Active Directory username and a bad password you receive a 500 error. If you type in your current logged in username or another username not in Active Directory (user@anotherdomain.com) you will continue to receive a 401 error up to the expected 3 tries. If you turn off friendly message in IE it states - The local security authority cannot be contacted. We originally discovered this on our SharePoint site and another site we have set up on another server that hosts our internal applications. We set up a clean machine with a clean IIS install and a simple one page site to test. All exhibit the same behavior.

    Is this an IE7 issue?

    Is this an expected behavior and if so, why are we prompted and why is it if we change the user account identity to another valid username a 500 error is thrown?

  • 06-13-2008, 5:20 PM In reply to

    Re: IIS 6.0 Integrated Authentication and 500 error

    Check this http://support.microsoft.com/kb/813550 

    Regards,
    MA Khan
    http://www.iisworkstation.com

    “Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”
  • 06-16-2008, 10:12 AM In reply to

    • sealy
    • Top 200 Contributor
    • Joined on 06-13-2008, 5:27 PM
    • Posts 16

    Re: IIS 6.0 Integrated Authentication and 500 error

    Thank you very much for the response. We are not using ISA server nor is the connection over a VPN. We are connecting to the site and we have noticed this behavior on all of our IIS sites. We set up the vanilla site just to make sure it wasn't a configuration error.

    I have tried one at a time - Integrated Authentication, Digest and finally Basic Authentication. If you try to log on to the site with any valid domain user other than the one you are logged onto your machine with you will receive a 500 error and not a 401 error. This appears to be the same on our SharePoint site as well as a basic web site.

  • 06-16-2008, 3:04 PM In reply to

    Re: IIS 6.0 Integrated Authentication and 500 error

    It is fine that you are not using ISA and VPN... Did you check the part about the SSL keys??

    Regards,
    MA Khan
    http://www.iisworkstation.com

  • 06-16-2008, 4:18 PM In reply to

    • sealy
    • Top 200 Contributor
    • Joined on 06-13-2008, 5:27 PM
    • Posts 16

    Re: IIS 6.0 Integrated Authentication and 500 error

    The cert is a 1024 cert and I had require 128 bit encryption checked.

    Since this morning I have also turned off require SSL and I get the same results. I have been playing with Fiddler too. When I get the 500 error it is telling me that in the header when I use a valid username there is no www-authenticate header and no Pre-Authenticate header. So IIS has a mini melt down and displays a 500 error instead of sending a 401. Here is the kicker. I have tried this on domain member machines and a laptop that I have with a clean install of IE6 that is not a member of the domain. I get the same result. When I enter in a valid username, but use a bad password I receive a 500 error and not a 401. If I use a non-valid username, I get three challenges and then finally a 401.

     

  • 06-17-2008, 4:40 PM In reply to

    Re: IIS 6.0 Integrated Authentication and 500 error

    Sealy,

        Try AuthDiag and see what is the response... I think you will be able to get something out of it...

    Hope it helps...  

    Regards,
    MA Khan
    http://www.iisworkstation.com

  • 06-17-2008, 4:59 PM In reply to

    • sealy
    • Top 200 Contributor
    • Joined on 06-13-2008, 5:27 PM
    • Posts 16

    Re: IIS 6.0 Integrated Authentication and 500 error

    Thank you, I will. I downloaded the IIS ResKit yesterday and the authdiag tool. I am going to try it tomorrow to see what I can find out. In the meantime I also have a support case in with Microsoft so hopefully we will have a conclusion very soon. It's probably a checkbox somewhere... :)

  • 06-18-2008, 7:19 AM In reply to

    • Rovastar
    • Top 10 Contributor
    • Joined on 03-13-2008, 2:00 PM
    • London, UK
    • Posts 749

    Re: IIS 6.0 Integrated Authentication and 500 error

    What type of 401 errors (sub codes) are you getting? There are many different types and all mean different things. Also the win32 status error codes give more information.

    See this for more information on troubleshooting these problems:

    http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx 

     

    Most overused word in IT is 'should' as in 'That should work!?!'
  • 06-18-2008, 8:33 AM In reply to

    • sealy
    • Top 200 Contributor
    • Joined on 06-13-2008, 5:27 PM
    • Posts 16

    Re: IIS 6.0 Integrated Authentication and 500 error

    The problem isn't really the 401 errors. We expect the 401 and that is what we want. It's the 500 error that has us befuddled. The expected behavior of integrated authentication (at least from what I can gather) is to prompt 3 times and if a valid username and password are not entered you will receive a 401 error. We have a custom app that displays a password recovery page. The problem is that we are receiving 500 errors if you enter in a valid username other than the one that was pre-authenticated and a bad password. For instance, I am logged in with X@domain.com. I then browse to the site, receive a password prompt because the site is not in my trusted sites list, nor is IE able to place it automatically in my local intranet zone. I then enter in y@domain.com as my username and 'poof' - 500 error. It works fine if I enter in x@domain.com or a@anotherdomain.com. I am trying to find out if this is a 'feature' of IIS 6.0, an IE issue or if it is something else.

      

  • 06-18-2008, 8:42 AM In reply to

    • Rovastar
    • Top 10 Contributor
    • Joined on 03-13-2008, 2:00 PM
    • London, UK
    • Posts 749

    Re: IIS 6.0 Integrated Authentication and 500 error

    I don't understand the need for 3 401 errors. Surely you only need 2.

    What 401 errors are there?

    Read the article to make sure you understand it all and you have confirmed that you are all authenticated and authorised just prior to the page with the 500 error.

    You could set up a static 'hello world' html page that you have to be authorised to see. Do you get a 500 error then?

    What sort of 500 error is it e.g. 500.x?

    Things like 'custom apps that do the password recovery' points me to thinking that that is wrong. 

    Most overused word in IT is 'should' as in 'That should work!?!'
  • 06-18-2008, 9:05 AM In reply to

    • sealy
    • Top 200 Contributor
    • Joined on 06-13-2008, 5:27 PM
    • Posts 16

    Re: IIS 6.0 Integrated Authentication and 500 error

    The three prompts are built in to Integrated Authentication - http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true

    "  

    Client Authentication Process

    Unlike Basic authentication, Integrated Windows authentication does not initially prompt for a user name and password. The current Windows user information on the client is used for Integrated Windows authentication. If the authentication exchange initially fails to authorize the user, Internet Explorer prompts the user for a Windows account user name and password, which it processes using Integrated Windows authentication. Internet Explorer prompts the user for the correct user name and password up to three times. If, however, the user has logged on to the local computer as a domain user, then no authentication is required when the user accesses a network computer in that domain.

    "

    The custom application was purchased and works quite well. It has a webpart for SharePoint where remote users who never log in to the domain can see when their password expires.

    However, we only enabled it for all 401 errors as that is the expected behavior for Integrated Authentication. A 500 error is being thrown from our simple 'Hello World' page. The application is not set up on the site and that is the only page on the site. If we try to authenticate to the page using the y@domain.com we receive a 500 error. So we know it isn't the website. The only page is default.htm. The only authentication that is enabled is Integrated. Very simple and sweet, but can end in a sour note... :)

  • 06-18-2008, 9:31 AM In reply to

    • Rovastar
    • Top 10 Contributor
    • Joined on 03-13-2008, 2:00 PM
    • London, UK
    • Posts 749

    Re: IIS 6.0 Integrated Authentication and 500 error

    Ummh I still don't understand after the 401 status codes do you think you are authenticated or not?

    Use AuthDiag to confirm.

    If it is it passes this to another app (and sharepoint - more complexities *shudder*) and the app grants access to the pages?

    Do you have any IIS filters? 

    What do you get in the logs?

    What 500 subcode error is it? any win32 status logged?

    Most overused word in IT is 'should' as in 'That should work!?!'
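
One way to pull the sub-status and win32 status asked about above out of an IIS 6.0 W3C extended log, as an added example that is not part of any post in this thread. The log lines are constructed for illustration, and the code assumes the sc-substatus and sc-win32-status fields are enabled in the site's logging properties.

```python
# Constructed sample of an IIS 6.0 W3C extended log (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2008-06-18 13:05:01 GET /default.htm - 10.0.0.5 401 2 2148074254
2008-06-18 13:05:01 GET /default.htm - 10.0.0.5 401 1 0
2008-06-18 13:05:09 GET /default.htm - 10.0.0.5 500 0 2148074244
2008-06-18 13:06:47 GET /default.htm - 10.0.0.9 401 1 1326
2008-06-18 13:07:02 GET /default.htm x@domain.com 10.0.0.7 200 0 0
"""

WIN32_NAMES = {
    0: "ERROR_SUCCESS",
    1326: "ERROR_LOGON_FAILURE",
    0x80090304: "SEC_E_INTERNAL_ERROR",  # "The Local Security Authority cannot be contacted"
    0x8009030E: "SEC_E_NO_CREDENTIALS",
}

def parse_w3c(text):
    """Yield one dict per request line, honouring each #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def auth_failures(text):
    """Return every 401/500 row with its sub-status and decoded win32 status."""
    rows = []
    for r in parse_w3c(text):
        if r["sc-status"] in ("401", "500"):
            win32 = int(r["sc-win32-status"])
            rows.append({"client": r["c-ip"], "uri": r["cs-uri-stem"],
                         "status": r["sc-status"] + "." + r["sc-substatus"],
                         "win32": "0x%08X" % win32,
                         "name": WIN32_NAMES.get(win32, "unknown")})
    return rows

def clients_with_500_after_401(text):
    """Clients that got a 500 on a URI after being challenged with a 401 for it."""
    seen_401, flagged = set(), []
    for row in auth_failures(text):
        key = (row["client"], row["uri"])
        if row["status"].startswith("401"):
            seen_401.add(key)
        elif key in seen_401 and row["client"] not in flagged:
            flagged.append(row["client"])
    return flagged
```

Pass the text of a real log file to `auth_failures()` to list each 401/500 with its sub-status and win32 code; `clients_with_500_after_401()` narrows that to exchanges that ended in a 500 after an authentication challenge.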
  • 06-18-2008, 9:53 AM In reply to

    • sealy
    • Top 200 Contributor
    • Joined on 06-13-2008, 5:27 PM
    • Posts 16

    Re: IIS 6.0 Integrated Authentication and 500 error

    With the 401 errors we are not expecting to be authenticated. We welcome the 401 errors as the user is either entering in a bad password or their password has expired. That is the whole purpose of the custom 401 page. But never mind that. We now have a one page site. What is supposed to happen is that a domain user logs in via Integrated authentication. However, due to IE not recognizing the site as either in their trusted sites zone or their local intranet zone it doesn't push their credentials. I am guessing it is part of IE security. Regardless, it may not matter. So the user is presented with a prompt to enter in their username and password. If the user enters in their correct credentials then they are given a 200 and go straight through. If the user enters in the incorrect credentials then they are presented with another login prompt. So far so good. Integrated authentication should return the prompt up to 3 times. However, if the user changes their username to another valid domain user account because they are trying to log in with elevated permissions or for whatever reason, then IIS returns a 500 error. Whether or not the user has malicious intent IIS should return another 401 error and not a 500. Due to the article on Microsoft's site, that is what we expect. I cannot find any documentation or explanation as to why IIS will return a 500 error when a user enters in a different valid domain user identity in a subsequent login prompt. We have seen this on two production sites and even a test site we set up with a single page.

  • 06-18-2008, 10:25 AM In reply to

    • Rovastar
    • Top 10 Contributor
    • Joined on 03-13-2008, 2:00 PM
    • London, UK
    • Posts 749

    Re: IIS 6.0 Integrated Authentication and 500 error

    Without the subcodes and other things like authdiag it is difficult to diagnose further. I am not sure about this behaviour. You enter one username/password and then you switch in the middle of the process to another username/password and you get an error. It is linked to the 401.x error. I imagine a 401.2 comes into play and that doesn't get resolved.

    Well I suppose this could make sense although 500 is questionable. But this is not normal behaviour changing your authorisation based on a previously authenticated session. This might cause windows to get a bit confused. I do tbh question the need for it.

    Can a user just log off their user and then log in separately as the other user?

    I presume closing down the browser & clearing the cache and entering the ‘other’ username is all ok then? It is just within the same cycle you have problems.

    Most overused word in IT is 'should' as in 'That should work!?!'
  • 06-18-2008, 10:46 AM In reply to

    • sealy
    • Top 200 Contributor
    • Joined on 06-13-2008, 5:27 PM
    • Posts 16

    Re: IIS 6.0 Integrated Authentication and 500 error

    No, even if you clear your entire cache, and if you enter in a different username off the bat you get a 500 error.

    If I clear my cache and browse to the site. Then the first prompt I see, if I enter in a username other than the one I am logged in with, that is a member of the domain I receive a 500 error.

    Logging in with another username is quite useful for testing SharePoint and other websites where you may log in as a less privileged user. Or if you log into CRM as the admin to change some settings. Or really any administration. We log into stations with least privileged accounts and only use admin accounts when needed. We try to stick to best practices, but this is a pain.
