IIS7 - Security

Re: Strange authentication problem

qbernard — Mon, 24 Nov 2008 04:19:51 GMT

Check if you got the FREB tracing up.
http://learn.iis.net/page.aspx/266/troubleshooting-failed-requests-using-tracing-in-iis7/

Re: Strange authentication problem

tim.bishop — Fri, 21 Nov 2008 19:38:12 GMT

anilr:
That is just the initial 401 challenge by IIS - are you not seeing any further requests with different sub-status codes/win32 codes?

No, I don't see any further requests other than repeats of that. Usually 3 times before the browser gives up and just displays the 401.

anilr:
Can you enable failed-request tracing and collect some freb logs?

I've enabled that by going to the advanced settings on the site. But it's not logging anything in the directory specified there. Is there anything else I need to do?

Thanks,

Tim.

Re: Strange authentication problem

anilr — Fri, 21 Nov 2008 19:31:29 GMT

That is just the initial 401 challenge by IIS - are you not seeing any further requests with different sub-status codes/win32 codes? Can you enable failed-request tracing and collect some freb logs?

Re: Strange authentication problem

tim.bishop — Fri, 21 Nov 2008 17:51:39 GMT

anilr:

What are the sub-status/win32-status on the IIS logs?

sc-status is always 401

sc-substatus is always 1

sc-win32-status is always 2148074254

Does that help?

Further to that, I created an Application (rather than a Virtual Directory) pointing at the same place and that's working.

Thanks for your help.

Tim.

Re: Strange authentication problem

anilr — Fri, 21 Nov 2008 17:29:39 GMT

What are the sub-status/win32-status on the IIS logs?

Strange authentication problem

tim.bishop — Fri, 21 Nov 2008 16:19:21 GMT

I'm running IIS 7 on Server 2008 Enterprise. The server is a DC running Exchange, although that may not be relevant.

I create a directory called C:\test and put a single file called test.html in it.

Then in the IIS Manager and create a virtual directory under the default site called test and point it at C:\test. Authentication is set to pass through. Then in the authentication section for the virtual directory I enable both Basic and Windows authentication.

I then browse to http://localhost/test/test.html and get my page up. If I try it on another machine I get an auth prompt, enter my login, and then get the page.

This works fine.

Then a while later it stops working. I get repeatedly prompted for authentication and then finally get:

401 - Unauthorized: Access is denied due to invalid credentials. You do not have permission to view this directory or page using the credentials that you supplied.

And it doesn't work again after that.

If I make a copy of C:\test to C:\test2, and then just edit the test virtual directory to point at C:\test2 it starts working again. For a while. Then it does the same behaviour.

Something must be changing after a period of time. Any suggestions as to what that could be?

Many thanks,

Tim.