
Thread: Authentication Problems while using ARR+URL Rewrite in IIS 7.0

Last post 08-06-2008 10:23 AM by anilr. 5 replies.


Page 1 of 1 (6 items)


  • 07-31-2008, 1:14 PM

    • ncruz
    • Not Ranked
    • Joined on 07-31-2008, 4:39 PM
    • Posts 9

    Authentication Problems while using ARR+URL Rewrite in IIS 7.0

    Hello everyone,

    I'm setting up a machine to become the router in my intranet. It's running Windows Server 2008 and IIS 7.0 with ARR and URL Rewrite Module to do the necessary routing and load balancing. I'm trying to access one of the machines running a SharePoint Server (making sure it goes through the router) and I'm getting an HTTP 401 error. Accessing the SharePoint machine from the router grants me access, but if I try the same credentials from another machine and force it to go through the router, then the HTTP 401 error appears. I'm searching for a solution to this problem.

    Is this the typical "double-hop issue"? Can this be solved using NTLM for authentication or is Kerberos mandatory? Can anyone point me to a KB or instructions on tackling this scenario? I tried enabling ASP.NET Impersonation on the router but only got HTTP 500.24 response errors.

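    I also tried adding the following lines to the web.config file in the default website, but to no avail:
    <!-- belongs under system.web -->
    <identity impersonate="true" />
    <!-- belongs under system.webServer -->
    <validation validateIntegratedModeConfiguration="false" />
    <!-- belongs under system.webServer/security/authentication -->
    <windowsAuthentication enabled="true" useAppPoolCredentials="true" />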

    More information on the machines:
    Router: Windows Server 2008, IIS 7.0, Windows Authentication only; Default website with the same auth enabled. ARR + URL Module redirect/rewrite correctly.
    SharePoint: MOSS 2007, Windows Authentication and Integrated Windows Authentication; IIS 6.0 with Windows Authentication enabled.

    Thanks in advance,
    Nuno Cruz

  • 07-31-2008, 1:20 PM In reply to

    • anilr
    • Top 10 Contributor
    • Joined on 05-23-2006, 10:13 PM
    • Redmond, WA
    • Posts 1,223

    Re: Authentication Problems while using ARR+URL Rewrite in IIS 7.0

    First of all, unless you need to do authorization on the router machine, you should turn off Windows auth on it and only enable anonymous auth - this will make ARR just pass the challenges/credentials along to the backend machine. Second thing, ARR TP1 has a known issue working with NTLM because NTLM requires 1:1 connection mapping between client and backend connections, which we do not do currently, but things should be OK if you use Kerberos (make sure that the SPN for the hostname you are using is assigned to the SharePoint machine and not the router machine).

    Anil Ruia
    Senior Software Design Engineer
    IIS Core Server
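
Whether a client actually sent Kerberos or fell back to NTLM, the distinction the reply above turns on, can be read from the token in a captured `Authorization: Negotiate` header. The following is an added example, not part of the original thread or of ARR: the function names are hypothetical and the sample tokens are constructed byte strings, not captured traffic.

```python
import base64
import struct

# DER-encoded Kerberos mechanism OIDs found inside SPNEGO tokens.
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (legacy MS form)
)
NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def classify_auth_header(value):
    """Return (scheme, mechanism) for an Authorization/WWW-Authenticate value."""
    parts = value.split(None, 1)
    if not parts or parts[0].lower() not in ("negotiate", "ntlm"):
        return (parts[0] if parts else "", "unknown")
    if len(parts) == 1:
        return (parts[0], "none")  # bare challenge, no token yet
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:
        return (parts[0], "undecodable")
    # NTLMSSP is checked first so that a token carrying an NTLM message is
    # reported as NTLM even if Kerberos also appears in its mechanism list.
    pos = raw.find(NTLMSSP_SIG)
    if pos != -1 and len(raw) >= pos + 12:
        (msg_type,) = struct.unpack_from("<I", raw, pos + 8)
        return (parts[0], "ntlm-" + NTLM_TYPES.get(msg_type, "unknown"))
    if any(oid in raw for oid in KRB5_OIDS):
        return (parts[0], "kerberos")
    return (parts[0], "unknown")


def b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed samples: right markers, but not valid ASN.1 and not real tickets.
SPNEGO_OID = bytes.fromhex("06062b0601050502")
NTLM_TYPE1 = NTLMSSP_SIG + struct.pack("<II", 1, 0x00088207)
KRB_TOKEN = b"\x60\x1b" + SPNEGO_OID + KRB5_OIDS[0] + b"\x00" * 8
WRAPPED_NTLM = b"\x60\x30" + SPNEGO_OID + KRB5_OIDS[0] + NTLM_TYPE1

if __name__ == "__main__":
    for label, tok in (("raw NTLM", NTLM_TYPE1), ("Kerberos", KRB_TOKEN),
                       ("SPNEGO carrying NTLM", WRAPPED_NTLM)):
        print(label, "->", classify_auth_header("Negotiate " + b64(tok)))
    print("challenge ->", classify_auth_header("Negotiate"))
```

An `ntlm-*` result for requests sent through the router means the client did not obtain a Kerberos ticket for the hostname it used, which is the case the SPN advice above addresses.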
  • 07-31-2008, 2:11 PM In reply to

    • ncruz
    • Not Ranked
    • Joined on 07-31-2008, 4:39 PM
    • Posts 9

    Re: Authentication Problems while using ARR+URL Rewrite in IIS 7.0

    Thank you for the quick reply.

    Unfortunately, disabling Windows Auth, in my scenario, will immediately prompt me with a 502 Bad Gateway (subcode 3) error message upon entering the credentials. I wasn't aware of the ARR issue with NTLM authentication; thank you for pointing that out. This leaves me with Kerberos as a mandatory path in search of a solution at this time.

    If more input could be available I would be grateful.


    Best regards,
    Nuno Cruz

  • 07-31-2008, 4:04 PM In reply to

    • anilr
    • Top 10 Contributor
    • Joined on 05-23-2006, 10:13 PM
    • Redmond, WA
    • Posts 1,223

    Re: Authentication Problems while using ARR+URL Rewrite in IIS 7.0

    Can you share the failed request tracing log for the case when you get 502.3? Passing authenticated requests through ARR is something that is not really tested for tech preview 1 and there are probably issues that will be fixed in the next release.

    Anil Ruia
    Senior Software Design Engineer
    IIS Core Server
  • 08-06-2008, 7:44 AM In reply to

    • ncruz
    • Not Ranked
    • Joined on 07-31-2008, 4:39 PM
    • Posts 9

    Re: Authentication Problems while using ARR+URL Rewrite in IIS 7.0

    Yes, I can. Provide me with an email address and I'll gladly send it.
    I'm still battling with Kerberos over ARR but it's probably me being unfamiliar with Kerberos.

  • 08-06-2008, 10:23 AM In reply to

    • anilr
    • Top 10 Contributor
    • Joined on 05-23-2006, 10:13 PM
    • Redmond, WA
    • Posts 1,223

    Re: Authentication Problems while using ARR+URL Rewrite in IIS 7.0

    My e-mail address is anil (dot) ruia (at) microsoft (dot) com

    Anil Ruia
    Senior Software Design Engineer
    IIS Core Server