IIS 7 and Above
401.2 unauthorized error in IIS application
Last post Sep 13, 2017 12:20 PM by cloudcould
Sep 13, 2017 02:48 AM | santhiya777
We are getting a 401.2 unauthorized error due to invalid credentials whenever a domain controller is patched and rebooted. To resolve the issue we are doing an IIS reset.
The IIS application is using anonymous authentication with a domain account identity.
We have 10 DCs in our environment, and the IIS application should pick up another available DC when the primary DC is unavailable.
Can anyone help to resolve this?
Below is the audit failure message in the event log:
Logon Type: 8
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: xxxxxxxx
Account Domain: xxxxxxx
Failure Reason: An Error occured during Logon.
Sub Status: 0x0
Caller Process ID: 0x31c0
Caller Process Name: w3wp.exe
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
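The audit failure quoted in this post is Security event 4625 ("An account failed to log on"). As an added example that is not part of the original thread, this PowerShell lists the same kind of failure (logon type 8 from w3wp.exe) and buckets it by hour so the bursts can be compared with DC patch windows. The seven-day look-back is an assumption; run it in an elevated session on the IIS server.

```powershell
# Added example: summarize failed logons (event 4625) raised by IIS worker processes.
# Reading the Security log requires an elevated session.
$since = (Get-Date).AddDays(-7)   # assumed look-back window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # Read the named EventData fields from the event XML
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Keep only logon type 8 (NetworkCleartext) failures from w3wp.exe, as in the post
    if ($d['LogonType'] -ne '8') { continue }
    if ($d['ProcessName'] -notlike '*\w3wp.exe') { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        Status    = $d['Status']      # NTSTATUS code; the field to read when Sub Status is 0x0
        SubStatus = $d['SubStatus']
        Package   = $d['AuthenticationPackageName']
    }
}

# Bucket per hour so bursts can be lined up against the DC patch/reboot schedule
$failures |
    Group-Object { $_.Time.ToString('yyyy-MM-dd HH:00') }, Account, Status |
    Sort-Object Name |
    Select-Object Name, Count |
    Format-Table -AutoSize
```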
Sep 13, 2017 03:19 AM | Yuk Ding
You could use Process Monitor to filter on w3wp.exe, and then it would display the user and path with the 401.2 error. Then you only need to grant permission for the specific path. If the authenticated user credential (domain user identity) or application pool identity doesn't have permission, it would report 401.2.
You also need to check whether an authorization rule has blocked the user and whether all authentication methods have been disabled.
In addition, if you have a proxy, please check whether it is a proxy issue. If you were using SSL, you also need to check whether it is an SSL connection issue.
Sep 13, 2017 03:56 AM | santhiya777
Thank you Yuk Ding, I will look into those options.
When I enable Failed Request Trace, I see the warning below. Do you have any idea about this?
Sep 13, 2017 12:20 PM | cloudcould
Chances, and where you can dig more:
Authentication: you can add exact DC authentication to the site ACL and app pool identity.
Impersonate needs to be true if your application has authentication enabled.
Also check authorization, since the app pool identity might have integrated