IIS 7 and Above
Windows Authentication: WebResource.axd 401 2 5 0
Last post Sep 30, 2019 02:59 AM by Yuk Ding
Sep 26, 2019 03:15 PM|ivan.barraza
We have an asp.net intranet website (.Net Framework 4.7.2) that uses Windows Authentication on a Server 2016 server. An alias "midasuat" was created for the server and it was added to the site as a Site Binding;
Type: http Host Name: blank Port: 85
Type: http Host Name: midasuat Port: 80
When we access the site anywhere from our network, it works just fine. The users are automatically authenticated and are not prompted for their credentials.
As soon as we point the alias to a load balancer using https which in turn redirects traffic to our http site, all heck breaks loose. The user is authenticated, but the site starts prompting users for their credentials multiple times in each site page as it tries to access its resources (images, etc.). Reviewing the IIS logs, it appears that the user id is missing whenever the log item has a 401 and contains the user id when the log item has a 200. What would cause the user id to be missing on the 401 item records? For example,
2019-09-26 13:59:49 10.223.9.162 GET /WebResource.axd d=JkAB5ka8negpT8ybXEQZMXxXI9mJWpZWmTkEkbVZKeZS16GTozxIRs469PerGU9KNENukSCIt4T3de2k-mfoqglRegUjKAtpRzZSb47vMohrCg1scSa6bDZuAqEyj2CHJ4ivP3z6y-gKMxyiqY8BMg2&t=635918956660000000 85 - 10.223.7.27 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/77.0.3865.90+Safari/537.36 https://midasuat.company.com/Default.aspx 401 1 2148074248 0
2019-09-26 13:59:49 10.223.9.162 GET /WebResource.axd d=b8adWYak0tImLef4A3fc9VL8hsWyhp8x_X-Sv_mxjx9SgprVPmtmNrBh5mzsC_dOstvN1diFs3YXDKg6hYJqiFV_BkYSjpInbOH15qNFyLksqiHpzwNbq7jrOarxSpaLxB9wocMYNgiG-e2_hp56sA2&t=635918956660000000 85 Company\userID 10.223.7.27 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/77.0.3865.90+Safari/537.36 https://midasuat.company.com/Default.aspx 200 0 0 0
Any and all assistance is greatly appreciated. Thank you.
Sep 26, 2019 10:51 PM|lextm
Ask your domain administrators to help analyze Kerberos-related settings. Advanced topics like that cannot be answered easily.
Sep 27, 2019 08:33 AM|Yuk Ding
2148074248 (0x80090308) means the token supplied is invalid. It seems that this issue happened when the server authenticates the Kerberos ticket from LDAP. May I know what load balancer you are using? A hardware load balancer or an ARR load balancer?
MS network monitor would help you trace Kerberos authentication.
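An added example (not code from this thread or from Microsoft) that triages IIS W3C log lines like the ones quoted above: for each 401 it reports the substatus, whether a user name was logged, and sc-win32-status in hex, so 2148074248 shows up as 0x80090308. The default field order, the two lookup tables and the sample lines are assumptions constructed for the example.

```python
# Added example. Assumed field order: IIS default selection; a "#Fields:" line overrides it.
DEFAULT_FIELDS = (
    "date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip "
    "cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken"
).split()

# Lookups limited to the values that appear in this thread; not exhaustive.
WIN32_NAMES = {0x80090308: "SEC_E_INVALID_TOKEN", 5: "ERROR_ACCESS_DENIED"}
SUBSTATUS_401 = {1: "logon failed", 2: "logon failed due to server configuration"}

def parse(lines):
    """Yield one dict per log entry, honouring any #Fields: directive."""
    fields = DEFAULT_FIELDS
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or wrapped entries
                yield dict(zip(fields, values))

def triage(lines):
    """Return every 401 with decoded substatus and sc-win32-status."""
    findings = []
    for rec in parse(lines):
        if rec.get("sc-status") != "401":
            continue
        sub = int(rec.get("sc-substatus", 0))
        win32 = int(rec.get("sc-win32-status", 0))
        user = rec.get("cs-username", "-")
        findings.append({
            "uri": rec.get("cs-uri-stem"),
            "client": rec.get("c-ip"),
            "user": None if user == "-" else user,  # "-" means no identity was logged
            "status": f"401.{sub}",
            "reason": SUBSTATUS_401.get(sub, "unknown"),
            "win32_hex": f"0x{win32:08X}",
            "win32_name": WIN32_NAMES.get(win32, "unknown"),
        })
    return findings

# Constructed sample modelled on the entries quoted in the thread (query strings shortened).
_PRE = "2019-09-26 13:59:49 10.223.9.162 GET /WebResource.axd d=x&t=1 85 "
_POST = " 10.223.7.27 Mozilla/5.0+(constructed) https://midasuat.company.com/Default.aspx "
SAMPLE = [_PRE + "-" + _POST + "401 1 2148074248 0",
          _PRE + "Company\\userID" + _POST + "200 0 0 0",
          _PRE + "-" + _POST + "401 2 5 0"]
if __name__ == "__main__": print(*triage(SAMPLE), sep="\n")
```

A 401 entry with `-` as the user name only says the request had not been authenticated when it was logged; the substatus and sc-win32-status columns are what tell the cases apart.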
Sep 27, 2019 03:02 PM|ivan.barraza
Our site is hosted in AWS and the load balancer is also AWS's.
Sep 30, 2019 02:59 AM|Yuk Ding
Have you checked Kerberos authentication via network monitor? I think you may need to involve both an AWS support engineer and an IIS support engineer for a live meeting.