Authentication Problems while using ARR+URL Rewrite in IIS 7.0

7 replies

Last post May 09, 2013 04:49 AM by jarrodwee

  • Authentication Problems while using ARR+URL Rewrite in IIS 7.0

    Jul 31, 2008 01:14 PM|ncruz

    Hello everyone,

    I'm setting up a machine to become the router in my intranet. It's running Windows Server 2008 and IIS 7.0 with ARR and URL Rewrite Module to do the necessary routing and load balancing. I'm trying to access one of the machines running a SharePoint Server (making sure it goes through the router) and I'm getting an HTTP 401 error. Accessing the SharePoint machine from the router grants me access, but if I try the same credentials from another machine and force it to go through the router, then the HTTP 401 error appears. I'm searching for a solution for this problem.

    Is this the typical "double-hop issue"? Can this be solved using NTLM for authentication or is Kerberos mandatory? Can anyone point me to a KB or instructions on tackling this scenario? I tried enabling ASP.NET Impersonation in the router but only got HTTP 500.24 response errors.

    I also tried to add the following lines to the web.config file in the default website, but to no avail:
    <identity impersonate="true" />
    <validation validateIntegratedModeConfiguration="false" />
    <windowsAuthentication enabled="true" useAppPoolCredentials="true" />

    More information on the machines:
    Router: Windows Server 2008, IIS 7.0, Windows Authentication only; Default website with the same auth enabled. ARR + URL Module redirect/rewrite correctly.
    SharePoint: MOSS 2007, Windows Authentication and Integrated Windows Authentication; IIS 6.0 with Windows Authentication enabled.

    Thanks in advance,
    Nuno Cruz

  • Re: Authentication Problems while using ARR+URL Rewrite in IIS 7.0

    Jul 31, 2008 01:20 PM|anilr

    First of all, unless you need to do authorization on the router machine, you should turn off Windows auth on it and only enable anonymous auth - this will make ARR just pass the challenges/credentials along to the backend machine. Second thing, ARR TP1 has a known issue working with NTLM because NTLM requires 1:1 connection mapping between client and backend connections, which we do not do currently, but things should be OK if you use Kerberos (make sure that the SPN for the hostname you are using is assigned to the SharePoint machine and not the router machine).

    Anil Ruia
    Software Design Engineer
    IIS Core Server
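
Because the reply above turns on whether a request passing through ARR ends up using NTLM or Kerberos, here is an added example (not part of the thread and not Microsoft's code) that classifies the token in an `Authorization` or `WWW-Authenticate` header taken from a trace. The function name `classify_auth_header` and the sample headers are assumptions constructed for illustration.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# DER-encoded Kerberos mechanism OIDs as they appear inside SPNEGO tokens.
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (legacy MS)
)


def classify_auth_header(value):
    """Label an Authorization or WWW-Authenticate header value."""
    parts = value.strip().split(None, 1)
    if not parts or parts[0].lower() not in ("ntlm", "negotiate"):
        return "other"
    scheme = parts[0].lower()
    if len(parts) == 1:
        return scheme + " (bare challenge)"
    try:
        token = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return scheme + " (undecodable token)"
    # NTLM may be raw or SPNEGO-wrapped; a little-endian uint32 type follows the signature.
    pos = token.find(NTLM_SIG)
    if pos != -1 and len(token) >= pos + 12:
        (msg_type,) = struct.unpack_from("<I", token, pos + 8)
        return "NTLM " + NTLM_TYPES.get(msg_type, "UNKNOWN")
    if any(oid in token for oid in KRB5_OIDS):
        return "Kerberos"
    return scheme + " (unrecognized token)"

def _hdr(scheme, raw):
    return scheme + " " + base64.b64encode(raw).decode("ascii")


# Constructed sample headers (not captured traffic); token bodies are stubs.
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # 1.3.6.1.5.5.2
SAMPLES = [
    "Negotiate",
    _hdr("NTLM", NTLM_SIG + struct.pack("<II", 1, 0)),
    _hdr("Negotiate", NTLM_SIG + struct.pack("<II", 3, 0)),
    _hdr("Negotiate", b"\x60\x1b" + SPNEGO_OID + KRB5_OIDS[0] + b"\x00" * 8),
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_auth_header(header), "<-", header[:48])
```

Seeing an NTLM message under the `Negotiate` scheme where Kerberos was expected usually means the client could not obtain a service ticket for the hostname, which is where the SPN advice in the reply above applies.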
  • Re: Authentication Problems while using ARR+URL Rewrite in IIS 7.0

    Jul 31, 2008 02:11 PM|ncruz

    Thank you for the quick reply.

    Unfortunately disabling Windows Auth, in my scenario, will immediately prompt me with a 502 Bad Gateway (subcode 3) error message upon entering the credentials. I wasn't aware of the ARR issue with NTLM authentication, thank you for pointing that out. This leaves me with Kerberos as a mandatory path in search for a solution at this time.

    If more input could be available I would be grateful.


    Best regards,
    Nuno Cruz

  • Re: Authentication Problems while using ARR+URL Rewrite in IIS 7.0

    Jul 31, 2008 04:04 PM|anilr

    Can you share the failed request tracing log for the case when you get 502.3? Passing authenticated requests through ARR is something that is not really tested for tech preview 1 and there are probably issues that will be fixed in the next release.

    Anil Ruia
    Software Design Engineer
    IIS Core Server
  • Re: Authentication Problems while using ARR+URL Rewrite in IIS 7.0

    Aug 06, 2008 07:44 AM|ncruz

    Yes I can. Provide me with an email address and I'll gladly send it.
    I'm still battling with Kerberos over ARR but it's probably me being unfamiliar with Kerberos.

  • Re: Authentication Problems while using ARR+URL Rewrite in IIS 7.0

    Aug 06, 2008 10:23 AM|anilr

    My e-mail address is anil (dot) ruia (at) microsoft (dot) com

    Anil Ruia
    Software Design Engineer
    IIS Core Server
  • Re: Authentication Problems while using ARR+URL Rewrite in IIS 7.0

    Aug 02, 2010 11:26 AM|dandoney

    I am having the same problems as described above. However, we are required to use NTLM (not Kerberos) – I was reading this thread and was concerned that this may not be possible. Has ARR been updated to work with NTLM for routing where the back-end servers require IWA and cannot use Kerberos? Is there a plan to update it?


  • Re: Authentication Problems while using ARR+URL Rewrite in IIS 7.0

    May 09, 2013 04:49 AM|jarrodwee

    We are having the same problems as well.

    Authentication passes through ARR v2.5 successfully to the server farm when using Kerberos, but NTLM fails.

    Any official word on whether NTLM is supposed to be (or will eventually be) supported?
