Authentication Problems while using ARR+URL Rewrite in IIS 7.0
Last post May 09, 2013 04:49 AM by jarrodwee
Jul 31, 2008 01:14 PM|ncruz
I'm setting up a machine to become the router in my intranet. It's running Windows Server 2008 and IIS 7.0 with ARR and URL Rewrite Module to do the necessary routing and load balancing. I'm trying to access one of the machines running a SharePoint Server (making sure it goes through the router) and I'm getting an HTTP 401 error. Accessing the SharePoint machine from the router grants me access, but if I try the same credentials from another machine and force it to go through the router, then the HTTP 401 error appears.
I'm searching for a solution for this problem.
Is this the typical "double-hop issue"? Can this be solved using NTLM for authentication or is Kerberos mandatory? Can anyone point me to a KB or instructions on tackling this scenario? I tried enabling ASP.NET Impersonation in the router but only got HTTP 500.24 response errors.
Also tried to add the following lines to the web.config file in the default website but to no use:
<identity impersonate="true" />
<windowsAuthentication enabled="true" useAppPoolCredentials="true"/>
More information on the machines,
Router: Windows Server 2008, IIS 7.0, Windows Authentication only; Default website with the same auth enabled. ARR + URL Module redirect/rewrite correctly.
Sharepoint: MOSS 2007, Windows Authentication and Integrated Windows Authentication; IIS 6.0 with Windows Authentication enabled.
Thanks in advance,
Jul 31, 2008 01:20 PM|anilr
First of all, unless you need to do authorization on the router machine, you should turn off Windows auth on it and only enable anonymous auth - this will make ARR just pass the challenges/credentials along to the backend machine. Second thing, ARR TP1 has a known issue working with NTLM because NTLM requires 1:1 connection mapping between client and backend connections, which we do not do currently, but things should be ok if you use Kerberos (make sure that the SPN for the hostname you are using is assigned to the SharePoint machine and not the router machine).
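The connection-mapping point in the reply above, as an added example that is not part of the original thread and not ARR code: a simplified Python model in which NTLM handshake state lives on the backend connection, so a proxy that picks any pooled connection per request breaks the handshake while a 1:1 (pinned) mapping or a Kerberos ticket does not. The class and function names, the nonce format and the "valid-ticket" string are constructed for illustration, and the Type 3 message simply echoes the challenge in place of a real NTLM response.

```python
import itertools

_nonce = itertools.count(1)  # constructed stand-in for the server's random challenge

class BackendConnection:
    """One proxy-to-backend TCP connection; NTLM handshake state is kept per connection."""
    def __init__(self):
        self.challenge = None

    def handle(self, kind, payload=None):
        if kind == "kerberos":      # a single request carries the whole proof
            return (200 if payload == "valid-ticket" else 401), None
        if kind == "ntlm-type1":    # negotiate: backend answers 401 plus a challenge
            self.challenge = f"nonce-{next(_nonce)}"
            return 401, self.challenge
        if kind == "ntlm-type3":    # authenticate: must answer THIS connection's challenge
            ok = self.challenge is not None and payload == self.challenge
            self.challenge = None
            return (200 if ok else 401), None
        return 401, None

class Proxy:
    """pinned=False: next pooled connection per request. pinned=True: 1:1 mapping."""
    def __init__(self, pool_size, pinned):
        self.pool = itertools.cycle([BackendConnection() for _ in range(pool_size)])
        self.pinned = pinned
        self.pins = {}              # client id -> its dedicated backend connection

    def forward(self, client_id, kind, payload=None):
        if not self.pinned:
            conn = next(self.pool)
        else:
            if client_id not in self.pins:
                self.pins[client_id] = next(self.pool)
            conn = self.pins[client_id]
        return conn.handle(kind, payload)

def ntlm_login(proxy, client_id):
    _, challenge = proxy.forward(client_id, "ntlm-type1")
    # Simplification: echo the challenge instead of computing a real Type 3 response.
    status, _ = proxy.forward(client_id, "ntlm-type3", challenge)
    return status

def kerberos_login(proxy, client_id):
    status, _ = proxy.forward(client_id, "kerberos", "valid-ticket")
    return status

def compare(pool_size=2):
    pooled, pinned = Proxy(pool_size, False), Proxy(pool_size, True)
    return {"ntlm_pooled": ntlm_login(pooled, "c1"), "ntlm_pinned": ntlm_login(pinned, "c1"),
            "kerberos_pooled": kerberos_login(pooled, "c1")}
```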
Jul 31, 2008 02:11 PM|ncruz
Thank you for the quick reply.
Unfortunately disabling Windows Auth, in my scenario, will immediately prompt me with a 502 Bad Gateway (subcode 3) message error upon entering the credentials. I wasn't aware of the ARR issue with the NTLM authentication, thank you for pointing that out.
This leaves me with Kerberos as a mandatory path in search for a solution at this time.
If more input could be available I would be grateful.
Jul 31, 2008 04:04 PM|anilr
Can you share the failed request tracing log for the case when you get 502.3? Passing authenticated requests through ARR is something that is not really tested for tech preview 1 and there are probably issues that will be fixed in the next release.
Aug 06, 2008 07:44 AM|ncruz
Yes I can. Provide me with an email address and I'll gladly send it.
I'm still battling with Kerberos over ARR but it's probably me being unfamiliar with Kerberos.
Aug 06, 2008 10:23 AM|anilr
My e-mail address is anil (dot) ruia (at) microsoft (dot) com
Aug 02, 2010 11:26 AM|dandoney
I am having the same problems as described above. However, we are required to use NTLM (not Kerberos) – I was reading this thread and was concerned that this may not be possible. Has ARR been updated to work with NTLM for routing where the back-end servers require IWA and cannot use Kerberos? Is there a plan to update it?
May 09, 2013 04:49 AM|jarrodwee
We are having the same problems as well.
Authentication passes through ARR v2.5 successfully to the server farm when using Kerberos, but NTLM fails.
Any official word on whether NTLM is supposed to be (or will eventually be) supported?