IIS 7 and Above
Error HTTP Error 401.1 - Unauthorized
Last post Feb 01, 2019 11:18 AM by LMS-BR
Jan 31, 2019 08:14 PM|LMS-BR
I am having a problem with integrated authentication. My main website is the Default Web Site, which works without a binding. Below the Default Web Site there are many virtual directories and applications. The sites open because of the DNS request. When I add the bindings for HTTP and HTTPS, the applications below the Default Web Site (i.e. mywebsite.com/XYZ, application XYZ) stop authenticating. I followed many steps to create an SPN for HTTP for the website (mywebsite.com), using the machine account and a domain user account, but I have had no success. Do you have any ideas about what is happening? The main site (mywebsite.com) works fine.
The error message from the failed request tracing XML is:
ConfigExceptionInfo Notification AUTHENTICATE_REQUEST
IIS tracing log errors
Feb 01, 2019 08:30 AM|Jalpa Panchal
An SPN is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each service instance must have its own SPN. A particular service instance can have multiple
SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running. Therefore, a service instance might register an SPN for each name or alias
of its host.
IIS passes the Negotiate security header when Windows Integrated Authentication is used to authenticate client requests. The Negotiate security header lets clients select between Kerberos authentication and NTLM authentication. The Negotiate process selects Kerberos
authentication unless one of the following conditions is true:
To enable the Negotiate process to select the Kerberos protocol for network authentication, the client application must provide an SPN, a user principal name (UPN), or a NetBIOS account name as the target name. If the client application does not provide
a target name, the Negotiate process cannot use the Kerberos protocol. If the Negotiate process cannot use the Kerberos protocol, the Negotiate process selects the NTLM protocol.
For more information you could see the article:
How to use SPNs when you configure Web applications that are hosted on IIS
Feb 01, 2019 11:18 AM|LMS-BR
Thanks for the reply, Jalpa.
I don't understand why, when I remove the bindings, authentication in the application works fine. But when I add a binding to my main site, all applications below it with Windows authentication stop working.
A few days ago I configured the SPN based on the link that you sent. I used two methods.
I created an SPN for the website using the machine account with the command:
setspn -A http/mywebsite.com myiisserver
I created an SPN for the website using a domain account and then configured the application pool to use the domain account.
setspn -A http/mywebsite.com mydomain\useraccount
After that, I configured the server and the domain account for delegation in Active Directory.
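
Added example, not part of the thread: Jalpa's answer describes an SPN as the name that uniquely identifies a service instance, so a useful check is whether one SPN is held by more than one account, which is the state that results if both setspn -A commands above are in effect at once. The registration list is constructed from the thread's placeholder names, and Find-DuplicateSpn is a hypothetical helper.

```powershell
# Constructed sample: account/SPN pairs as they would exist if both
# setspn -A commands from the thread had been applied. The HOST entry
# is a constructed extra so the list contains a non-duplicate.
$registrations = @(
    [pscustomobject]@{ Account = 'myiisserver';          Spn = 'http/mywebsite.com' }
    [pscustomobject]@{ Account = 'mydomain\useraccount'; Spn = 'HTTP/mywebsite.com' }
    [pscustomobject]@{ Account = 'myiisserver';          Spn = 'HOST/myiisserver' }
)

# Hypothetical helper: returns every SPN that is registered on more
# than one account, together with the accounts that hold it.
function Find-DuplicateSpn {
    param([Parameter(Mandatory)] [object[]] $Registration)

    # Compare SPNs case-insensitively by normalising before grouping.
    $Registration |
        Group-Object -Property { $_.Spn.ToLowerInvariant() } |
        ForEach-Object {
            $accounts = @($_.Group.Account | Sort-Object -Unique)
            if ($accounts.Count -gt 1) {
                [pscustomobject]@{ Spn = $_.Name; Accounts = $accounts }
            }
        }
}

$duplicates = @(Find-DuplicateSpn -Registration $registrations)
foreach ($d in $duplicates) {
    '{0} is registered on {1} accounts: {2}' -f `
        $d.Spn, $d.Accounts.Count, ($d.Accounts -join ', ')
}

# Against a live domain, setspn itself can do the lookup:
#   setspn -Q http/mywebsite.com   # which accounts hold this SPN
#   setspn -X                      # search for duplicate SPNs
#   setspn -S <spn> <account>      # add only after checking for duplicates
```

With a duplicate in place the KDC cannot resolve the SPN to a single account, so Kerberos fails for that name.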