We are excited to announce that the IIS.NET Forums are moving to the new Microsoft Q&A experience. Learn more >

Error HTTP Error 401.1 - UnauthorizedRSS

2 replies

Last post Feb 01, 2019 11:18 AM by LMS-BR

  • Error HTTP Error 401.1 - Unauthorized

    Jan 31, 2019 08:14 PM|LMS-BR|LINK

    Hi everyone, 

    I having un problem with authentication integration. My principal Website is the Default Web works without Bind. Below the Default WebSite, there is many virtual directory and application The sites open bacause the DNS request. When i add the Binds for Http and Https the applications below default web site (I.E mywebsite.com/XYZ) application XYZ stop authentication. I followed many steps about create spn for http for the website (mywebsite.com) for using machine account and domain user accout. But i dont have success. you have any ideais about what happening? The principal site (myswebsite.com) works fine

    The message erro from xml failed request tracing rules is:

    ModuleName WindowsAuthenticationModule

    Notification 2

    HttpStatus 401

    HttpReason Unauthorized

    HttpSubStatus 1

    ErrorCode 3221225581

    ConfigExceptionInfo Notification AUTHENTICATE_REQUEST

    IIS tracing Log erros

  • Re: Error HTTP Error 401.1 - Unauthorized

    Feb 01, 2019 08:30 AM|Jalpa Panchal|LINK


    An SPN is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each service instance must have its own SPN. A particular service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running. Therefore, a service instance might register an SPN for each name or alias of its host.

    IIs pass the negotiate security header when windows integrated authentication is used to authenticate client requests. negotiate security  header lets clients select between Kerberos authentication and NTLM authentication. The Negotiate process selects Kerberos authentication unless one of the following conditions is true:

    • One of the systems that is involved in the authentication cannot use Kerberos authentication.
    • The calling application does not provide enough information to use Kerberos authentication.

    To enable the Negotiate process to select the Kerberos protocol for network authentication, the client application must provide an SPN, a user principal name (UPN), or a NetBIOS account name as the target name. If the client application does not provide a target name, the Negotiate process cannot use the Kerberos protocol. If the Negotiate process cannot use the Kerberos protocol, the Negotiate process selects the NTLM protocol.

    For more information you could see the article:

    How to use SPNs when you configure Web applications that are hosted on IIS



    .NET forums are moving to a new home on Microsoft Q&A, we encourage you to go to Microsoft Q&A for .NET for posting new questions and get involved today.
  • Re: Error HTTP Error 401.1 - Unauthorized

    Feb 01, 2019 11:18 AM|LMS-BR|LINK

    Thanks for reply Jalpa


     I don't understand why when i remove binds the authentication in application works fine. But when i add bind in my principal site all applications bellow with windows authentication stop works.

    A few day ago i configure SPN with based with link that you sent. I used two methods.

    First method

    I created SPN for website for using machine account with the command:

    setspn -A http/mywebsite.com myiisserver

    Second Method

    I created SPN for web site for use domain account and then configured the application pool for use domain account.

    setspn -A http/mywebsite.com mydomain\useraccount.

    And after i configured the server and domain account for delegation from active directory.

    Any ideas?