28
votes

I am having a problem with getting windows authentication to work on IIS 7.5. The application is an internal site built in asp.net MVC 3. The application pool is using a specific domain user and the site is using windows authentication. Every time I try to launch the site IE prompts me for a login.

If I cancel enough the site comes up, messed up looking, but it has my name associated with my windows log in displayed at the top. So that tells me that the site is picking up my windows credentials correctly.

I added the Network local user to have read access to the inetpub folder on the server and now it doesn't prompt for login with IE 8. But on chrome I get this error "Error 338 (net::ERR_INVALID_AUTH_CREDENTIALS): Unknown error.".

It is in our intranet sites zone. I should have stated this but I forgot. The site used to work on our old development server but when I upgraded to Win 2008 R2 with IIS 7.5 it stopped working. Used to be on 2003 with IIS 6.0.

I am wondering if any one has any idea what else I can try. I am pretty much spinning my wheels at this point.

I have tried all of the solutions in the links below and none of them have fixed the problem.

http://forums.iis.net/t/1177154.aspx

http://forums.iis.net/t/1178188.aspx

Receiving login prompt using integrated windows authentication

http://warnajith.blogspot.com/2011/06/iis-75-401-unauthorized-access-error.html

http://forums.asp.net/t/1639511.aspx/1

https://superuser.com/questions/128746/iis-asks-for-login-pass-when-accessed-using-hostname-but-not-when-localhost-is

http://ask.metafilter.com/183636/Prompted-for-a-username-and-password-when-browsing-to-an-IIS-virtual-directory

IIS 7 and Windows Authentication

7 Answers

23
votes

Related Note: If you are trying to replicate your site on localhost, and windows authentication is enabled and still fails, the solution is some registry hacking to avoid the loopback check:

Using regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0. Add a new Multi-String Value to MSV1_0 and name it BackConnectionHostNames. Add the host names you wish to use, for example "mysite.com". Restart IIS.

Source link

The value should be the website name in your windows hosts file.

Also, to be able to access a non-authenticated /data folder using PHP's file_get_contents, I had to add this to the applicationHost.config file to prevent 401 errors.

<location path="mysite.com/data">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="true" />
                <windowsAuthentication enabled="false" />
            </authentication>
        </security>
    </system.webServer>
</location>
18
votes

I found the answer to this. It is a config setting that isn't mapped in the GUI. I had to go into the application host config file located at <%SystemDrive%>/Windows/System32/inetsrv/config and change the below settings.

Default settings were:

<windowsAuthentication enabled="true">
    <providers>
        <add value="Negotiate" />
    </providers>
</windowsAuthentication>

Changed to this and it worked:

<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
    <providers>
        <add value="NTLM" />
    </providers>
</windowsAuthentication>
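As an added example (not code from any of the answers on this page), the following PowerShell reads back the windowsAuthentication attributes and provider order that the accepted answer changed, together with the BackConnectionHostNames list from the loopback-check answer, and can apply both changes. It assumes the WebAdministration module on IIS 7.5 (Windows 2008 R2), an elevated session, and placeholder site and host names.

```powershell
# Added example (not from any answer). Assumes WebAdministration module, IIS 7.5, elevated session.
Import-Module WebAdministration

$siteName = 'Default Web Site'   # assumption: replace with the affected site
$hostName = 'mysite.example'     # assumption: the host header, also present in the hosts file
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$authPath = 'system.webServer/security/authentication/windowsAuthentication'
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-WinAuthState {
    # Read-only view: the attributes the accepted answer changed, the provider order,
    # and the loopback-check host list from the BackConnectionHostNames answer.
    $auth = Get-WebConfiguration -PSPath $appHost -Location $siteName -Filter $authPath
    $providers = Get-WebConfiguration -PSPath $appHost -Location $siteName -Filter "$authPath/providers/add" |
        ForEach-Object { $_.value }
    $back = (Get-ItemProperty -Path $lsaKey -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
    [pscustomobject]@{
        Enabled               = $auth.enabled
        UseKernelMode         = $auth.useKernelMode
        UseAppPoolCredentials = $auth.useAppPoolCredentials
        ProviderOrder         = ($providers -join ', ')
        BackConnectionHosts   = ($back -join ', ')
    }
}

function Set-WinAuthPerAnswers {
    # 1. Accepted answer: kernel-mode auth, app-pool credentials, NTLM as the provider.
    #    useAppPoolCredentials=true matters when the pool runs as a domain user: without it
    #    kernel-mode auth decrypts Kerberos tickets with the machine account, not the pool identity.
    $common = @{ PSPath = $appHost; Location = $siteName; Filter = $authPath }
    Set-WebConfigurationProperty @common -Name enabled -Value $true
    Set-WebConfigurationProperty @common -Name useKernelMode -Value $true
    Set-WebConfigurationProperty @common -Name useAppPoolCredentials -Value $true
    # Replace the provider list with NTLM only, as in the accepted answer (chris's answer
    # instead keeps Negotiate after NTLM; add it back with a second Add-... call if wanted).
    foreach ($p in 'Negotiate', 'NTLM') {
        Remove-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter "$authPath/providers" `
            -Name '.' -AtElement @{ value = $p } -ErrorAction SilentlyContinue
    }
    Add-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter "$authPath/providers" `
        -Name '.' -Value @{ value = 'NTLM' }
    # 2. Loopback-check answer: list the host header in BackConnectionHostNames (merged with
    #    any existing names) rather than disabling the loopback check machine-wide.
    $existing = @((Get-ItemProperty -Path $lsaKey -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames)
    $hosts = @(($existing + $hostName) | Where-Object { $_ } | Select-Object -Unique)
    New-ItemProperty -Path $lsaKey -Name BackConnectionHostNames -PropertyType MultiString -Value $hosts -Force | Out-Null
    iisreset | Out-Null   # the registry answer calls for an IIS restart
}

Get-WinAuthState   # inspect first; run Set-WinAuthPerAnswers, then Get-WinAuthState again
```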

6
votes

In order for integrated credentials to be passed by IE, the site needs to be in your Intranet sites zone. It cannot be in trusted sites or any other sites.

2
votes

I had a similar problem and it was fixed by adding the users group (MYDOMAIN\Users) to the physical folder of the application with read permissions.

2
votes

I have a similar problem that is only solved by moving NTLM on top of Kerberos in the providers as explained by Rory, or by modifying DNS. The problem only occurs in IIS7 when the host header of the website exists as a CNAME (alias) in the DNS. In IIS6, Integrated Windows Authentication only uses NTLM by default. In IIS7, IWA uses Kerberos before NTLM by default. Replacing the CNAME record with an A record solves the problem. Kerberos has no problems with A records in DNS, but it has problems with aliases.

So apparently DNS CNAMEs are not compatible with Kerberos on Windows 2008.

chris

0
votes

If the browser prompts you for credentials, I think your app pool credential doesn't have access to some of the resources on your page. Have you tried to create a blank HTML page and access that page?

<html>
<body>
hello world!
</body>
</html>
0
votes

I have a similar problem.

I had an application under Default Web Site that already had Windows authentication enabled but didn't work. I solved it by disabling anonymous authentication on Default Web Site and also enabling Windows authentication on Default Web Site.