0
votes

I'm migrating an ASP.NET WebForm 2.0 website from Windows Server 2003 (IIS 6) to Windows Server 2012 R2 (IIS 8.5).

The website uses Windows Authentication for internal users.

In IIS 6, Windows Authentication works perfectly.

In IIS 8.5, sometimes Windows Authentication works and users can see the site, but sometimes Windows Authentication doesn't work at all and users see a 404 error ("The webpage cannot be found" is displayed).

I use Fiddler to watch traffic to the site:

  • Whenever Windows Authentication works, I see web requests have Authorization header as below: Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAIAAA………………. (650 characters total)

  • Whenever Windows Authentication DOESN'T work, I see web requests either have no Authorization header or have Authorization header as below: Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw== (80 characters total)

Can you advise how to fix this issue? How can I make Windows Authentication work consistently in IIS 8.5?

I also notice there are 2 providers in the Windows Authentication setting in IIS:

  • Negotiate
  • NTLM

I've reordered these providers but I'm still having the same issue.

Comments:

  • Is the site an intranet? For your two examples, are both machines the same (e.g. Win 10 x64, IE 11), or are there any differences? – tgolisch
  • For the second option, do you mean "Whenever Windows Authentication does not work"? – Rohith
  • @RohithRajan: yes, I've updated my question. Thank you. – Tuyen Nguyen
  • @tgolisch: yes, this is an intranet site. I use the same machine to access the site. – Tuyen Nguyen

2 Answers

3
votes

The smaller Negotiate header is part of a feature called NTLM Pre-Auth:

    Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

So this is an IE client-side feature where the client only sends part of the auth header as part of NTLM pre-auth. This article talks about that. Also I see that your website is not using Kerberos only (the NTLM token starts with TlRMTV...).

From the IIS server side, you can disable kernel-mode authentication and verify if it works:

  • In IIS Manager, go to the website
  • Open Authentication
  • Click on Windows Authentication
  • From the Actions pane (right side), open Advanced Settings
  • Uncheck Kernel-mode authentication
  • Restart IIS

It's very strange that you are getting a 404 error though. Do you have any requirement in your application that it only works on Kerberos (Kerberos delegation, double hop, etc.)? Normally your application should have a Kerberos token unless some basic things are fine.

Edit:

As suspected before, it looks like the website was using NTLM instead of going on Kerberos. This is because Kerberos cannot work with an external domain or IP address. So it will fall back to NTLM, and with NTLM IE might use NTLM pre-auth. I still do not know about the 404 error; normally you should get a 401 error. Getting 404 might be something application specific.
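To tell at a glance which of the captured headers actually carries credentials, here is an added example (not code from the question or either answer) that decodes only the start of each Negotiate token and reports whether it is an NTLM Type 1 NEGOTIATE, an NTLM Type 3 AUTHENTICATE, or a Kerberos/SPNEGO token. The two NTLM samples are the prefixes quoted in the question; the SPNEGO sample and the capture list are constructed for the example.

```python
"""Classify Authorization headers from a Fiddler-style capture (added example)."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Prefixes exactly as quoted in the question (the long one is truncated there).
PAGE_TYPE3_PREFIX = "Negotiate TlRMTVNTUAADAAAAGAAYAIAAA"
PAGE_TYPE1 = "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
# Constructed SPNEGO token: DER [APPLICATION 0] (0x60) + SPNEGO OID 1.3.6.1.5.5.2.
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    b"\x60\x82\x05\x40" + b"\x06\x06\x2b\x06\x01\x05\x05\x02" + bytes(8)
).decode()


def classify_authorization(header_value):
    """Return (mechanism, detail) for one Authorization header value (or None)."""
    if not header_value:
        return ("none", "request carries no Authorization header")
    scheme, _, token = header_value.strip().partition(" ")
    if scheme not in ("Negotiate", "NTLM"):
        return ("other", scheme)
    # 16 base64 chars = 12 bytes: the 8-byte NTLMSSP signature plus the
    # little-endian 4-byte message type. This works on truncated captures too.
    head = token[:16]
    raw = base64.b64decode(head + "=" * (-len(head) % 4))
    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        return ("NTLM", "Type %d %s" % (msg_type, NTLM_TYPES.get(msg_type, "UNKNOWN")))
    # A GSS-API InitialContextToken starts with tag 0x60, which is why
    # Kerberos/SPNEGO Negotiate tokens begin with "YI" after base64.
    if raw[:1] == b"\x60":
        return ("SPNEGO/Kerberos", "GSS-API token, not NTLMSSP")
    return ("unknown", "unrecognised token prefix")


def audit_capture(requests):
    """Map each (url, authorization) pair to its mechanism.

    NTLM Type 1 is only the client's opening offer and carries no credentials;
    a request that never gets past it (no Type 3 follows) is not authenticated.
    """
    return [(url, classify_authorization(auth)) for url, auth in requests]


if __name__ == "__main__":
    capture = [("/Default.aspx", PAGE_TYPE3_PREFIX), ("/Default.aspx", PAGE_TYPE1),
               ("/Default.aspx", None), ("/Default.aspx", SAMPLE_SPNEGO)]
    for url, result in audit_capture(capture):
        print(url, result)
```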

0
votes

After 3 days of investigation, our web team has realized that this website has 2 bindings in IIS:

  • one binding to the internal IP address
  • one binding to the external IP address

They have removed the binding to the external IP address and the site works perfectly with Windows Authentication.