1
votes

I have been struggling with getting Windows authentication to work on IIS10 for a .NET Core API. The error I am getting is 401.2:

You are not authorized to view this page due to invalid authentication headers.

I have made the following configurations:

  1. Only Windows authentication has been enabled on the site (Anonymous is disabled)
  2. SPNs have been created for the site and the server has been enabled for delegation.
  3. The application pool is configured to run under a domain account

Both cURL and Postman give me the same result. Interestingly, when I make use of the SwaggerUI on the API directly, I get the expected behavior, but when making external calls (from another server), I get the 401.2 error.

Some additional content from the error is that the Logon Method and Logon User are Not Yet Determined.

How do I resolve this issue?

1
How did you make external calls? Are the two servers under the same domain? - Edward

1 Answer

0
votes

I was under the assumption that Postman and cURL were sending the NTLM credentials/token as a part of the request by default, but was incorrect. I had to enable Failed Request Tracing on IIS and saw that they were trying to make use of anonymous authentication. Apparently Postman does not support NTLM authentication so I made use of cURL and appended the credentials. With this I could get the authentication to work with cURL.
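
The check that Failed Request Tracing made possible in the answer above can also be done on the `Authorization` header of a captured request. This is an added example, not part of the original answer: the function name, labels and sample headers are constructed for illustration, and the Kerberos detection is a heuristic that looks for the Kerberos 5 OID inside the Negotiate token.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"  # signature that starts every NTLM message
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_authorization(value):
    """Label what a client offered in its Authorization header (None if absent)."""
    if not value or not value.strip():
        return "anonymous"  # the case that fails when only Windows auth is enabled
    scheme, _, blob = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("ntlm", "negotiate"):
        return "other:" + scheme
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    # NTLM may arrive raw (NTLM or Negotiate scheme) or wrapped inside SPNEGO.
    pos = token.find(NTLMSSP)
    if pos != -1 and len(token) >= pos + 12:
        msg_type = int.from_bytes(token[pos + 8:pos + 12], "little")
        return "ntlm:" + NTLM_TYPES.get(msg_type, "unknown")
    if scheme == "negotiate" and KRB5_OID in token:
        return "kerberos"
    return "malformed"


def _b64(raw):
    return base64.b64encode(raw).decode()


# Constructed sample headers (not captured traffic).
_NTLM_TYPE1 = NTLMSSP + (1).to_bytes(4, "little") + bytes(24)
SAMPLES = {
    "no credentials sent": None,
    "NTLM negotiate": "NTLM " + _b64(_NTLM_TYPE1),
    "Negotiate falling back to NTLM": "Negotiate " + _b64(_NTLM_TYPE1),
    # Stub token: GSS-API tag 0x60, length, Kerberos OID, zero padding.
    "Negotiate carrying Kerberos": "Negotiate " + _b64(b"\x60\x1e" + KRB5_OID + bytes(19)),
    "Basic": "Basic dXNlcjpwYXNz",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(f"{name:32} -> {classify_authorization(header)}")
```

A result of `anonymous` for a request that was expected to carry Windows credentials means the client never attached them.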