Solution 1
This weekend while I was creating a publishing rule for an IIS webpage on our TMG server I noticed a strange behaviour on the IIS server. When you try to open the page through a web browser you get an HTTP authentication window, and after you enter your credentials the same HTTP authentication window pops up again. After the third iteration the server reports 401 Unauthorized: Access is denied due to invalid credentials.
The problem was solved by changing the order for the authentication mechanisms. We had Negotiate above NTLM and the server had trouble authenticating the users.
To change the order you have to do the following:
- Open IIS and select the website (or directory) that is causing the 401
- Open the “Authentication” property under the IIS header
- Click the “Windows Authentication” item and click Providers
- Change the order and put NTLM on top.
After the change, open Command Prompt and run iisreset /noforce.
The error should be gone and credentials should be working again.
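Provider order is a per-site setting, so it is worth being able to list which sites offer NTLM ahead of Negotiate. The following is an added example, not code from the original post: it reads the provider order per location from applicationHost.config, and the embedded XML and site names are constructed sample data.

```powershell
# Added example, not from the original post. Constructed excerpt in the layout
# of %windir%\System32\inetsrv\config\applicationHost.config; site names are made up.
$sample = [xml]@'
<configuration>
  <location path="Intranet">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <providers>
          <clear />
          <add value="NTLM" />
          <add value="Negotiate" />
        </providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Reports">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
'@

function Get-WindowsAuthProviderOrder {
    param([xml]$AppHostConfig)

    $xpath = 'system.webServer/security/authentication/windowsAuthentication'
    foreach ($loc in $AppHostConfig.SelectNodes('/configuration/location')) {
        $wa = $loc.SelectSingleNode($xpath)
        if ($null -eq $wa -or $wa.GetAttribute('enabled') -ne 'true') { continue }

        $order = @($wa.SelectNodes('providers/add') |
                   ForEach-Object { $_.GetAttribute('value') })
        [pscustomobject]@{
            Path      = $loc.GetAttribute('path')
            # No <providers> override means the server-level order is inherited.
            Providers = if ($order.Count) { $order -join ', ' } else { '(inherited)' }
            NtlmFirst = ($order.Count -gt 0 -and $order[0] -eq 'NTLM')
        }
    }
}

Get-WindowsAuthProviderOrder -AppHostConfig $sample | Format-Table -AutoSize

# Against the live file (read-only, elevated prompt):
# Get-WindowsAuthProviderOrder ([xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config" -Raw))
```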
Solution 2
After migrating a web application to a new server, we encountered this server error:
401 – Unauthorized: Access is denied due to invalid credentials. You do not have permission to view this directory or page using the credentials that you supplied.
This happened despite the fact the user is already authenticated via Active Directory.
An Access Denied error can have many causes, but if you think you’ve already configured everything correctly in your ASP.NET application, there might be a small detail that was forgotten. Make sure you give Authenticated Users the proper permissions to access your web application directory.
Right-click the directory where the web application is stored, select Properties and click the Security tab.
Click Edit…, then the Add… button. Type Authenticated Users in the Enter the object names to select box.
Click OK and you should see Authenticated Users as one of the user names. Give it the proper permissions in the Permissions for Authenticated Users box at the bottom if they’re not checked already.
Click OK twice to close the dialog box. It should take effect immediately, but if you want to be sure, you can restart IIS for your web application.
Refresh your browser and it should display the web page now.
Solution 3:
An IIS administrator can fix this issue by reconfiguring the IIS authentication settings. To make the change, follow the steps below.
1. Open the IIS Manager.
2. Expand the listed sites, open the required Sage CRM site and select the Authentication feature.
3. Open Anonymous Authentication to edit credentials.
4. Change Anonymous user identity from Specific User to Application pool identity.
5. Run IISRESET.
This changes the security credentials IIS uses for that site. After that you can make administrative changes in Sage CRM in the administrative mode.
Given: Windows Server 2012 R2
Error: HTTP 401.1 - Unauthorized: Logon Failed when authenticating to a site (IIS)
This solution applies when:
- You have IIS version 5.1 or later
- The site uses domain authentication (Windows Authentication)
- You are trying to open a site that uses domain authentication locally (on the same machine where IIS itself runs)
- You are trying to call services on IIS locally with domain authentication (for example, when a 1C cluster is installed on the same server and server-side code tries to call services on the local IIS)
In these cases you get an error message similar to this:
HTTP Error 401.1 — Unauthorized
You do not have permission to view this directory or page using the credentials that you supplied.
…
Detailed Error Information:
Module WindowsAuthenticationModule
Notification AuthenticateRequest
Handler 1C Web-service Extension
Error Code 0xc000006d
Requested URL (the problem URL goes here)
Physical Path c:\inetpub\wwwroot\ws\hs\
Logon Method Not yet determined
Logon User Not yet determined
The server logs may also show the following message:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: —
Account Domain: —
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: username
Account Domain: domainname
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000006D
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: —
Network Information:
Workstation Name: SRV-PRG
Source Network Address: —
Source Port: —
Detailed Authentication Information:
Logon Process:
Authentication Package: NTLM
Transited Services: —
Package Name (NTLM only): —
Key Length: 0
One way to solve this: in the registry, specify the host that you allow to be connected to using domain authentication.
To do this, find the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Create a new value:
- Type: Multi-String Value
- Name: BackConnectionHostNames
- In the value data, list the required addresses.
After configuring, restart IIS.
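BackConnectionHostNames is an allow-list for the NTLM loopback check, so it should hold only the names the local site is actually requested by. The following is an added example, not part of the original article: it merges names into the existing value instead of overwriting it, and the host names in `$siteNames` are placeholders.

```powershell
# Added example (not from the original article). Merges host names into
# BackConnectionHostNames instead of overwriting whatever is already there.
# Run from an elevated PowerShell prompt on the IIS server.

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'BackConnectionHostNames'

# Assumption: placeholder names. Use the exact host headers / aliases the
# local site is requested by, and nothing broader.
$siteNames = @('intranet.example.local', 'intranet')

function Merge-BackConnectionHostNames {
    param([string[]]$Existing, [string[]]$ToAdd)

    $merged = @()
    foreach ($name in (@($Existing) + @($ToAdd))) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }
        $name = $name.Trim()
        # The value holds bare host names: no scheme, port, path or wildcard.
        if ($name -notmatch '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$') {
            throw "Not a plain host name: '$name'"
        }
        # -notcontains is case-insensitive, so INTRANET and intranet collapse.
        if ($merged -notcontains $name) { $merged += $name }
    }
    return $merged
}

$current = (Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
$merged  = Merge-BackConnectionHostNames -Existing $current -ToAdd $siteNames

# -Force replaces an existing value; -PropertyType keeps it REG_MULTI_SZ.
New-ItemProperty -Path $lsaKey -Name $valueName -PropertyType MultiString `
    -Value ([string[]]$merged) -Force | Out-Null

# Read back what is now allowed through the loopback check.
(Get-ItemProperty -Path $lsaKey -Name $valueName).$valueName

# The article's last step: restart IIS so the change is picked up.
iisreset /noforce
```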
When you need to restrict access to your web application on IIS, any unauthorized users will see the standard 401 Error Page from IIS:
401 – Unauthorized: Access is denied due to invalid credentials. You do not have permission to view this directory or page using the credentials that you supplied.
Often, though, you want to show your end users a custom error page with specific instructions on what to do. That is certainly a more graceful way of handling the error than just showing the standard Windows 401 error page.
If you have the flexibility to set up your own web instances, you might want to try using a 302 Redirect instead, as it’s much simpler to set up. Otherwise, this is also a viable option, although a bit long.
Steps to Use Custom 401 Error Page in IIS
- Create an HTML page as our custom 401 page. In this example, it will be called ITNOTA-Custom-401.htm.
  For simplicity, we’ll save the file in the C:\Temp folder.
- Next, launch Internet Information Services (IIS) Manager and click on your site in the left pane.
- Click on Error Pages.
- On the next screen, you will see a list of default error pages by Status Code. In this example, we want to select 401.
- In the Edit Custom Error Page window, click on the Set… button.
- In the Set Localized Custom Error Path window, type the location where the custom 401 HTML page resides in the Directory path box. Only type in the path/folder. The file name itself should be in the Relative file path textbox. Then click OK.
- You should see something similar to this. Click OK again.
- At this point, we’re done setting up the custom 401 error page. However, if you still use the defaults for the other settings, you may run into this error:
  HTTP Error 500.19 – Internal Server Error
  Absolute physical path "c:\temp" is not allowed in system.webServer/httpErrors section in web.config file. Use relative path instead.
  If you read the error message, it points exactly at the problem in the configuration, that is, in the system.webServer/httpErrors section.
- In IIS Manager, click on the server in the left navigation pane and click on Configuration Editor.
- In the Configuration Editor, under Section:, click on the drop-down and select system.webServer, then httpErrors.
- Click on allowAbsolutePathsWhenDelegated, then click on Unlock Attribute if it’s locked. If it’s already unlocked (no padlock sign), then you’re good. Then click Apply under Actions.
- Now, click on your site in the left navigation pane, and also click on Configuration Editor.
- Repeat the step to get to system.webServer/httpErrors and set allowAbsolutePathsWhenDelegated to True. Then click Apply.
- At this point, depending on your Authentication setting, you should be able to see the custom 401 error page in your browser (if you failed to authenticate). However, if you use Windows Authentication, you might see a 401.2 error page.
  HTTP Error 401.2 - Unauthorized
  You are not authorized to view this page due to invalid authentication headers.
  Rest easy, we just need to redirect this 401.2 error to our custom 401 error page.
- Go back to Internet Information Services (IIS) Manager and click on your site on the left and Error Pages on the right.
- This time, we create an additional entry for the 401.2 error by clicking on the Add… link under Actions in the right pane. You can duplicate the entry from the 401 setup, except this time the Status code should have a value of 401.2. Click OK.
- Now you should see the list in your Error Pages window similar to this.
That’s all there is to it.
As a test, we can try to load the page and, when prompted to type in a credential, leave it blank and click the Cancel button.
If you purposely fail the authentication to access your test website, you should see your custom 401 error page is displayed in your browser now.
Yes, it’s almost like an anti-climax to see a plain custom 401 error page being displayed. I hope you can come up with a much better design than my example to make all the effort worthwhile.
If you go to your web folder, you will see a web.config file, and your configuration is saved there:
<system.webServer>
  <httpErrors allowAbsolutePathsWhenDelegated="true">
    <remove statusCode="401" subStatusCode="-1" />
    <error statusCode="401" prefixLanguageFilePath="c:\temp" path="ITNOTA-Custom-401.htm" responseMode="File" />
    <error statusCode="401" subStatusCode="2" prefixLanguageFilePath="c:\temp" path="ITNOTA-Custom-401.htm" responseMode="File" />
  </httpErrors>
</system.webServer>
This setting for a custom 401 works for both ASP.NET and Classic ASP.
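A review check for the resulting web.config, as an added example that is not part of the original article: it reports whether absolute paths are enabled for the section, whether a 401 page is served from outside the site root, and whether 401.2 was left unmapped. The embedded XML is a constructed sample matching the section above, and the site root passed in is an assumption.

```powershell
# Added example (not from the original article). The XML below is a
# constructed sample matching the httpErrors section shown above.
$sample = [xml]@'
<configuration>
  <system.webServer>
    <httpErrors allowAbsolutePathsWhenDelegated="true">
      <remove statusCode="401" subStatusCode="-1" />
      <error statusCode="401" prefixLanguageFilePath="c:\temp" path="ITNOTA-Custom-401.htm" responseMode="File" />
      <error statusCode="401" subStatusCode="2" prefixLanguageFilePath="c:\temp" path="ITNOTA-Custom-401.htm" responseMode="File" />
    </httpErrors>
  </system.webServer>
</configuration>
'@

function Test-Custom401Config {
    param([xml]$Config, [string]$SiteRoot)

    $section = $Config.SelectSingleNode('/configuration/system.webServer/httpErrors')
    if ($null -eq $section) { return @('no httpErrors section: the stock IIS 401 pages are in use') }

    $findings = @()
    if ($section.GetAttribute('allowAbsolutePathsWhenDelegated') -eq 'true') {
        $findings += 'allowAbsolutePathsWhenDelegated=true: this web.config may point error pages at absolute paths'
    }

    $root   = $SiteRoot.TrimEnd('\') + '\'
    $mapped = @()
    foreach ($e in $section.SelectNodes('error[@statusCode="401"]')) {
        $sub = $e.GetAttribute('subStatusCode')
        if ($sub -eq '') { $sub = '-1' }      # an omitted attribute defaults to -1
        $mapped += $sub

        $dir = $e.GetAttribute('prefixLanguageFilePath')
        $outside = [System.IO.Path]::IsPathRooted($dir) -and
                   -not ($dir.TrimEnd('\') + '\').StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)
        if ($outside) { $findings += "401 (sub-status $sub) is served from '$dir', outside the site root" }
    }

    if ($mapped.Count -eq 0) {
        $findings += 'no custom page mapped for 401'
    } elseif ($mapped -notcontains '2') {
        $findings += '401 is mapped but 401.2 is not: Windows Authentication failures still show the stock page'
    }
    return $findings
}

# Assumption: hypothetical site root for the sample run.
Test-Custom401Config -Config $sample -SiteRoot 'C:\inetpub\wwwroot'
```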
Windows Authentication not working on local IIS 7.5. Error 401.1: An In-Depth Explanation of the Causes and Solutions
Introduction
Windows authentication is a widely used authentication method in web development, which allows users to access websites with their Windows credentials. However, when implementing it on local IIS 7.5, an error 401.1 can occur even if the basic steps are followed. In this article, we will provide an in-depth explanation of the causes and solutions for this issue.
Causes of Error 401.1 in Windows Authentication
1. Lacking Windows Integrated Authentication
The first cause is lacking Windows integrated authentication. If your IIS installation does not have Windows integrated authentication, you will get error 401.1 when attempting to log in using Windows credentials. To fix this, you need to enable Windows integrated authentication.
2. Disabled Anonymous Authentication
Another possible cause of the 401.1 error is disabling anonymous authentication. If you have disabled anonymous authentication, users will not be able to access your website even with proper login credentials. To solve this, make sure to enable anonymous authentication in the IIS settings.
3. Incorrect SPNs for Kerberos
If you are using Kerberos for Windows authentication, incorrect SPNs can cause the error 401.1. A service principal name (SPN) is a unique identifier that identifies an account in your domain. If it is not set up correctly or if it has not been registered properly, users will still be prompted to enter their credentials even after providing them.
4. Wrong Group Membership
If a user does not belong to the group allowed to access the website, they may receive an error 401.1 despite having entered valid login credentials. Ensure that users are members of the correct groups to allow them to access the website.
5. Wrong Machine Key Size
The key size can cause errors with Windows authentication. The solution is to increase or decrease the key size depending on the version of IIS used. To solve this issue, set the key size in the applicationHost.config file using a registry value or use the «Set-WebConfigurationProperty» command in PowerShell.
6. Wrong Authentication Method
Users may use an incorrect authentication method, which can cause error 401.1. Ensure that your IIS installation uses Windows authentication by specifying it correctly. You can do this through the web.config file using «authentication mode="Windows"».
Solutions to Error 401.1 in Windows Authentication
1. Enabling Windows Integrated Authentication
If you are encountering error 401.1 because of a lack of integrated authentication, you need to enable it for your IIS instance. This can be done through the following steps:
- Open your IIS Manager console and navigate to «Authentication» under IIS Settings.
- Select the «Anonymous Authentication» section and click the «Edit» button.
- Enable Windows integrated authentication by ticking the box next to «Windows Integrated Authentication».
- Click «OK» and then «Apply».
2. Enabling Anonymous Authentication
If you have disabled anonymous authentication, follow these steps:
- Open your IIS Manager console and navigate to «Authentication» under IIS Settings.
- Select the «Anonymous Authentication» section and click the «Edit» button.
- Click on «Enable» for anonymous authentication to re-enable it.
- Click «OK» and then «Apply».
3. Correcting SPNs for Kerberos
If you have incorrect SPNs, follow these steps:
- Open the command prompt and type «ksetup list» to view your registered SPNs.
- Type «ksetup add -setrealm -add -add » where you replace SPN name, fully qualified domain name, and fully qualified service class with the correct values.
4. Adding Users to Groups
Users must be added to the correct groups to access the website. To do this, follow these steps:
- Open the «Users and Computers» snap-in in the Active Directory Users and Computer console on your domain controller or the server with which you want to work.
- Expand «Groups,» right-click on the group allowed for accessing your web site, click properties.
- Add users or other groups to the members list.
- Click Apply and OK to save changes.
5. Adjusting Key Sizes
The key size can cause issues with Windows authentication. To adjust the key size, follow these steps:
- Open «IIS Manager» from the Start menu and select «Application Pools».
- Select an application pool or create a new one and click «Edit.»
- On the Advanced tab, set the «Key Size» value to either 1024 or 2048, depending on your IIS version. Click OK to save changes.
6. Setting Authentication Methods Correctly
Set up Windows authentication by specifying it correctly in your web.config file using the «authentication mode="Windows"» parameter. To set this parameter:
- Open Notepad or another text editor.
- Create a new file called Web.Config with XML formatting and add the following code:
<configuration>
<system.web>
<authentication mode="Windows" />
</system.web>
</configuration>
Save the file, then copy it to your site’s directory, usually «inetpub\wwwroot» by right-clicking on the file and selecting «Copy.» Finally, paste it into your site’s directory.
Conclusion
In conclusion, error 401.1 in Windows authentication can be caused due to lacking integrated authentication, anonymous authentication disabling, incorrect SPNs for Kerberos, wrong group membership, and a mismatch in key size. To solve this issue, it is essential to review the listed causes, apply them correctly, and follow the corresponding solutions.
FAQs
Q: How do I fix error 401.1? A: Error 401.1 can be caused due to lacking integrated authentication, anonymous authentication disabling, incorrect SPNs for Kerberos, wrong group membership, and a mismatch in key size. It is essential to review the listed causes and follow the corresponding solutions.
Q: What is Windows Integrated Authentication? A: Windows integrated authentication is an authentication method that allows users to access websites with their Windows credentials.
Q: How do I enable integrated authentication? A: You can enable it by enabling «Windows Integrated Authentication» in the «Anonymous Authentication» section of the «Authentication» page in IIS Manager or by setting «authentication mode="Windows"» in your web.config file using the «Set-WebConfigurationProperty» command in PowerShell.
Q: What is a SPN? A: A service principal name (SPN) is a unique identifier that identifies an account in your domain.
Q: How do I add users to groups? A: To add users or other groups to the members list, follow these steps:
- Open the «Users and Computers» snap-in in the Active Directory Users and Computer console on your domain controller or the server with which you want to work.
- Expand «Groups,» right-click on the group allowed for accessing your web site, click properties.
- Add users or other groups to the members list.
- Click Apply and OK to save changes.
Q: How do I adjust key sizes? A: To adjust the key size, follow these steps:
- Open «IIS Manager» from the Start menu and select «Application Pools.»
- Select an application pool or create a new one and click «Edit.»
- On the Advanced tab, set the «Key Size» value to either 1024 or 2048, depending on your IIS version. Click OK to save changes.