IIS returns 401 for all ASMX requests with Windows Integrated Authentication


 


This problem was first found on a SPS server, and then reproduced with simple ASP.Net application. The initial symptom for this problem is SPS has problem with scrambling. SPS log shows 401 errors for ASMX page which provide scrambling function.  Later, we confirmed that all ASMX pages have the same issue.


 


To isolate the problem, we opened the ASMX page in IE; IE was keeping popup for authentication. And, IE gaves a 401 unauthorized error after 3 times trying. Then, we enabled security audit for failed logon events. However, security log shows all the related accounts were logon successfully. One crazing finding is we could see 200 successfully logged in IIS log after 401, however at client side, IE keep popup authentication window.


 


We followed the loop-back direction as all the calls were local. It doesn’t help as well.


 


Then, we created a simple TXT file under the same folder where ASMX page located, it works fine. Simple ASPX page works as well.


 


At this moment, we were suspecting that the ASMX page is calling other pages, and these pages returned 401. Unfortunately, this is not true.


 


Later, we found the HttpHandlers section in web.config was totally wrong. Follow is a sample for the wrong configuration. Usually, the highlighted “remove” item should be the first line for the section. However, it is the last line now. Under this setting, the handler for ASMP was removed.


 


      <httpHandlers>


        <add verb="*" path="*.asmx" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>


        <add verb="*" path="*_AppService.axd" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>


        <add verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" validate="false"/>


                        <remove verb="*" path="*.asmx"/>


      </httpHandlers>


 


The site started working after we move this to the beginning of the section.


 


Then, I managed to reproduce this problem locally. And have follow findings.


 


1.    If we add something like “<remove verb="*" path="*.aspx"/>”, the ASPX have the same issue as well.


2.    IIS logs 200 for the request; however the size of the response is 0. This is a sample where NTLM authentication was used. The last column is cs-bytes.


 


2009-08-13 00:03:48 GET /httphandlertest/WebService.asmx - 401 2 2148074254 1872


2009-08-13 00:03:48 GET /httphandlertest/WebService.asmx - 401 1 0 2136


2009-08-13 00:03: GET /httphandlertest/WebService.asmx FAREAST\wzhao 200 0 0 0


 


3.    Here is the sample where Kerberos authentication was used. Same, sc-bytes was 0.


2009-08-13 00:05:29 GET /httphandlertest/WebService.asmx - 401 2 2148074254 1872


2009-08-13 00:05:29 /httphandlertest/WebService.asmx FAREAST\wzhao 200 0 0 0


 


4.    IE shows “cannot display the webpage” if we set to anonymous authentication. A 200 success request with cs-bytes 0 was logged in IIS log.


 


 


See you next time.


 


Zhao Wei


 

Comments (0)

Skip to main content