IE keeps asking credentials when access an IIS7.5 web site requires Windows Authentication


 

This is a Windows 2008 R2 with IIS installed and couple of Sharepoint sites running already. The Sharepoint sites use Windows Authentication, and all these Sharepoint  sites working fine.

A new web site was deployed to this server and enabled Windows Authentication (using Kernel-mode), however, IE keeps asking credentials when access this site with HTTP://MyWebServer:8080 or HTTP://MyWebServer.MyDomain.com:8080.

First, we tested basic authentication with domain credentials, it works. Then, we enabled the audit for logon events; unfortunately, we couldn’t find any logon events when accessing the web site neither success nor failure.

To find out more information regarding this, we enable IIS FREB trace, which told us that it was “IIS Web Core” set the 401 with “Access is denied” error message.

 

Now, we have to revert to the most useful information for troubleshooting Kerberos errors – Network Monitor trace. From the capture, we confirmed that the Kerberos error was KRB_AP_ERR_MODIFIED.

Two common reasons for this error:

1.        incorrect DNS setting

2.       The ticket was encrypted/decrypted with different keys.

We verified the DNS with netmon, it works as expected. To verify the SPN, we used Ldp utility, we got follow results when query the SPN

Dn: CN=MyWebServer,……..

……

servicePrincipalName (11):

….

HOST/MyWebServer.MyDomain.com;

HOST/MyWebServer;

….

Dn: CN=SPS_Service_Account…….

….

servicePrincipalName (18):

……

HTTP/ MyWebServer.MyDomain.com;

HTTP/ MyWebServer;

……

We could see the HTTP/MyWebServer was registered to the SharePoint service account (Used to run the SharePoint application pool) which is not required for IIS 7+ when using kernel-mode authentication. Then go back to IIS MMC, we found all the SPS sites are using user-mode Windows Authentication which requires SPN to be registered on application pool identity. This is why SPS sites works with Windows Authentication.

The new added site uses kernel-mode Windows Authentication which requires the SPN register on machine account. This conflicts with the SharePoint sites.

And this explains why we get the KRB_AP_ERR_MODIFIED error. When IE access http://MyWebServer:8080, it requests ticket for HTTP/MyWebServer, this is registered on SharePoint service account. IE passes this ticket to the web server. At web server side, IIS tries using the machine account to decrypt this ticket. This definitely failed since it is encrypted with the unexpected key.

To resolve this problem:

1.       We used host headers for the new created sites like MySite, add this to the site bindings.

2.       Register SPN HTTP/MySite to machine account.

3.       Now, we use http://MySite to access this web site.

After that, we have follow SPN configured:

MyWebServer:

HTTP/MySite

HTTP/MySite.MyDomain.com

HOST/ MyWebServer

HOST/ MyWebServer.MyDomain.com

SPS service account:

HTTP/ MyWebServer

HTTP/ MyWebServer. MyDomain.com

And the IIS configured as follow:

 

 

SPS Site

MySite

SPN

HTTP/MyWebServer

registered on SPS service account

HTTP/MySite

 registered on machine account MyWebServer

Binding

All available IP

No host name

All available IP

Host name: MySite

Windows

Authentication

User-Mode

Kernel-Mode

Application

Pool Identity

SPS service account

What ever

How to Access

HTTP://MyWebServer

HTTP://MySite

 

BTW, we can set useAppPoolCredentials to true if we want use kernel-mode authentication (suggested) with SPN registered on application pool identity. Here is a sample configure.

<system.webServer>

<security>

         <authentication>

                <windowsAuthentication enabled="true" useKernelMode="true"       useAppPoolCredentials="true" />

         </authentication>

</security>

</system.webServer>

Wei Zhao from DSI team

 

 

Comments (2)

  1. Jason Jones says:

    Thanks so much - I have spent a day and a frustrating night fighting with this and, without this article would not have known how to resolve.  I know that the article is old now but it's still relevant (for me at least!)

  2. praviin says:

    browse the url from the machine other than the iis server

Skip to main content