IE keeps asking for credentials when accessing an IIS 7.5 web site that requires Windows Authentication


This is a Windows 2008 R2 server with IIS installed and a couple of SharePoint sites already running. The SharePoint sites use Windows Authentication, and all of them work fine.

A new web site was deployed to this server with Windows Authentication enabled (using kernel mode); however, IE keeps asking for credentials when the site is accessed as https://MyWebServer:8080 or https://MyWebServer.MyDomain.com:8080.

First, we tested Basic authentication with domain credentials, and it worked. Then we enabled auditing of logon events; unfortunately, we could not find any logon events, neither success nor failure, when accessing the web site.

To find out more, we enabled an IIS Failed Request Tracing (FREB) trace, which told us that it was "IIS Web Core" that set the 401 with the "Access is denied" error message.


Now we turned to the most useful source of information for troubleshooting Kerberos errors: a Network Monitor trace. From the capture, we confirmed that the Kerberos error was KRB_AP_ERR_MODIFIED.

There are two common reasons for this error:

1. Incorrect DNS settings.

2. The ticket was encrypted and decrypted with different keys.

We verified DNS with Netmon, and it worked as expected. To verify the SPNs, we used the Ldp utility and got the following results when querying for them:

Dn: CN=MyWebServer,……..

……

servicePrincipalName (11):

….

HOST/MyWebServer.MyDomain.com ;

HOST/MyWebServer ;

….

Dn: CN=SPS_Service_Account…….

….

servicePrincipalName (18):

……

HTTP/MyWebServer.MyDomain.com ;

HTTP/MyWebServer ;

……

We could see that HTTP/MyWebServer was registered on the SharePoint service account (the account used to run the SharePoint application pool). That is not what IIS 7+ expects when using kernel-mode authentication. Going back to the IIS MMC, we found that all the SPS sites use user-mode Windows Authentication, which requires the SPN to be registered on the application pool identity. This is why the SPS sites work with Windows Authentication.

The newly added site uses kernel-mode Windows Authentication, which requires the SPN to be registered on the machine account. This conflicts with the SharePoint sites.

And this explains why we get the KRB_AP_ERR_MODIFIED error. When IE accesses https://MyWebServer:8080, it requests a ticket for HTTP/MyWebServer, which is registered on the SharePoint service account, so the KDC encrypts the ticket with that account's key. IE passes this ticket to the web server. On the web server side, IIS tries to decrypt the ticket with the machine account's key. This necessarily fails, because the ticket was encrypted with a key the server does not have.

To resolve this problem:

1. We added a host header, MySite, to the bindings of the newly created site.

2. We registered the SPN HTTP/MySite on the machine account.

3. We now access the web site as https://MySite.

After that, we have the following SPNs configured:

MyWebServer:

HTTP/MySite

HTTP/MySite.MyDomain.com

HOST/MyWebServer

HOST/MyWebServer.MyDomain.com

SPS service account:

HTTP/MyWebServer

HTTP/MyWebServer.MyDomain.com

And IIS is configured as follows:

                            SPS Site                                 MySite
SPN                         HTTP/MyWebServer, registered on          HTTP/MySite, registered on
                            the SPS service account                  the machine account MyWebServer
Binding                     All available IPs, no host name          All available IPs, host name: MySite
Windows Authentication      User-Mode                                Kernel-Mode
Application Pool Identity   SPS service account                      Whatever
How to Access               https://MyWebServer                      https://MySite

By the way, we can set useAppPoolCredentials to true if we want to use kernel-mode authentication (which is the suggested mode) with the SPN registered on the application pool identity instead of the machine account. Here is a sample configuration:

<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
    </authentication>
  </security>
</system.webServer>
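As an added example (not part of the original post), the following PowerShell check models the decision the resolution steps and the useAppPoolCredentials setting above depend on: which account IIS will use to decrypt the ticket for a site (the machine account for kernel mode without useAppPoolCredentials, otherwise the application pool identity) and which AD account(s) actually hold the HTTP SPN for the host name clients use. It assumes the WebAdministration and ActiveDirectory modules are available, that it runs on the IIS server as a domain user, and that the host name lives under $env:USERDNSDOMAIN.

```powershell
# Added example, not from the original post. Assumes the WebAdministration and
# ActiveDirectory modules, a domain-joined IIS server, and that the site's host
# name is in the domain named by $env:USERDNSDOMAIN.
Import-Module WebAdministration
Import-Module ActiveDirectory

function Test-SiteSpnOwner {
    param(
        [Parameter(Mandatory)] [string] $SiteName,   # IIS site name, e.g. 'MySite'
        [Parameter(Mandatory)] [string] $HostName    # name clients use, e.g. 'MySite'
    )

    $auth = Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" `
        -Filter 'system.webServer/security/authentication/windowsAuthentication'
    $poolName = (Get-Item "IIS:\Sites\$SiteName").applicationPool
    $process  = (Get-Item "IIS:\AppPools\$poolName").processModel

    # Kernel mode without useAppPoolCredentials decrypts with the machine account.
    # User mode, or kernel mode with useAppPoolCredentials, decrypts with the
    # application pool identity; built-in identities still map to the machine account.
    if (($auth.useKernelMode -and -not $auth.useAppPoolCredentials) -or
        $process.identityType -ne 'SpecificUser') {
        $expected = "$env:COMPUTERNAME`$"
    } else {
        $expected = ($process.userName -split '\\')[-1]
    }

    # Accounts holding HTTP/<host> or HTTP/<host.fqdn>. More than one owner is a
    # duplicate SPN; a single owner other than $expected is the KRB_AP_ERR_MODIFIED case.
    $fqdn   = "$HostName.$env:USERDNSDOMAIN"
    $ldap   = "(|(servicePrincipalName=HTTP/$HostName)(servicePrincipalName=HTTP/$fqdn))"
    $owners = @(Get-ADObject -LDAPFilter $ldap -Properties sAMAccountName |
                ForEach-Object { $_.sAMAccountName })

    [pscustomobject]@{
        Site                  = $SiteName
        UseKernelMode         = [bool]$auth.useKernelMode
        UseAppPoolCredentials = [bool]$auth.useAppPoolCredentials
        ExpectedSpnOwner      = $expected
        ActualSpnOwners       = ($owners -join ', ')
        SpnMatchesDecryptor   = ($owners.Count -eq 1 -and $owners[0] -ieq $expected)
    }
}

# For the site in this post: SpnMatchesDecryptor = False means the KDC encrypts the
# ticket with a key the server will not use, which is exactly the failure above.
Test-SiteSpnOwner -SiteName 'MySite' -HostName 'MySite' | Format-List
```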

Wei Zhao from DSI team