401.2 Troubleshooting for Intranet Websites using Integrated Authentication


Although there are many reasons why IIS might return the HTTP response code 401.2 ("Unauthorized: Logon Failed due to server configuration"), there is one scenario I keep running into which must be solved on the client side rather than the server.  An IIS administrator visits the properties sheet of an internal intranet website, unchecks Anonymous authentication, and confirms that Integrated Windows authentication is selected.  Testing with Internet Explorer, he or she is surprised to see the prompt for username and password.  If the administrator types in valid credentials, the page is given to the client.  If the Cancel button is chosen when prompted for credentials, however, the browser displays the 401.2 response from IIS.  The reflex reaction of the administrator might go something like this: "Oh, it's not the well-known 401.3 response, so it must not be an NTFS permission problem on web content.  The lines are kind of blurry between the 401.1 and 401.2 in my mind, so maybe it's some complicated Kerberos problem."

When using integrated authentication we would expect the IIS logs to show a 401.2 (or 401 2 rather) for the initial client request.  The client is going to attempt to authenticate anonymously at first.  IIS will respond to the client saying something like, "Sorry but I'm not configured to allow anonymous requests.  Try either NTLM or Kerberos next time."  The client tries again using NTLM or Kerberos (it's the client's choice at this point).  If the 401.2 is still being issued, one piece of low-hanging fruit to reach for involves not the server but the client.

First I'd focus on which zone IE says the site is in--Internet zone? Local Intranet zone? Trusted sites? Presumably you'll want an intranet site in the Local Intranet zone. But if there are "dots" in the address (example: http://accounting.intranet.local) then you may see that IE thinks it is part of the Internet zone instead.  Expand the Tools menu of IE, select Internet options, and settle on the Security tab.

Highlight the icon for Local Intranet and click the Custom Level button. When the window entitled "Security Settings - Local Intranet Zone" opens, scroll to the bottom of the window and consider the four options for "Logon."  Is the bullet beside "Automatic logon only in Intranet Zone"? Perhaps it should be.  Or is it beside "Automatic logon with current user name and password"?  That should work well too.  Either of the other two options may not be a good idea for an intranet site using integrated authentication. Adjust if desired.

While the Local Intranet icon is still highlighted, click the Sites button. Click the Advanced button. Consider typing in the address of the intranet site into the field labeled "Add this website to the zone:" and click the Add button.  If you're unable to do this, your workstation may have these settings dictated by group policy.

When the website is added to the local intranet zone list and when the client is set to automatically provide credentials when browsing sites found in the local intranet list, the 401.2 often goes away.  The client simply wasn't set to present the credentials to IIS.
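
The same condition can be spotted from the server side by looking for clients whose 401 2 entries are never followed by an authenticated request. The script below is an added example, not part of the original post; it assumes the IIS W3C log includes the c-ip, cs-username, sc-status and sc-substatus fields, and the sample log lines are constructed.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not taken from a real server).
# 10.0.0.21: 401 2 then success; 10.0.0.52: NTLM adds an intermediate 401 1;
# 10.0.0.34: never gets past 401 2 (credentials prompt cancelled).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-substatus
2010-03-01 09:00:01 10.0.0.21 - GET /default.aspx 401 2
2010-03-01 09:00:01 10.0.0.21 CORP\\alice GET /default.aspx 200 0
2010-03-01 09:02:10 10.0.0.34 - GET /default.aspx 401 2
2010-03-01 09:02:15 10.0.0.34 - GET /default.aspx 401 2
2010-03-01 09:05:40 10.0.0.52 - GET /reports.aspx 401 2
2010-03-01 09:05:40 10.0.0.52 - GET /reports.aspx 401 1
2010-03-01 09:05:41 10.0.0.52 CORP\\bob GET /reports.aspx 200 0
"""

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def clients_stuck_on_401_2(text):
    """Return {client IP: number of 401.2 responses} for clients that
    never completed an authenticated request in this log."""
    denied = defaultdict(int)
    authenticated = set()
    for row in parse_w3c(text):
        ip = row["c-ip"]
        if row["cs-username"] != "-" and row["sc-status"].startswith(("2", "3")):
            authenticated.add(ip)
        elif row["sc-status"] == "401" and row["sc-substatus"] == "2":
            denied[ip] += 1
    return {ip: n for ip, n in denied.items() if ip not in authenticated}

if __name__ == "__main__":
    for ip, n in sorted(clients_stuck_on_401_2(SAMPLE_LOG).items()):
        print(f"{ip}: {n} x 401.2 and no authenticated request")
```

Clients reported here are the ones whose zone membership and Logon setting are worth checking first.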


