HTTP 401.1: Delegation Configuration Report

  • Article

HTTP 401 is a common error code you may see in an error page. While 401 has a few sub cases, 401.1 is so common that I guess most web developers experience it in the past. Well, this post will not discuss everything about 401.1 but want to provide a hint if you split your application into several layers (Application and Database for example) and deploy them onto different servers.

It is understandable that in order to achieve better security and performance the approach to split is a good practice, but it makes debugging 401.1 error much harder. Sometimes it is just hard to locate the root cause. Well, if Windows Integrated authentication is enabled and Kerberos protocol is used, then the case is even more complicated. But once you fall into this category, remember that before resorting to others, you can try this useful utility at first to isolate the issue to a narrower bandwidth.

This utility, DelegConfig, can help you analyze both IIS and AD configuration necessary for healthy Kerberos authentication. If there is anything suspicious, it will warn you with a red cross.

If you have no idea how to fix the problems yourself, then you may contact Microsoft Support with the report page so as to get your problem resolved faster.

P.S., it is not yet trivial to install and configure this tool but if you are familiar with IIS and carefully follow the blog post, there should be few road blockers. My tips for using it under IIS 7 Integrated Pipeline includes,

  • Follow this post to get rid of Migration errors 2). Otherwise, a 500 error happens.
  • Make sure that the extracted files and folder are readable by application pool identity (for example, Network Service). Otherwise, another 500 error happens.

When I came across the second 500, I used Process Monitor to monitor w3wp.exe and identify some ACCESS DENIED lines. According to them I can see what to do next.

Before testing this utility, I was still puzzled at Kerberos. But the report page I received helped a lot by combining all necessary information.

P.S. again, under several network setup cases delegation may play a key role. For example,

image

Case 1, Web application and SRS are on the same server while SQL Server is on another.

image

Case 2, Web application is on a server while SQL Server and SRS are on another.