Thursday, July 13, 2006

Any of you tried that? Well, if you have, you probably encountered some interesting behavior. At least I did.

I'm developing a web application here on the SQL Server Team @ Microsoft that needs to run in an application pool that runs with the identity of a domain user account. The application also uses Windows Integrated Authentication.
For some reason I was not able to access the website from any other place than the local machine, even though I am an admin on the machine. I just kept getting login-boxes, which is equivalent to access denied. After three login attempts it resulted in "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials."

When using Integrated Authentication, IIS is by default configured with two authentication methods: Negotiate (Kerberos) and NTLM, with Negotiate as the primary that is tried first. After burning off a few hours trying to figure this out, I found that in my setup, Kerberos authentication fails, and IIS will not let you access the web site. The same is also true if you run the App Pool as a local user and the server running IIS is not using a WINS or DNS name. It looks like the easiest solution is to disable Kerberos and force IIS to use NTLM. See the MS TechNet article below for how to do that. The blog link below describes another solution to this problem which may be preferable.
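A troubleshooting aid for the situation described above, as an added example that is not part of the original post: it lists the schemes a 401 response offers and reports whether the token a client sent in its `Authorization` header is Kerberos or NTLM. The sample headers and tokens are constructed, the function names are hypothetical, and the token check is a heuristic based on the NTLMSSP signature and the Kerberos mechanism OID.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"                            # NTLM message signature
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2

def offered_schemes(response_headers):
    """Return the schemes from WWW-Authenticate headers, in server order."""
    schemes = []
    for line in response_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0])
    return schemes

def classify_authorization(value):
    """Return (scheme, mechanism) for an Authorization header value."""
    scheme, _, b64 = value.strip().partition(" ")
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return scheme, "undecodable"
    # Check NTLMSSP first: it appears raw or wrapped in SPNEGO when the
    # client fell back to NTLM under the Negotiate scheme.
    pos = token.find(NTLMSSP)
    if pos >= 0 and len(token) >= pos + 12:
        (msg_type,) = struct.unpack_from("<I", token, pos + 8)
        return scheme, f"ntlm-type{msg_type}"
    # GSS-API tokens start with ASN.1 tag 0x60; Kerberos ones carry its OID.
    if token[:1] == b"\x60" and KRB5_OID in token:
        return scheme, "kerberos"
    return scheme, "unknown"

# Constructed samples: a 401 as IIS sends it with both providers enabled,
# a minimal NTLM type 1 message, and a stub (not a real ticket) carrying
# the Kerberos OID.
SAMPLE_401 = ("HTTP/1.1 401 Unauthorized\r\n"
              "WWW-Authenticate: Negotiate\r\n"
              "WWW-Authenticate: NTLM\r\n")
NTLM_T1 = base64.b64encode(NTLMSSP + struct.pack("<II", 1, 0xA2088207)).decode()
KRB_STUB = base64.b64encode(b"\x60\x82\x01\x00" + KRB5_OID + bytes(16)).decode()

if __name__ == "__main__":
    print("offered:", offered_schemes(SAMPLE_401))
    for header in ("Negotiate " + KRB_STUB, "Negotiate " + NTLM_T1, "NTLM " + NTLM_T1):
        print(header[:24] + "...", "->", classify_authorization(header))
```

Feed it the headers from a browser's network trace or a proxy capture of the failing request to see which mechanism the client actually attempted before the 401.1.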

So now it works, thanks to these links:


posted on Thursday, July 13, 2006 3:05:15 AM (W. Europe Standard Time, UTC+01:00)