|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
security error in IIS logs (401.2 error)I'm trying to deploy my VisualStudio2003 ASP.NET application on Windows Server 2003 w/ SP-1. When I navigate to my site (locally or from another network computer) in Internet Explorer I'm being prompting for a network username/password. I believe have configured the server properly in ISS, have the correct NTFS file permissions, etc. I would really like to know what sc-win32-status 2148074254 refers to (see my IIS log below). Anyone have any ideas? I know that the 401.2 error means "denied by server configuration" and often means a protocol issue between the browser and IIS. I'm not trying to do anything special here, just want to use plain vanilla Windows Authentication. I have anonymous access turned off for my site in IIS (my application requires this) but when I allow anonymous access the error goes away. I have attached my [truncated] IIS log below. Please let me know if you require any additional details about my environment. Any help that anyone can offer would be greatly apprecaited. I'm running out of ideas. Thanks in advance, Alexander ---SOF--- #Software: Microsoft Internet Information Services 6.0 #Version: 1.0 #Date: 2006-06-23 17:04:28 #Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status 2006-06-23 17:04:28 W3SVC331956636 10.34.43.11 GET /eProfitStartup.aspx - 80 - 10.34.43.11 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254 ---EOF--- After this request, do you see a succesful 200 OK request being logged? The
request line below looks like part of a NTLM authentication handshake. Cheers Ken Show quoteHide quote "Alexander Ferrugia" <Alexander Ferru***@discussions.microsoft.com> wrote in message news:9B020444-0083-4729-8FD0-EC88C6E53D45@microsoft.com... > Hi: > > I'm trying to deploy my VisualStudio2003 ASP.NET application on Windows > Server 2003 w/ SP-1. When I navigate to my site (locally or from another > network computer) in Internet Explorer I'm being prompting for a network > username/password. I believe have configured the server properly in ISS, > have the correct NTFS file permissions, etc. > > I would really like to know what sc-win32-status 2148074254 refers to (see > my IIS log below). Anyone have any ideas? I know that the 401.2 error > means > "denied by server configuration" and often means a protocol issue between > the > browser and IIS. I'm not trying to do anything special here, just want to > use plain vanilla Windows Authentication. I have anonymous access turned > off > for my site in IIS (my application requires this) but when I allow > anonymous > access the error goes away. > > I have attached my [truncated] IIS log below. Please let me know if you > require any additional details about my environment. Any help that anyone > can offer would be greatly apprecaited. I'm running out of ideas. > > Thanks in advance, > > Alexander > > ---SOF--- > > #Software: Microsoft Internet Information Services 6.0 > #Version: 1.0 > #Date: 2006-06-23 17:04:28 > #Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query > s-port > cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status > 2006-06-23 17:04:28 W3SVC331956636 10.34.43.11 GET /eProfitStartup.aspx - > 80 > - 10.34.43.11 > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) > 401 2 2148074254 > > ---EOF--- > Thanks for the response, Ken:
No, I do not get a 200 OK later in the log (posted in my original message). The first line that you see in the log is repeated over and over with the same error each time anyone attempts to access a page in my ASP.NET application. The only way I can get a 200 OK is if I manually enter in my username/password. It will keep prompting you over and over as you travel to new pages. I initially thought it was being blocked by a proxy on our network. The network guys don't think I should be going through the proxy. I read the following today (see URL) and don't know if it could be describing the culprit.... "Integrated Windows authentication is disabled by default if you install Windows Server 2003 Service Pack 1 (SP1) as part of a slipstream installation of a Windows Server 2003 operating system". I did find out that our build was a "slipstreamed" version of Win2K3 with SP-1, but I don't want to wipe the install, reinstall Win2K3, then install SP-1 over it, only to find out that this isn't going to fix the problem. http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true Cheers, Alexander Show quoteHide quote "Ken Schaefer" wrote: > After this request, do you see a succesful 200 OK request being logged? The > request line below looks like part of a NTLM authentication handshake. > > Cheers > Ken > > "Alexander Ferrugia" <Alexander Ferru***@discussions.microsoft.com> wrote in > message news:9B020444-0083-4729-8FD0-EC88C6E53D45@microsoft.com... > > Hi: > > > > I'm trying to deploy my VisualStudio2003 ASP.NET application on Windows > > Server 2003 w/ SP-1. When I navigate to my site (locally or from another > > network computer) in Internet Explorer I'm being prompting for a network > > username/password. I believe have configured the server properly in ISS, > > have the correct NTFS file permissions, etc. > > > > I would really like to know what sc-win32-status 2148074254 refers to (see > > my IIS log below). Anyone have any ideas? I know that the 401.2 error > > means > > "denied by server configuration" and often means a protocol issue between > > the > > browser and IIS. I'm not trying to do anything special here, just want to > > use plain vanilla Windows Authentication. I have anonymous access turned > > off > > for my site in IIS (my application requires this) but when I allow > > anonymous > > access the error goes away. > > > > I have attached my [truncated] IIS log below. Please let me know if you > > require any additional details about my environment. Any help that anyone > > can offer would be greatly apprecaited. I'm running out of ideas. > > > > Thanks in advance, > > > > Alexander > > > > ---SOF--- > > > > #Software: Microsoft Internet Information Services 6.0 > > #Version: 1.0 > > #Date: 2006-06-23 17:04:28 > > #Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query > > s-port > > cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status > > 2006-06-23 17:04:28 W3SVC331956636 10.34.43.11 GET /eProfitStartup.aspx - > > 80 > > - 10.34.43.11 > > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) > > 401 2 2148074254 > > > > ---EOF--- > > > > > Let me explain what I think is misunderstood from the URL. It is indicating
that we made anonymous-only websites the default... and NOT that Integrated Authentication is "broken" by default such that you have to do anything other than tick the check box to enable/use it. All we did was change the default of the checkbox from on to off, and you can tick it back on just as easily. Is KeepAlives allowed on your server. What are the Application Pool settings configured for that URL. -- Show quoteHide quote//David IIS http://blogs.msdn.com/David.Wang This posting is provided "AS IS" with no warranties, and confers no rights. // "Alexander Ferrugia" <AlexanderFerru***@discussions.microsoft.com> wrote in message news:98A1BB53-1656-4F46-9DE4-89472DEE7906@microsoft.com... > Thanks for the response, Ken: > > No, I do not get a 200 OK later in the log (posted in my original > message). > The first line that you see in the log is repeated over and over with the > same error each time anyone attempts to access a page in my ASP.NET > application. The only way I can get a 200 OK is if I manually enter in my > username/password. It will keep prompting you over and over as you travel > to > new pages. > > I initially thought it was being blocked by a proxy on our network. The > network guys don't think I should be going through the proxy. I read the > following today (see URL) and don't know if it could be describing the > culprit.... "Integrated Windows authentication is disabled by default if > you > install Windows Server 2003 Service Pack 1 (SP1) as part of a slipstream > installation of a Windows Server 2003 operating system". I did find out > that > our build was a "slipstreamed" version of Win2K3 with SP-1, but I don't > want > to wipe the install, reinstall Win2K3, then install SP-1 over it, only to > find out that this isn't going to fix the problem. > > http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true > > Cheers, > > Alexander > > > "Ken Schaefer" wrote: > >> After this request, do you see a succesful 200 OK request being logged? >> The >> request line below looks like part of a NTLM authentication handshake. >> >> Cheers >> Ken >> >> "Alexander Ferrugia" <Alexander Ferru***@discussions.microsoft.com> wrote >> in >> message news:9B020444-0083-4729-8FD0-EC88C6E53D45@microsoft.com... >> > Hi: >> > >> > I'm trying to deploy my VisualStudio2003 ASP.NET application on Windows >> > Server 2003 w/ SP-1. When I navigate to my site (locally or from >> > another >> > network computer) in Internet Explorer I'm being prompting for a >> > network >> > username/password. I believe have configured the server properly in >> > ISS, >> > have the correct NTFS file permissions, etc. >> > >> > I would really like to know what sc-win32-status 2148074254 refers to >> > (see >> > my IIS log below). Anyone have any ideas? I know that the 401.2 error >> > means >> > "denied by server configuration" and often means a protocol issue >> > between >> > the >> > browser and IIS. I'm not trying to do anything special here, just want >> > to >> > use plain vanilla Windows Authentication. I have anonymous access >> > turned >> > off >> > for my site in IIS (my application requires this) but when I allow >> > anonymous >> > access the error goes away. >> > >> > I have attached my [truncated] IIS log below. Please let me know if >> > you >> > require any additional details about my environment. Any help that >> > anyone >> > can offer would be greatly apprecaited. I'm running out of ideas. >> > >> > Thanks in advance, >> > >> > Alexander >> > >> > ---SOF--- >> > >> > #Software: Microsoft Internet Information Services 6.0 >> > #Version: 1.0 >> > #Date: 2006-06-23 17:04:28 >> > #Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query >> > s-port >> > cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status >> > 2006-06-23 17:04:28 W3SVC331956636 10.34.43.11 GET >> > /eProfitStartup.aspx - >> > 80 >> > - 10.34.43.11 >> > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) >> > 401 2 2148074254 >> > >> > ---EOF--- >> > >> >> >> "Alexander Ferrugia" <AlexanderFerru***@discussions.microsoft.com> wrote in So you do get a 200 OK if you type in your username/password? But when you message news:98A1BB53-1656-4F46-9DE4-89472DEE7906@microsoft.com... > Thanks for the response, Ken: > > No, I do not get a 200 OK later in the log (posted in my original > message). > The first line that you see in the log is repeated over and over with the > same error each time anyone attempts to access a page in my ASP.NET > application. The only way I can get a 200 OK is if I manually enter in my > username/password. It will keep prompting you over and over as you travel > to > new pages. attempt to load the next page, you get another 401, then you need to enter your username/password again and then you get a 200? Something like: 401 page1.aspx 200 page1.aspx 401 page2.aspx 200 page2.aspx Do you have HTTP keep-alives enabled for this web site/web application? > If there was an intervening proxy, you probably wouldn't be able to load the > I initially thought it was being blocked by a proxy on our network. pages at all. You'd just get 401s all the time. Cheers Ken The Show quoteHide quote > network guys don't think I should be going through the proxy. I read the > following today (see URL) and don't know if it could be describing the > culprit.... "Integrated Windows authentication is disabled by default if > you > install Windows Server 2003 Service Pack 1 (SP1) as part of a slipstream > installation of a Windows Server 2003 operating system". I did find out > that > our build was a "slipstreamed" version of Win2K3 with SP-1, but I don't > want > to wipe the install, reinstall Win2K3, then install SP-1 over it, only to > find out that this isn't going to fix the problem. > > http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true > > Cheers, > > Alexander > > > "Ken Schaefer" wrote: > >> After this request, do you see a succesful 200 OK request being logged? >> The >> request line below looks like part of a NTLM authentication handshake. >> >> Cheers >> Ken >> >> "Alexander Ferrugia" <Alexander Ferru***@discussions.microsoft.com> wrote >> in >> message news:9B020444-0083-4729-8FD0-EC88C6E53D45@microsoft.com... >> > Hi: >> > >> > I'm trying to deploy my VisualStudio2003 ASP.NET application on Windows >> > Server 2003 w/ SP-1. When I navigate to my site (locally or from >> > another >> > network computer) in Internet Explorer I'm being prompting for a >> > network >> > username/password. I believe have configured the server properly in >> > ISS, >> > have the correct NTFS file permissions, etc. >> > >> > I would really like to know what sc-win32-status 2148074254 refers to >> > (see >> > my IIS log below). Anyone have any ideas? I know that the 401.2 error >> > means >> > "denied by server configuration" and often means a protocol issue >> > between >> > the >> > browser and IIS. I'm not trying to do anything special here, just want >> > to >> > use plain vanilla Windows Authentication. I have anonymous access >> > turned >> > off >> > for my site in IIS (my application requires this) but when I allow >> > anonymous >> > access the error goes away. >> > >> > I have attached my [truncated] IIS log below. Please let me know if >> > you >> > require any additional details about my environment. Any help that >> > anyone >> > can offer would be greatly apprecaited. I'm running out of ideas. >> > >> > Thanks in advance, >> > >> > Alexander >> > >> > ---SOF--- >> > >> > #Software: Microsoft Internet Information Services 6.0 >> > #Version: 1.0 >> > #Date: 2006-06-23 17:04:28 >> > #Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query >> > s-port >> > cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status >> > 2006-06-23 17:04:28 W3SVC331956636 10.34.43.11 GET >> > /eProfitStartup.aspx - >> > 80 >> > - 10.34.43.11 >> > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) >> > 401 2 2148074254 >> > >> > ---EOF--- >> > >> >> >> Found the solution to my problem and thought I would share:
Short story: Had to make a DNS entry for the IP address of the site name that I was using to host my ASP.NET application. More detailed story: I noticed that everything worked when I added the IP address as a "trusted site" in Internet Explorer. Without having this address added as a trusted server it would prompt me. I noticed that when I pinged a computer name in a command window, it would show up as the fully qualified name (sitename.domain). Therefore IE or TCPIP is getting information back from the DNS lookup in some fashion and it knows that this site is a "trusted site" -- although IE or TCP does not know this information if I try to use the actual IP address (instead of the name). This may just have something to do with our network settings. It is interesting though because we have a large global network largely managed by Microsoft (from the software side), so I imagine other people have or will run into this problem in the future. For those people, I hope reading this post helps. Cheers, Alexander Show quoteHide quote "Alexander Ferrugia" wrote: > Hi: > > I'm trying to deploy my VisualStudio2003 ASP.NET application on Windows > Server 2003 w/ SP-1. When I navigate to my site (locally or from another > network computer) in Internet Explorer I'm being prompting for a network > username/password. I believe have configured the server properly in ISS, > have the correct NTFS file permissions, etc. > > I would really like to know what sc-win32-status 2148074254 refers to (see > my IIS log below). Anyone have any ideas? I know that the 401.2 error means > "denied by server configuration" and often means a protocol issue between the > browser and IIS. I'm not trying to do anything special here, just want to > use plain vanilla Windows Authentication. I have anonymous access turned off > for my site in IIS (my application requires this) but when I allow anonymous > access the error goes away. > > I have attached my [truncated] IIS log below. Please let me know if you > require any additional details about my environment. Any help that anyone > can offer would be greatly apprecaited. I'm running out of ideas. > > Thanks in advance, > > Alexander > > ---SOF--- > > #Software: Microsoft Internet Information Services 6.0 > #Version: 1.0 > #Date: 2006-06-23 17:04:28 > #Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port > cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status > 2006-06-23 17:04:28 W3SVC331956636 10.34.43.11 GET /eProfitStartup.aspx - 80 > - 10.34.43.11 > Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) > 401 2 2148074254 > > ---EOF--- > 
Other interesting topics
II6.0 ISAPI & MIME types
Keeping a particular intruder out New HTTPS web site and certificate installation file security/authentication Securing static files MS Incident Response Plan Stop HTTP Access Security Tab Missing On Specific File Extensions - 2003 Mirror ftp sites and user accounts in IIS Windows Server Hardeing |
|||||||||||||||||||||||
