Master Data Services: Unauthorized

I performed an installation of Master Data Services on a new SQL Server (Windows 2012 Standard with SQL Server 2014, Enterprise Edition). Initially I used a non-personal AD account during the installation (same for the DB and the web-application), but when then attempting to navigate to localhost/mds, I'd end up on an "unauthorized" page.

I uninstalled MDS, dropped the webapp and database, and reinstalled using my own credentials. No dice.

Searching revealed I needed to ensure that Windows Authentication was enabled for the server as well as the MDS application. I also disabled Anonymous authentication.

Server:

Server authentication

MDS app:

MDS authentication

I also ensured that NTLM was the first provider available, both on server and app level:

Providers

I even assigned my user permission to the path where the MDS app is running (C:\Program Files\Microsoft SQL Server\120\Master Data Services\WebApplication), as well as on the config.web file in that folder.

Obviously IIS has Windows Authentication installed:

enter image description here

I've kind of reached the end of knowing what to do. I'm no IIS expert, and the only error info is literally "Unauthorized". The IIS log is not very helpful either:

2015-07-06 14:19:33 ::1 GET /MDS/ - 80 - ::1 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 - 401 2 5 304
2015-07-06 14:19:33 ::1 GET /MDS/ - 80 <account_name> ::1 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 - 302 0 0 927
2015-07-06 14:19:33 ::1 GET /MDS/Unauthorized.aspx - 80 <account_name> ::1 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 - 200 0 0 10
2015-07-06 14:21:03 ::1 GET /MDS/ - 80 <account_name> ::1 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 - 302 0 0 173
2015-07-06 14:21:03 ::1 GET /MDS/Unauthorized.aspx - 80 <account_name> ::1 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 - 200 0 0 2

I also made sure every role and feature from this list has been configured and installed.

Is there any way for me to get my hands on more information somehow? "Access is denied" doesn't give me much to work with, and the IIS log is also not very helpful.

I'm not IIS expert, and am guessing that's where the issue actually is, I'd just not know where to look.

And info would be greatly appreciated.

Thanks!

Solution

As it turns out, MDS somehow appended a "$" after my AD username. So SchmitzIT somehow became SchmitzIT$.

We discovered that was the problem when digging into the mdm.tbluser table. The sid contained there is different from the SID in sys.syslogins.

If you want to verify the user is right, use the following code snippet:

SELECT 'S-1-5-21-' 
+CAST(CAST(CAST(REVERSE(CONVERT(binary(4),'0x'+sys.fn_varbintohexsubstring(0,sid,13,4),1)) as varbinary(4)) as bigint) as varchar(10)) 
+'-'+CAST(CAST(CAST(REVERSE(CONVERT(binary(4),'0x'+sys.fn_varbintohexsubstring(0,sid,17,4),1)) as varbinary(4)) as bigint) as varchar(10)) 
+'-'+CAST(CAST(CAST(REVERSE(CONVERT(binary(4),'0x'+sys.fn_varbintohexsubstring(0,sid,21,4),1)) as varbinary(4)) as bigint) as varchar(10)) 
+'-'+CAST(CAST(CAST(REVERSE(CONVERT(binary(4),'0x'+sys.fn_varbintohexsubstring(0,sid,25,4),1)) as varbinary(4)) as bigint) as varchar(10)) 
, *
FROM sys.syslogins

We then grabbed the proper value from sys.syslogins for my user account, and manually altered the mdm.tblUser table to reflect the proper sid and username.