iisasp-classic

IIS Domain Authentication works on all but the server hosting it


All domain users have access to the web application on the local network, except for the server that is hosting it for some reason. Here are some stats and the error details to get us started, but please ask any questions if there is data you need to know to help. Thanks in advance, and here is the info:

ERROR TYPE: HTTP Error 401.1 - Unauthorized You do not have permission to view this directory or page using the credentials that you supplied.

Logon Method Not yet determined Logon User Not yet determined

The oddest part of all of this, is the server is logged into an Adminstration level account so by default should have access, so the fact its blocking it is strange. The only other element I can think of is that I am using a remote desktop connection to get to the server, and I wonder if that is somehow masking the authentication credentials to the IIS or something along those lines?

Server is configured to do Windows Authentication (which should already be done or you wouldn't be into the computer yet, let alone the network)

It is set to use Negotitate and NTLM as a last resort. The working systems all seem to use Negotiate fine. The problem is the Server when you navigate to the page pops up Windows based login credentials check for the user, which .. it is already on the network, and part of the same domain .. so its very curious.

QUESTION - What am I over looking here where external systems on the local network can connect to a web resource, but the server hosting it can not?

(It was working fine without domain requirements before, we just wanted to start using it, and now all of it works, except for the system hosting it, which seems like a paradox of sorts, unless its something about KERBOS issues with Remote Desktop likely? )

CURRENT RESEARCH - https://superuser.com/questions/925459/why-is-windows-authentication-not-working-locally-but-working-remotely

TRIED ALREADY: Editing IIS Authentication 'Advanced settings' for Windows Authentication to disable Extended Protection and Kernel-mode authentication (it MUST be on for the others to connect so can not disable this)

Editing IIS Authentication 'Providers' to move NTLM above Negotiate. (no change)


Solution

  • Windows Authentication not working on local IIS 7.5. Error 401.1

    I solved it by adding a new Binding to my website with no specified host name and a different port (because localhost:80 is used for me). As soon as I tried calling it from http://localhost:86/mypage, it worked. After a quick check in the browser, I tested a few times with cURL and it correctly accepted and rejected my credentials.

    UPDATE - Just updating to mention why this question is useful and how you get this error. If you are logging into your own app from the server directly, versus logging into it from another computer, it will throw this error and you must use this alternate port to get it to work.