Je sais that there are thousands of reports of people having trouble getting Integrated Windows Authentication to work avec IIS, mais they tous seem to lead to web pages that ne apply ou solutions that J'ai déjà tried. J'ai deployed dozens of sites like this before, so soit il y a something bizarre going on avec le server/configuration, ou J'ai been looking at this too long et pas seeing le obvious.
Simply put, everything works perfectly on mon local machine, mais falls apart on le production server, qui as far as I can tell has le exact même configuration.
On le local machine:
The machine is running Windows 7 Ultimate, Service Pack 1, IIS 7.5.
The site has been tested successfully, using les deux IIS et le VS Web Development Server.
The IIS site config has tous authentication methods disabled except Windows Authentication.
The local machine is pas on tout domain.
The Providers set up are Negotiate et NTLM (not Negotiate:Kerberos).
Extended Protection is Off.
All browsers tested (IE, Firefox, Chrome) show le challenge prompt et allow me to log in to le localhost domain avec mon (local) Windows account.
All browsers tested aussi work using an opaque local IP address - so le browsers themselves ne seem to care si le site appears "local" ou "remote".
J'ai added a display line to le web page qui shows le currently-logged-in user et it shows exactly what I would expect (whichever local user I logged in with).
On le remote machine:
The server is running Windows Server 2008 R2, IIS 7.5.
Loading le web page results in an immediate 401.2 error: You are pas authorized to view this page due to invalid authentication headers. No challenge prompt ever appears.
The IIS site config has tous authentication methods disabled except Windows Authentication.
The remote machine is pas on tout domain.
The Providers set up are Negotiate et NTLM (not Negotiate:Kerberos).
Extended Protection is Off.
On le remote machine (remote desktop session), le même error appears in Internet Explorer regardless of si le domain is localhost ou le external IP address.
If I essayez de view le remote web site depuis mon local machine, le error is encore 401, mais a slightly différent 401. No subcode, avec le text: Access is denied due to invalid credentials.
The Windows Authentication IIS role feature is installed.
The WindowsAuthentication Module is added (at le Server level).
The exact même error occurs si I turn off Windows Authentication et enable Basic Authentication.
The site does load si I turn off Windows Authentication et enable Anonymous (obviously).
J'ai déjà followed tous of le troubleshooting steps on Microsoft Support: Troubleshooting HTTP 401 errors in IIS
J'ai déjà tried le workaround shown on another Microsoft support page (supposedly to force NTLM as le seulement method).
Last mais pas least, J'ai essayé turning on FREB for 401.2 errors et le results ne seem to tell me anything useful, tous Je vois is le suivant warning:
MODULE_SET_RESPONSE_ERROR_STATUS
ModuleName IIS Web Core
Notification 2
HttpStatus 401
HttpReason Unauthorized
HttpSubStatus 2
ErrorCode 2147942405
ConfigExceptionInfo
Notification AUTHENTICATE_REQUEST
ErrorCode Access is denied. (0x80070005)
...this seems to juste be telling me what I déjà know (that c'est simply rejecting le request à la place of negotiating le credentials).
The trace does indicate that le WindowsAuthentication module is correctly loaded parce que there is a NOTIFY_MODULE_START line avec ModuleName = WindowsAuthentication (and various autre ASP.NET follow-up events - [un]fortunately, no interesting errors ou warnings here).
Can anyone tell me what I might be missing here?
Quick Update:
Je suis a little uncomfortable sending a whole Wireshark dump as it would reveal IPs, URLs et autre stuff, mais I did a side-by-side comparison of le HTTP responses depuis localhost et le remote server in Fiddler, et it seems fairly self-evident what le problem is:
Localhost:
HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Sat, 17 Dec 2011 23:42:34 GMT
Content-Length: 6399
Proxy-Support: Session-Based-Authentication
Remote:
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sat, 17 Dec 2011 23:43:13 GMT
Content-Length: 1293
Aside depuis a peu de seemingly-inconsequential differences like cache-control, le main difference is that the remote server is pas sending le WWW-Authenticate headers back to le client.
So, I guess that narrows le question down to: Why is IIS pas sending WWW-Authenticate headers quand Windows Authentication appears to be installed, loaded, et exclusively enabled?
