Windows Server 2008 R2, IIS 7.5, implementing Windows Authentication on the default site & several dozen classic ASP & ASP.NET applications on a local intranet site. Any user who accesses the site will already be an authenticated user on the domain. The server variable AUTH_USER will be used to query a SQL table for the apps the user can access.
Server level settings (Authentication):
Site settings (Authentication):
Application Pools
Desired behavior - user opens website, is not prompted for username & password and is automatically authenticated & shown a menu appropriate for their ID. Hyperlinks to other apps on same IIS instance are displayed. User clicks hyperlink & is taken to the app, all without being prompted for Windows username & password.
What happens - when the IIS server is rebooted, the first time a user accesses the site, they are prompted for a Windows username & password. If the info is entered (or the cancel button is clicked) the menu displays anyway. Subsequent apps will also prompt for a username & password the first time they are accessed after a reboot, and if the user clicks cancel (or enters login info) they are taken to that application. On subsequent accesses of the same sites, the user is not prompted again. However, when the server is rebooted, users are prompted as described above.
In the W3SVC log file, the first result is a 401.1 -2146893042, the second result is a 401.2.5.
I'm sure there is bound to be an IIS configuration setting, permission, cache, etc. or some other tweak that is being overlooked. When the site is accessed (IE 11), the AUTH_USER is correct, and the list of applications for the user is also correct.
Why is it prompting for a username & password, and only doing so once the web server is rebooted? And why does clicking the CANCEL button at the prompt also display the menu?
When we face a similar issue, we can review the status.sub-status code and the win32-status. The error message -2146893042 shows that the IIS server didn't receive any user credentials. I faced this issue before. It could happen when NTLM has higher priority than Kerberos.
To fix this issue, please set the Negotiate provider first.
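An added triage helper, not part of the question or the answer above: it scans W3C log lines for 401 entries whose sc-win32-status is -2146893042 (HRESULT 0x8009030E, SEC_E_NO_CREDENTIALS) and checks whether Negotiate is listed before NTLM in a windowsAuthentication providers fragment, which is the ordering the answer recommends. The log excerpt, IP addresses and config fragments are constructed sample data.

```python
import xml.etree.ElementTree as ET

# sc-win32-status is logged as a signed decimal; -2146893042 is HRESULT 0x8009030E (SEC_E_NO_CREDENTIALS)
SEC_E_NO_CREDENTIALS = 0x8009030E

def win32_status_to_hresult(status: str) -> int:
    """Reinterpret the signed decimal win32-status from a W3C log as an unsigned HRESULT."""
    return int(status) & 0xFFFFFFFF

def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_no_credential_401s(lines):
    """Return (client ip, uri, status, substatus) for 401 rows where the server saw no credentials."""
    return [
        (r["c-ip"], r["cs-uri-stem"], int(r["sc-status"]), int(r["sc-substatus"]))
        for r in parse_w3c(lines)
        if r.get("sc-status") == "401"
        and win32_status_to_hresult(r["sc-win32-status"]) == SEC_E_NO_CREDENTIALS
    ]

def negotiate_first(config_xml: str) -> bool:
    """True when Negotiate precedes NTLM in a <windowsAuthentication> fragment (applicationHost.config schema)."""
    order = [a.get("value") for a in ET.fromstring(config_xml).findall("providers/add")]
    return "Negotiate" in order and ("NTLM" not in order or order.index("Negotiate") < order.index("NTLM"))

# Constructed log excerpt mirroring the two entries the question mentions (401.1 then 401.2).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2014-05-01 08:00:01 10.0.0.5 GET /default.asp - 10.0.0.21 401 1 -2146893042
2014-05-01 08:00:01 10.0.0.5 GET /default.asp - 10.0.0.21 401 2 5
2014-05-01 08:00:02 10.0.0.5 GET /default.asp CORP\\jdoe 10.0.0.21 200 0 0
"""

# NTLM listed first (the ordering the answer identifies as the cause) versus Negotiate first (the fix).
WEAK_CONFIG = """<windowsAuthentication enabled="true">
  <providers><add value="NTLM" /><add value="Negotiate" /></providers>
</windowsAuthentication>"""
FIXED_CONFIG = """<windowsAuthentication enabled="true">
  <providers><add value="Negotiate" /><add value="NTLM" /></providers>
</windowsAuthentication>"""
```

Run `find_no_credential_401s(SAMPLE_LOG.splitlines())` against a real log to list the clients and URIs that hit the no-credentials 401, and `negotiate_first(...)` against the relevant fragment of applicationHost.config to confirm the provider order after the change.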