When you configure and use Windows Integrated Authentication in Geneva Server Beta 2, you may not be prompted for credentials and instead receive an error message:

  • When connecting from another computer, you may see the following error message: 
    Access is denied due to invalid credentials
  • And when you connect from the same server, the more detailed error is displayed:
    HTTP Error 401.2 - Unauthorized You are not authorized to view this page due to invalid authentication headers

The error messages indicate that Windows Authentication is disabled, but when you check the IIS configuration, it appears to be enabled.

So, where is the error?

In IIS 7, the overall configuration file is stored in C:\Windows\System32\inetsrv\config\applicationHost.config. The file contains some settings that apply to the whole server, some that apply to each site, and some that apply to a specific path. If you scroll down the file to the "FederationPassive" location configuration, you’ll see that Windows Authentication is disabled. That is OK, except that the same section also removes the authentication providers, so no child location can use Windows Authentication without them!


Solution

Open applicationHost.config in a text editor. Find the <location> tag related to Windows Integrated Authentication and modify it to match the configuration section below.

Configuration section

Below you’ll find the complete configuration section that you can copy and paste into your applicationHost.config file.

<location path="Default Web Site/FederationPassive/auth/integrated" >
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="false" />
                <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
                    <providers>
                        <add value="Negotiate" />
                        <add value="NTLM" />
                    </providers>
                </windowsAuthentication>
            </authentication>
        </security>
        <handlers accessPolicy="Read, Script" />
    </system.webServer>
</location>

When you save the file, IIS will automatically reload the configuration, so you don’t need to restart any service.
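
To check a copy of applicationHost.config for this condition before and after the edit, the following added example (not part of the original post and not Geneva Server code) resolves the inherited Windows Authentication providers for each location path and lists the paths where it is enabled with no provider left. The sample XML is constructed, and it assumes the parent location strips the providers with <clear />; overrides in web.config files are not considered.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Assumption: the parent location strips providers with <clear />.
SAMPLE = """
<configuration>
  <system.webServer><security><authentication><windowsAuthentication enabled="false">
    <providers><add value="Negotiate" /><add value="NTLM" /></providers>
  </windowsAuthentication></authentication></security></system.webServer>
  <location path="Default Web Site/FederationPassive">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="false"><providers><clear /></providers></windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/FederationPassive/auth/integrated">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
"""
WA = "system.webServer/security/authentication/windowsAuthentication"

def effective_windows_auth(xml_text):
    """Return {path: (enabled, providers)}, each path inheriting from its nearest parent."""
    root = ET.fromstring(xml_text)
    scopes = [("", root)] + [(loc.get("path", ""), loc) for loc in root.findall("location")]
    scopes.sort(key=lambda s: len(s[0]))  # shorter (parent) paths are resolved first
    result = {}
    for path, node in scopes:
        parents = [p for p in result if p == "" or (path + "/").lower().startswith(p.lower() + "/")]
        enabled, providers = result[max(parents, key=len)] if parents else (False, [])
        wa = node.find(WA)
        if wa is not None:
            enabled = wa.get("enabled", str(enabled)).lower() == "true"
            for item in wa.findall("providers/*"):
                if item.tag == "clear":
                    providers = []
                elif item.tag == "remove":
                    providers = [p for p in providers if p != item.get("value")]
                elif item.tag == "add" and item.get("value") not in providers:
                    providers = providers + [item.get("value")]
        result[path] = (enabled, providers)
    return result

def broken_locations(xml_text):
    """Paths where Windows Authentication is enabled but no provider is left to offer."""
    return [p for p, (on, prov) in effective_windows_auth(xml_text).items() if on and not prov]

if __name__ == "__main__":
    print(broken_locations(SAMPLE))
```

To run it against a real server, pass the text of a copy of applicationHost.config to broken_locations(); an empty list means every location that enables Windows Authentication still has at least one provider.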

Hope this helps!

One Response to “Geneva Server Beta 2: Troubleshooting Windows Integrated Authentication”

  1. S Chugh Says:

    Thanks a lot for this… we have been spending hours together why it was giving this 401 error…
