When you try to configure and use Windows Integrated Authentication in Geneva Server Beta 2, it may not prompt for credentials; instead you receive an error message:

  • When connecting from another computer, you may see the following error message: 
    Access is denied due to invalid credentials
  • And when you connect from the same server, the more detailed error is displayed:
    HTTP Error 401.2 - Unauthorized You are not authorized to view this page due to invalid authentication headers

The error messages indicate that Windows Authentication is disabled, but when you check the IIS configuration, it appears to be enabled.

So, where is the error?

In IIS 7 the overall configuration file is stored in C:\Windows\System32\inetsrv\config\applicationHost.config. The file contains some configurations that apply to the whole server, some configurations that apply to each site, and some that apply to a specific path. If you scroll down the file until you see the "FederationPassive" location configuration, you’ll see that Windows Authentication is disabled. That is OK except that it is also removing the authentication providers, so no child location can use Windows Authentication without them!

Solution

Open applicationHost.config in a text editor. Find the <location> tag related to Windows Integrated Authentication and modify it to match the configuration section below.

Configuration section

Below you’ll find the complete configuration section that you can copy and paste into your applicationHost.config file.

<location path="Default Web Site/FederationPassive/auth/integrated" >
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="false" />
                <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
                    <providers>
                        <add value="Negotiate" />
                        <add value="NTLM" />
                    </providers>
                </windowsAuthentication>
            </authentication>
        </security>
        <handlers accessPolicy="Read, Script" />
    </system.webServer>
</location>

When you save the file, IIS will automatically reload the configuration, so you don’t need to restart any service.
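To check for this condition without reading the file by eye, the following added example (not part of the original post or of Geneva Server) computes the effective Windows Authentication settings for each <location> path and lists those where it is enabled but no provider is left. It is a simplified model of IIS inheritance that reads only applicationHost.config; the sample XML is constructed, and the `<clear />` in the parent location is an assumption about how the providers are removed.

```python
import xml.etree.ElementTree as ET
# Constructed sample, not the real file. The <clear /> in the parent location is an
# assumption about how the providers are removed (the page shows it only as an image).
BROKEN = """<configuration>
 <system.webServer><security><authentication>
  <windowsAuthentication enabled="false"><providers>
   <add value="Negotiate" /><add value="NTLM" /></providers></windowsAuthentication>
 </authentication></security></system.webServer>
 <location path="Default Web Site/FederationPassive">
  <system.webServer><security><authentication>
   <windowsAuthentication enabled="false"><providers><clear /></providers>
   </windowsAuthentication></authentication></security></system.webServer>
 </location>
 <location path="Default Web Site/FederationPassive/auth/integrated">
  <system.webServer><security><authentication><windowsAuthentication enabled="true" />
  </authentication></security></system.webServer>
 </location>
</configuration>"""
# Same file once the child location re-adds the providers, as in the fix above.
FIXED = BROKEN.replace('enabled="true" />', 'enabled="true"><providers>'
    '<add value="Negotiate" /><add value="NTLM" /></providers></windowsAuthentication>')
WA = "system.webServer/security/authentication/windowsAuthentication"

def effective_windows_auth(config_xml, target):
    """Return (enabled, providers) for target after merging its ancestor scopes."""
    root = ET.fromstring(config_xml)
    scopes = [("", root)] + [(l.get("path", ""), l) for l in root.findall("location")]
    # Keep the server level plus locations that are the target or an ancestor of it.
    applies = [s for s in scopes if not s[0]
               or (target + "/").lower().startswith(s[0].lower() + "/")]
    enabled, providers = False, []
    for _, scope in sorted(applies, key=lambda s: len(s[0])):  # outermost first
        wa = scope.find(WA)
        if wa is None:
            continue
        enabled = wa.get("enabled", str(enabled)).lower() == "true"
        for op in wa.findall("providers/*"):
            if op.tag == "clear":
                providers = []
            elif op.tag == "remove":
                providers = [p for p in providers if p != op.get("value")]
            elif op.tag == "add" and op.get("value") not in providers:
                providers.append(op.get("value"))
    return enabled, providers

def broken_locations(config_xml):
    """Location paths where Windows Authentication is on but no provider is left."""
    paths = [l.get("path", "") for l in ET.fromstring(config_xml).findall("location")]
    return [p for p in paths if effective_windows_auth(config_xml, p) == (True, [])]
```

Run `broken_locations` on the contents of a copy of applicationHost.config; an empty list means every location with Windows Authentication enabled still has at least one provider.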

Hope this helps!

Hi Folks!

This is a project I was involved in, helping DPE, so I'm proud to announce that it was just released to the public.

This Developer Training Kit is composed of 7 labs:

  • Introduction to Windows Communication Foundation 
  • Integrating CardSpace into Web Sites 
  • Introduction to Windows Workflow Foundation 
  • Using Windows Eventing 
  • Extending Windows PowerShell and the Microsoft Management Console 
  • Extending IIS 7.0 with Custom Handlers 
  • Using Transactional NTFS (TxF)

For more information, please read James' original post: http://blogs.msdn.com/jamescon/archive/2007/07/17/just-released-windows-server-2008-developer-training-kit-beta-3.aspx

The download is available at: http://www.microsoft.com/downloads/details.aspx?FamilyId=B36EE81A-AFF5-4314-95D7-DAD3ACFA8094&displaylang=en

Cheers!

Gabriel