
My web server randomly asks for a password as though basic authentication is turned on. It's an IIS 7 web server and you have to specifically install basic authentication in the roles section. It isn't installed.

The message that pops up is "Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection)"

I cannot reproduce the problem but a number of customers have reported the problem and it only seems to appear to a small number of customers.

It pops up when they visit the homepage; nothing is generated by the IIS logs to indicate a password box is being served (e.g. no 401 errors etc.).

Can anyone offer any advice?

Thanks

1 Answer


Try using processmon (www.sysinternals.com) to capture the issue and find out where the access denied is coming from. If you add a filter for the PID of your site's app pool you won't have too many events.

Type iisapp from the command prompt to see the app pool to PID mapping.

After you get a capture, search for the word 'denied'. It's likely that you'll find out what is causing this.

Scott Forsyth
  • Good idea Scott, only I can't seem to reproduce the problem, which is making it difficult to examine! I will try your suggestion if I can reproduce the issue - thanks –  Mar 16 '10 at 13:54
  • Hi Scott, I tried your suggestion in a controlled environment and it helpfully shows up a 401.2 error which is also shown in the IIS logs. The odd thing is that in the "live" error it simply doesn't stamp any 401 errors in the log. It's like my servers aren't serving this prompt up! –  Mar 16 '10 at 16:39
  • Hi Paul. That can make it more difficult. Any chance that another IIS site catches some requests, or that you have a load balancer in front that might be coming into play? processmon may still be able to catch access denied errors as long as the requests are actually getting to the server. – Scott Forsyth Mar 16 '10 at 18:27
  • Hi Scott, yes, we have a small load balancing setup. I have a method of eliminating it by using the server's browser - this uses the NLB address locally. Unfortunately the ProcessMonitor app killed my server after I left it running - ouch. It's such a random problem; when it happens it seems to happen to a few customers at a time. What is most confusing is the fact I'm not seeing any 401 errors anywhere. –  Mar 17 '10 at 11:10
  • Are you saying that you can repro it locally on the nodes? If you do, does it log it in that situation? I would still be suspect of something with NLB or the servers rather than IIS. Check Event Viewer too, for any further hints. Bummer on procmon killing the server. It can generate a lot of data waiting for a repro. There is a setting to limit how many it keeps at a time, also the more narrow the filter, the longer it can run. For example, at the very least, filter by PID, but you may have to filter by the word 'denied'. It won't show the info around it, but it will show what is denied. – Scott Forsyth Mar 17 '10 at 13:59
  • Yeah, it's a strange one. I had procmon filtering so it was hardly generating anything. It was using up the pagefile then releasing it OK, but it ran out of memory like it was a leaky app. No, I can't reproduce the fault at all, not even once. I can test each server individually by using the browser on the server; this makes it possible to rule out NLB creating the intermittency. In all honesty it looks like it's not my servers serving up the box, I just can't reproduce it! –  Mar 17 '10 at 15:21
  • In procmon there is a setting under the Filter menu called "Dropped Filtered Events". If you set that, it should address the memory issue. You don't happen to have any dependencies on the page that could be causing that? For example references to another web service or images that you don't host? That would do it if any of them failed at times, and it wouldn't log anything on your web servers. – Scott Forsyth Mar 17 '10 at 18:00
  • Ah right, perhaps I needed to drop those events. Well, there are other locations that serve up the content: I have www.example.com and media.example.com as well as mybanner.provider.com and liverperson.com. The auth box title is for media.example.com, which we host. Any more ideas? I appreciate the suggestions. –  Mar 18 '10 at 14:38
  • Sounds like it's the media site then. The best thing you can do right now is to find a way to consistently reproduce this. Sometimes that's 90% of the battle. See if you can trace the reports of issues to any clues in the IIS logs or Event Viewer. Re-read the emails from the users that reported the issue to see if there are any other clues. Also, having procmon running in parallel may help catch the issue too. Another way to find access denied errors is to turn on Object Auditing->Failures from local security policy, and then for all your drives on disk using NTFS turn on failure auditing. – Scott Forsyth Mar 18 '10 at 19:34
  • Yep, I agree there, it does appear to be the media site... but I have auditing turned on and there is nothing relevant in the IIS logs such as 401 errors. It's almost as if the media site is being served up from somewhere else for a limited number of users, but it's not intentional! –  Mar 19 '10 at 10:31
  • It does seem that it's served up from somewhere else. Almost like a proxy server or caching server takes the request. – Scott Forsyth Mar 19 '10 at 15:10
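
One way to check every site's IIS logs for the 401s discussed in this thread, as an added example that is not part of the original posts: it reads each `#Fields:` header of a W3C extended log to locate `sc-status`, `sc-substatus` and `cs-host`, then counts authentication challenges per host and URL. The log lines are constructed, and the script assumes `cs-host` is enabled in the site's logging fields.

```python
from collections import Counter

# Constructed sample in IIS W3C extended log format (not data from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem c-ip cs-host sc-status sc-substatus sc-win32-status
2010-03-16 16:30:01 GET /default.aspx 192.0.2.10 www.example.com 200 0 0
2010-03-16 16:30:02 GET /img/logo.png 192.0.2.10 media.example.com 401 2 5
2010-03-16 16:30:03 GET /img/logo.png 192.0.2.11 media.example.com 200 0 0
2010-03-16 16:30:04 GET /img/banner.png 192.0.2.12 media.example.com 401 2 5
2010-03-16 16:30:05 GET /img/trunc
#Fields: date time cs-uri-stem sc-status sc-substatus
2010-03-16 16:31:00 /admin/ 401 1
"""


def auth_challenges(lines):
    """Count 401 responses keyed by (cs-host, 'status.substatus', cs-uri-stem)."""
    fields, hits = [], Counter()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # The column layout can change mid-file, so re-read every #Fields line.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        if row.get("sc-status") != "401":
            continue
        host = row.get("cs-host", "-")  # "-" when the host column is not logged
        code = "401." + row.get("sc-substatus", "?")
        hits[(host, code, row.get("cs-uri-stem", "-"))] += 1
    return hits


def challenges_for_host(hits, host):
    """Total 401s logged for one host name, e.g. the one shown in the prompt."""
    return sum(n for (h, _, _), n in hits.items() if h.lower() == host.lower())


if __name__ == "__main__":
    found = auth_challenges(SAMPLE_LOG.splitlines())
    for key, count in sorted(found.items()):
        print(count, *key)
    print("media.example.com:", challenges_for_host(found, "media.example.com"))
```

A count of zero for the host named in the prompt, across the logs of every node, means these servers did not log issuing that challenge.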