IIS7 binding to subdomain causing authentication errors (TFS 2010)

Question

I'm trying to bind a IIS web site (Team Foundation Services 2010) to a subdomain, which is causing authentication errors. First I'll explain what I've done to set it up. This is the fist time I do this, so please correct me if I'm wrong.

The web server is a stand-alone Windows Server 2008 R2 x64, running IIS7 with .NET Framework 4.

I have the following A-records, pointing to my server:

server.mydomain.com
*.server.mydomain.com

So all subdomains of server.mydomain.com points to the server. In IIS7 I have a web site (TFS 2010) on port 8080, with a virtual directory (named tfs) that is using Windows Authentication.

I have one binding on the web site pointing to all unassigned IP addresses, port 8080 and having a host name of tfs.server.mydomain.com.

Now, shouldn't I be able to access the virtual directory through:

http://tfs.server.mydomain.com/tfs

That is not working. However, I can access it through:

http://tfs.server.mydomain.com:8080/tfs

But, it won't let me authenticate using a Windows account (Server\Username). A windows account that I can authenticate with, when accessing the site through http://localhost:8080/tfs.

What am I missing here?

score 3 · Accepted Answer · answered Apr 21 '10 at 19:13

3

Try Method 2 specified here http://support.microsoft.com/kb/896861. Do not try method 1 on a production machine.

answered Apr 21 '10 at 19:13

Gabriel Lozano-Moran

46
2

1

This is the answer for me. It fixed external and internal addresses. – Rick Ratayczak Apr 21 '10 at 19:47
Thank you very much. Method two in the link above, fixed the problem. – Tommy Jakobsen Apr 23 '10 at 07:24

score 0 · Answer 2 · answered Apr 20 '10 at 18:42

0

I'm not sure if this was a typo or not, but as you don't seem to have your site listening on port 80, http://tfs.server.mydomain.com(:80)/tfs will not work.

Regarding authentication - any chance that this box is also a domain controller?

answered Apr 20 '10 at 18:42

JohnW

501
3
8

Okay, so I need the :8080. I was hoping to omit that. But I still have the authentication problem. No, the server is not a DC. It's a stand-alone server, and not even in a domain. – Tommy Jakobsen Apr 20 '10 at 18:55
I would recommend that you enable auditing of logon failures and check the security event log. 1)start - run - secpol.msc 2)local policies\audit policy 3)audit logon events - success, failure 4)Open an admin cmd prmpot, type gpupdate /force 5) try again (you will fail), run eventvwr, navigate to the security event log, and look at the failures. – JohnW Apr 20 '10 at 19:37
I will try that later today. But what I've noticed is that I can authenticate when accessing http://tfs.server.mydomain.com:8080/tfs from remote (over the internet). Only when accessing the url from the server, it won't let me authenticate. – Tommy Jakobsen Apr 21 '10 at 13:16
See the Method 2 above, it worked for me Tommy. – Rick Ratayczak Apr 21 '10 at 19:47

IIS7 binding to subdomain causing authentication errors (TFS 2010)

2 Answers2