Assuming IIS 7.x, you can go to Server Manager -> IIS Role -> Add Role Services, and install the Tracing feature.
This adds a Failed Request Tracing module.
At the Site level, you need to use the Actions pane to Enable Failed Request Tracing and configure the number of logs to keep, and then you can configure a Failed Request Tracing Rule to capture what you're interested in.
401s are going to happen any time HTTP auth is used, so it might be hard to capture a "bad" one if it doesn't happen consistently - you can trace based on the page and status code if it's consistent.
401.2 with substatus 5 might just be an incomplete authentication dance; certainly fits with an unsuccessful authentication attempt.
Also check out the Security event log for failed logon attempts - that might be a better bet at understanding what's happening.
And if a domain is involved, don't forget to look at the System and App logs for events that might reveal a problem talking to the DC.
Finally, there was a hotfix for sites using AppPoolIdentity to prevent them stopping working when the computer account password changes (see this).
For older IISs, there was a Resource Kit tool called AuthDiag which might be useful.
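
Added example, not part of the original answer: since a normal HTTP auth handshake also logs 401s, this script reads an IIS W3C log and reports only the 401s that were never followed by a non-401 response for the same client and URI. The sample log lines, the function name and the 30-second window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in IIS W3C extended log format (not from the original post).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2024-01-10 09:00:01 GET /app/default.aspx - 10.0.0.21 401 2 5
2024-01-10 09:00:01 GET /app/default.aspx - 10.0.0.21 401 1 2148074254
2024-01-10 09:00:02 GET /app/default.aspx CONTOSO\\alice 10.0.0.21 200 0 0
2024-01-10 09:05:10 GET /app/default.aspx - 10.0.0.37 401 2 5
2024-01-10 09:05:11 GET /app/default.aspx - 10.0.0.37 401 1 2148074254
2024-01-10 09:05:12 GET /app/default.aspx - 10.0.0.37 401 1 1326
"""

def unresolved_401s(log_text, window_s=30):
    """Return {(c-ip, uri): [(timestamp, substatus, win32), ...]} for 401s that
    were not followed, within window_s seconds, by a non-401 response to the
    same client and URI (i.e. the authentication exchange never completed)."""
    fields = []
    pending = defaultdict(list)     # 401s still waiting for a completing response
    unresolved = defaultdict(list)  # 401s that timed out or were never completed
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order comes from the log itself
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        key = (row["c-ip"], row["cs-uri-stem"])
        # Challenges older than the window are no longer part of this exchange.
        stale = [p for p in pending[key] if (ts - p[0]).total_seconds() > window_s]
        unresolved[key] += stale
        pending[key] = [p for p in pending[key] if p not in stale]
        if row["sc-status"] == "401":
            pending[key].append((ts, row["sc-substatus"], row["sc-win32-status"]))
        else:
            pending[key].clear()  # non-401: the request got past authentication
    for key, items in pending.items():
        unresolved[key] += items
    return {k: v for k, v in unresolved.items() if v}

if __name__ == "__main__":
    for (ip, uri), hits in unresolved_401s(SAMPLE_LOG).items():
        for ts, sub, win32 in hits:
            print(f"{ts} {ip} {uri} 401.{sub} win32={win32}")
```

The clients and URIs it reports are candidates for a Failed Request Tracing rule and for matching against failed logon events in the Security log at the same timestamps.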