2

I would appreciate any hints regarding the following issue:

The problem summary:

While using Negotiate:Kerberos in IIS 7.5, the authorization works correctly right until we setup URL rewriting (using the MS module "URL Rewrite 2.0") - any rewritten URL then returns "401.1 Unathorized" (requests not matching any rewrite rule keep working though).

The setup:

  • Windows Server 2008 R2 x64
  • IIS 7.5

  • URL Rewrite 2.0

  • Server is in a domain

  • SPN exists for HOST/hostname and HOST/hostname.domain (created by default)
  • Pool is using default ApplicationPoolIdentity (no custom account, not network service)
  • Kernel mode set to OFF

  • Authentication providers set to "Negotiate:Kerberos" only (no NTLM or annonymous)

  • URL Rewrite rule as as "^(.*)/$" => "index?x={R1}"

The result:

1) When accessing any URL not matching any URL rewrite pattern, Kerberos is working correctly, i.e. Kerberos ticket is issued (verified using klist), sent (verified using netmon and HTTP headers) and accepted (verified by URL being accessible and appropriate AUTH_USER property set to my domain account name) => no problem here.

2) When accessing any URL matching URL rewrite pattern, e.g. "hostname/foo" the result is:

HTTP Error 401.1 - Unauthorized
You do not have permission to view this directory or page using the credentials that you supplied.
Module  WindowsAuthenticationModule
Notification    AuthenticateRequest
Error Code  0x80070055
Requested URL   http://hostname/index?x=foo
Physical Path   D:\wwwroot\
Logon Method    Not yet determined
Logon User  Not yet determined

(if we try to access the rewritten URL directly, e.g. hostname/index?x=foo, Kerberos works again normally)

The attempts to solve it so far:

After googling, we have tried several options:

  • turning kernel mode ON: Kerberos stopped working completely, using either default pool identity or network service (I suppose we would need to setup additional HTTP SPN and/or use custom domain account with additional SPN for that account explicitly)
  • turning "useAppPoolCredentials" ON: no difference
  • enabling "Failing Request Tracing": surprisingly these failing 401.1 requests ARE NOT generating any output into the fail logs no matter what rule we try to setup (e.g. 400-999) - the folder is just empty (while other errors, like 404 or even handshake 401.x when accessing not-rewritten URLs are generating logs - very strange)

The conclusion:

So far we have reached a dead end - it may be some weird kind of "double hop" issue requiring using a custom domain account rather than default app pool identity, but as we're in fact accessing the same resources, it seems more like a URL Rewrite issue.

Any tips, hints, pointers? Anything would be highly appreciated.

Best regards, Marek

Marek Dusek
  • 75
  • 3
  • 8
  • Hey Marek, any solution here? we face the same problem here – iPirat Sep 30 '14 at 08:28
  • Hello, in fact we did solve the issue by abandoning Microsoft's URL Rewrite module in favor of Helicon ISAPI Rewrite filter (http://www.isapirewrite.com/) - works flawlessly, so I assume its really a bug in the module, not our configuration. – Marek Dusek Oct 01 '14 at 09:39
  • Thanks for the hint. unfortunately, we cant use the other filter. We opened up a support ticket at Mcirosoft. I was able to trace down the actual issue by enabling the extended error logging feature: when using the MS URL Rewrite filter, the rewritten subrequest checks (presumably hardcoded) the request for Basic and NTLM authentication information (neither of which is configured) and ignores kerberos... – iPirat Oct 17 '14 at 12:24

2 Answers2

1

we face the same issues as you do. By enabling extended error logging, we were able to put the finger on the actual problem, which seems to be a bug in the rewrite module (or at least in some part of IIS, which is related to the module):

  • When the URL gets rewritten, the access to the new rewritten URL is checked (seemingly hardcoded) using Basic Authentication and NTLM, neither of which has been configured on the Website at hand. The only configured authentication provider is Kerberos. Since the client doesnt send NTLM nor Basic credentials, there is no way this can work.

We (another person on the current project) are sending the issue to Microsoft. I will let you know, when I get any result.

iPirat
  • 2,197
  • 1
  • 17
  • 30
0

It seems as though you have multiple issues here.

Failed-Request Tracing Logs

To fix your missing logs issue, you must make sure that the user that is running your site's AppllicationPool has read/modify rights to the folder where those logs are generated, otherwise you won't see anything. See the section labeled "Enable Failed-Request Tracing" on this page: Troubleshoot Failed Requests Using Tracing in IIS 7

What isn't clear is the fact that the site's Application Pool Identity (found in Advanced Settings for Application Pool) is the account that needs read/modify rights to that folder.

Once that is fixed you can load the XML logs in IE and see a much clearer picture of what is going on.

401.1 - Unauthorized Issue

A possible fix to your 401 error is to make sure unlisted file name extensions are allowed in Request Filtering. Go to IIS --> Sites --> [your site] --> Request Filtering

You have two options here:

  1. Allow File Name Extension... and add the value "." (minus the quotes), see this answer.
  2. Edit Feature Settings... and enabled the option "Allow unlisted file name extensions"

The 1st option should work well, the 2nd option obviously opens up a gaping hole but allows everything so you should be able to get it working.

I hope that helps.

Community
  • 1
  • 1
cganickel
  • 76
  • 6
  • Hello, sorry I missed this comment months ago. Firstly, my description was kinda misleading as we are in fact using a slightly different URL (index.php), so no need for extensionsless filter. Anyways, as stated in my OP comment, everything (= authentitacion itself and even the logging) started working as soon as we ditched the MS module and started using Helicon Isapi rewrite, without any change to the rest of the settings - therefore I can only assume the module is bugged and/or requires additional (unknown) configuration when using Kerberos (probably not a typical use-case). – Marek Dusek Oct 01 '14 at 09:44
  • @MarekDusek Thanks for the follow-up, glad you were able to find a solution. The use of URL rewrite is definitely not as easy as MS would like it to be. Currently it works for us but we've had many headaches, though they are less than the headaches we've had with the Apache URL Rewrite filter. I will look at the Helicon and keep it in mind for future use. – cganickel Oct 02 '14 at 17:08
  • I know there is little chance, after all this time, but do you @cganickel happen to still know what was necessary to get URL Rewrite Module running with Kerberos? I still have the same issue today as MarekDusek (OP). – Toastgeraet Nov 09 '22 at 07:32