0

I hosted few applications in IIS (Version:10) with Kerberos authentication. And all web applications are configured under a single web site.

Only windows authentication is enabled.

What I observed is I get 401 followed by 200 for every request. And the expectation is 401 for the first call, then 200 for all subsequent calls from same client to same api since its already authenticated.

I tried applying authPersistSingleRequest="false" for windows authentication. Note: This was done after referring to 3 requests for every resource (2 x 401.2 and 1 x 200) in a windows authenticated asp.net mvc app

Then I can see that one api (web application) is working as expected now. And we still have issue with other api(in a different web application).

Can anyone help me to understand if there are any other settings apart from what I mentioned above to make it working as expected.

Falcon Francis
  • 3
  • 4

1 Answers1

0

Make sure you configured the spn account properly with the application pool.

Open IIS Manager and select the Configuration Editor.

In the dropdown menu select system.webServer > security > authentication > windowsAuthentication

enter image description here

set useAppPoolCredentials to True.

In Internet explorer add the site address to the list of trusted websites and specify Automatic logon with a current user name and password in User Authentication -> Logon in Trusted Zones Sites settings.

enter image description here

Refer below link for more detail:

Troubleshoot Kerberos failures in Internet Explorer

Jalpa Panchal
  • 8,251
  • 1
  • 11
  • 26
  • SPN is configured and even the system.webserver configurations are also already set as mentioned. Web site is working fine and its able to authenticate. But only thing that bothers me is I am not able to find out why I get 401s (then 200) for each request. I expect 401 only for the first request in a session. Subsequent request must get 200 directly. – Falcon Francis Nov 09 '20 at 09:07
  • @FalconFrancis you could try to add the URL under a trusted site in internet explorer. – Jalpa Panchal Nov 10 '20 at 09:15
  • I will try it. I also noticed that the issue is happening only from chrome browser. I am getting expected results when I hit the url from browser. I am checking if this behavior is consistent or not. – Falcon Francis Nov 11 '20 at 10:59
  • @FalconFrancis try to set [link1](https://techcommunity.microsoft.com/t5/iis-support-blog/are-you-seeing-401-s-too-often-for-http-web-requests/ba-p/324654) both Kerberos and NTLM request/response flows, it's worth noting that the vast majority of HTTP clients (browsers, apps, etc.) don't send any credentials on their first request for a resource. first request is anonymous. [link](https://techcommunity.microsoft.com/t5/iis-support-blog/windows-authentication-http-request-flow-in-iis/ba-p/324645) – Jalpa Panchal Nov 12 '20 at 02:31