Error with Custom Role Provider: The login is from an untrusted domain and cannot be used with Windows authentication

0

Having deployed the latest build of a C# MVC app to a test server, this is the error I'm getting.

This all works fine when run locally in VS2013.

I'm using a custom provider and I'm pretty sure this worked ok before.

The relevant part of web.config looks like this:

  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
    <authentication mode="Windows" />
    <roleManager defaultProvider="MyRoleProvider" enabled="true">
      <providers>
        <clear />
        <add name="MyRoleProvider" type="CWC_Service_Plan.Security.MyRoleProvider" />
      </providers>
    </roleManager>
    <compilation debug="true" targetFramework="4.5.1" />
    <httpRuntime targetFramework="4.5.1" />
  </system.web>

The Authorisation config in IIS looks like this:

[Image: IIS Authentication config]

Enabling anonymous access makes no difference.

Having trudged through the answers in SO without finding the solution, I'm aware that there is a lot out there on this, but I haven't yet found anything that can resolve this issue. For example, the problem is not a database security issue, the password for the site identity user has not expired, etc.

Does anyone have any suggestions on how to proceed? I'll supply additional details as requested.

And thanks for the help!

[Edit]

When the site is browsed locally (on the server) the error is mildly more helpful:

[Image: screenshot of the error shown when browsing locally]

This would still suggest a problem connecting to the database, as the User.IsInRole function checks the database for role membership, but I'm sure this is OK.

[Edit2]

Looking through the Windows logs shows the following error:

SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The logon attempt failed
[CLIENT: 10.184.23.141]

What does that mean in English, apart from "Login failed"?

[Edit3]

Apparently this could mean that no Service Principal Name has been set up for the service user. https://technet.microsoft.com/en-us/library/bb735885.aspx

Am currently investigating this angle...

c#
asp.net-mvc
authentication
iis
asked on Stack Overflow Dec 8, 2015 by CompanyDroneFromSector7G • edited Dec 9, 2015 by CompanyDroneFromSector7G
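
The log entry quoted under [Edit2] can be decoded mechanically. The following Python parser is an added example, not part of the original question or answer: it extracts the SSPI status code, state, failing API and client address from SQL Server error-log text and maps the code to its winerror.h name. The function names are hypothetical, and the sample log is constructed around the message quoted in the question.

```python
import re
from collections import Counter

# SSPI status codes with their winerror.h names and messages (subset).
SSPI_STATUS = {
    0x80090308: ("SEC_E_INVALID_TOKEN", "The token supplied to the function is invalid"),
    0x8009030C: ("SEC_E_LOGON_DENIED", "The logon attempt failed"),
    0x8009030E: ("SEC_E_NO_CREDENTIALS", "No credentials are available in the security package"),
    0x80090311: ("SEC_E_NO_AUTHENTICATING_AUTHORITY", "No authority could be contacted for authentication"),
    0x80090322: ("SEC_E_WRONG_PRINCIPAL", "The target principal name is incorrect"),
    0x80090324: ("SEC_E_TIME_SKEW", "The clocks on the client and server machines are skewed"),
}

# DOTALL because the [CLIENT: ...] tag may be logged on the line after the message.
SSPI_RE = re.compile(
    r"SSPI handshake failed with error code (?P<code>0x[0-9a-fA-F]{8}), state (?P<state>\d+)"
    r".*?Reason: (?P<api>\w+) failed.*?\[CLIENT: (?P<client>[^\]]+)\]",
    re.DOTALL,
)

def parse_sspi_failures(log_text):
    """Return one dict per SSPI handshake failure found in log_text."""
    events = []
    for m in SSPI_RE.finditer(log_text):
        code = int(m.group("code"), 16)
        name, meaning = SSPI_STATUS.get(code, ("UNKNOWN", "code not in SSPI_STATUS"))
        events.append({
            "code": code, "name": name, "meaning": meaning, "api": m.group("api"),
            "state": int(m.group("state")), "client": m.group("client").strip(),
        })
    return events

def failures_by_client(events):
    """Count failures per (client, status name): which host keeps failing, and why."""
    return Counter((e["client"], e["name"]) for e in events)

# Constructed sample: the first entry is the message quoted in the question, the rest are made up.
SAMPLE_LOG = """\
SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The logon attempt failed
[CLIENT: 10.184.23.141]
Login succeeded for user 'svc_app'. Connection made using Windows authentication. [CLIENT: 192.0.2.10]
SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The logon attempt failed [CLIENT: 10.184.23.141]
SSPI handshake failed with error code 0x80090311, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. No authority could be contacted for authentication [CLIENT: 192.0.2.20]
"""

if __name__ == "__main__":
    for (client, name), n in failures_by_client(parse_sspi_failures(SAMPLE_LOG)).items():
        print(f"{client}: {n} x {name}")
```

The client address in each entry identifies the machine that opened the failing connection, which for a web application is the web server rather than the end user's browser.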

1 Answer

0

I never found an entirely satisfactory answer to this.

In the end I switched to using SQL Authentication for the database access, thus removing the problem, so more of a work-around than a fix really.


User contributions licensed under CC BY-SA 3.0