How can I understand and eliminate login prompts showing up on MVC site using Windows Authentication

0

I have an ASP.NET / MVC website using Windows Authentication.

On IIS side, it is set-up to only allow Windows Authentication.


The web.config side is configured to allow windows authentication only:

<!-- Windows (Negotiate/NTLM) authentication only; no Forms or Anonymous -->
<authentication mode="Windows" />
<authorization>
  <!-- let unauthenticated OPTIONS (e.g. CORS preflight) requests through -->
  <allow verbs="OPTIONS" users="*" />
  <!-- "?" means anonymous users: everything else must be authenticated -->
  <deny users="?" />
</authorization>
<!-- run each request under the authenticated caller's Windows token -->
<identity impersonate="true" />

The issue is that sometimes (depending on users [which is weird, but it may just be random], between 1 and 50% of the time), instead of loading the page as expected, the browser (Chrome and IE behave the same) will display a login prompt instead of logging the users in a seamless way.

I have not been able to determine any way to force it one way or another, and if the user keeps refreshing the same page, in the same browser, it will end up working (if the user got the login prompt in the first place), or showing the prompt.

EDIT: I have activated Failed Request Tracing in IIS. I can see that all queries fail with an error code 401.2, which is expected, since Anonymous Auth is disabled. This first response contains the accepted authentication modes in its header:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

For most requests, the next request is used to authenticate the user, and everything works fine.

When authentication fails, and a login prompt is shown, the next request is a 401.1, with the error message:

Indicates a particular Security ID may not be assigned as the label of an object. (0x80070513)

I have no idea about what is causing this behavior, and even less about how to solve it.

asp.net
asp.net-mvc
authentication
windows-authentication
asked on Stack Overflow Jan 17, 2018 by Maxime • edited Jan 17, 2018 by Maxime

1 Answer

0

It could possibly be a duplicate SPN issue. And if it is, I believe your application is running under NTLM and not Negotiate (Kerberos).

A few things you can test here.

Capture a Fiddler trace from the client. If the authentication token starts with TIRM..., it's NTLM and not Kerberos.

Also, please share the following info.

  1. Is this a load-balanced environment?

  2. Do you access the site using a custom domain name or the server name?

  3. What identity is your application pool running under?

answered on Stack Overflow Feb 8, 2018 by Parvez Mulla
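The check the answer suggests (look at the first characters of the token the browser sends) and the exchange the question's trace shows (a 401 offering Negotiate and NTLM, then the client's reply) can both be automated. Below is an added Python example, not code from the question, the answer or any Microsoft tool, that classifies the token in an Authorization / WWW-Authenticate header as NTLM or Kerberos by decoding it rather than eyeballing the base64. The bare NTLMSSP signature encodes to the base64 prefix TlRMTVNTUAA (that is T, lowercase l, R, M: the prefix the answer refers to), and a Kerberos token sent through Negotiate is a GSS-API/SPNEGO blob whose first byte is 0x60, which encodes to a YI prefix. The script assumes nothing about the asker's site: the sample tokens are constructed inline (a minimal NTLMSSP message, and a hand-built SPNEGO NegTokenInit whose mechToken is zero-filled rather than a real Kerberos AP-REQ), and the trace format (`S:`/`C:` prefixed header lines) is an assumed convention for copying headers out of a Fiddler session.

```python
import base64
import struct

# Protocol constants (DER-encoded OIDs and the NTLMSSP signature); fixed by the
# specs, not values taken from the question.
NTLM_SIGNATURE = b"NTLMSSP\x00"
OID_SPNEGO = b"\x06\x06\x2b\x06\x01\x05\x05\x02"                    # 1.3.6.1.5.5.2
OID_KRB5 = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"          # 1.2.840.113554.1.2.2
OID_MSKRB5 = b"\x06\x09\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"        # 1.2.840.48018.1.2.2
OID_NTLMSSP = b"\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"   # 1.3.6.1.4.1.311.2.2.10


def classify_token(header_value):
    """Classify the token of an Authorization / WWW-Authenticate header value.

    Returns {'scheme': ..., 'mech': 'ntlm'|'kerberos'|'spnego'|'unknown'|'none',
             'ntlm_type': 1/2/3 for NTLM messages, else None}.
    """
    scheme, _, token = header_value.strip().partition(" ")
    scheme, token = scheme.lower(), token.strip()
    if not token:                      # e.g. the bare "WWW-Authenticate: NTLM" offer
        return {"scheme": scheme, "mech": "none", "ntlm_type": None}
    raw = base64.b64decode(token + "=" * (-len(token) % 4))
    # NTLM appears either as a bare NTLMSSP message or wrapped inside SPNEGO.
    pos = raw.find(NTLM_SIGNATURE)
    if pos >= 0 and len(raw) >= pos + 12:
        msg_type = struct.unpack_from("<I", raw, pos + 8)[0]   # 1/2/3 follows the signature
        return {"scheme": scheme, "mech": "ntlm", "ntlm_type": msg_type}
    if raw[:1] == b"\x60":             # GSS-API InitialContextToken ([APPLICATION 0])
        if OID_KRB5 in raw or OID_MSKRB5 in raw:
            return {"scheme": scheme, "mech": "kerberos", "ntlm_type": None}
        if OID_NTLMSSP in raw:
            return {"scheme": scheme, "mech": "ntlm", "ntlm_type": None}
        return {"scheme": scheme, "mech": "spnego", "ntlm_type": None}
    return {"scheme": scheme, "mech": "unknown", "ntlm_type": None}


def summarize_trace(header_lines):
    """Walk the auth headers of one exchange, in order ('S: Name: value' for
    server lines, 'C: Name: value' for client lines). Reports what the server
    offered, what the client sent, and whether NTLM was used at any point."""
    offered, client = [], []
    for line in header_lines:
        side, _, rest = line.partition(": ")
        name, _, value = rest.partition(": ")
        if side == "S" and name.lower() == "www-authenticate":
            offered.append(value.split(" ", 1)[0])
        elif side == "C" and name.lower() == "authorization":
            client.append(classify_token(value))
    return {"offered": list(dict.fromkeys(offered)), "client": client,
            "ntlm_used": any(c["mech"] == "ntlm" for c in client)}


# --- constructed sample tokens so the script runs offline --------------------

def build_ntlm_message(msg_type):
    """Minimal constructed NTLMSSP message: signature, type field, zeroed rest."""
    return NTLM_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 24


def _der(tag, content):
    """Tiny DER TLV encoder (definite length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + content


def build_spnego_kerberos_token(dummy_ap_req=b"\x00" * 200):
    """Constructed SPNEGO NegTokenInit offering Kerberos; the mechToken is a
    zero-filled stand-in, not a real AP-REQ."""
    mech_types = _der(0xa0, _der(0x30, OID_MSKRB5 + OID_KRB5))
    mech_token = _der(0xa2, _der(0x04, dummy_ap_req))
    return _der(0x60, OID_SPNEGO + _der(0xa0, _der(0x30, mech_types + mech_token)))


def b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Failing pattern from the question: 401 offering Negotiate and NTLM, then the
# browser falls back to the three-leg NTLM handshake (constructed tokens).
NTLM_FALLBACK_TRACE = [
    "S: WWW-Authenticate: Negotiate",
    "S: WWW-Authenticate: NTLM",
    "C: Authorization: Negotiate " + b64(build_ntlm_message(1)),
    "S: WWW-Authenticate: Negotiate " + b64(build_ntlm_message(2)),
    "C: Authorization: Negotiate " + b64(build_ntlm_message(3)),
]
# Healthy pattern: the browser answers the same offer with a Kerberos token.
KERBEROS_TRACE = [
    "S: WWW-Authenticate: Negotiate",
    "S: WWW-Authenticate: NTLM",
    "C: Authorization: Negotiate " + b64(build_spnego_kerberos_token()),
]

if __name__ == "__main__":
    for name, trace in (("ntlm fallback", NTLM_FALLBACK_TRACE), ("kerberos", KERBEROS_TRACE)):
        s = summarize_trace(trace)
        print(name, s["offered"], [(c["mech"], c["ntlm_type"]) for c in s["client"]], s["ntlm_used"])
```

Run it once over the constructed traces, then feed it the header lines copied from a real session: `ntlm_used` being True for some users and False for others is the pattern a Kerberos failure with NTLM fallback produces, which is what the answer's duplicate-SPN hypothesis would predict, and it is also worth watching for on its own, since NTLM gives up Kerberos' mutual authentication. The `ntlm_type` values show how far the handshake got (1 = NEGOTIATE from the client, 2 = CHALLENGE from the server, 3 = AUTHENTICATE from the client).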

User contributions licensed under CC BY-SA 3.0