Saturday, 7 June 2008

IIS 401 and 403 Errors

Back by demand: IIS errors, but unlike most I'm going to tell you where to look to solve your error.

specific cause of the error. These specific error codes are displayed in the browser but are not displayed in the IIS log:

401.1 - Logon failed.
The client gave the wrong username/password (including none at all). This could be from an incorrect cached auto-login attempt by the browser, or from a user login dialog from the browser.

Invalid Kerberos configuration - on IIS6, if you have a customized Application Pool Identity AND Integrated Authentication is used AND the web server is in a domain, you will mysteriously get 401.1 unless you configure SETSPN *or* change Integrated Authentication to favor NTLM. See the following URLs on Application Pool Identity, Integrated Authentication in IIS, and Constrained Delegation configuration as well as this URL on additional Kerberos-related troubleshooting for more information.
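One way to check the SPN side of this, as an added example that is not from the original post: the script parses the output of `setspn -L` for the Application Pool Identity and prints the registration command for each HTTP SPN that is still missing. The account `EXAMPLE\svc-web`, the host names and the sample output are constructed assumptions.

```powershell
# Constructed sample: what `setspn -L EXAMPLE\svc-web` prints for a hypothetical
# Application Pool Identity that has only the short host name registered.
$sampleOutput = @'
Registered ServicePrincipalNames for CN=svc-web,OU=Service Accounts,DC=example,DC=com:
        HTTP/intranet
'@

function Get-MissingHttpSpn {
    param(
        [string]$SetSpnOutput,   # raw text printed by `setspn -L <account>`
        [string[]]$HostNames     # every name clients use to reach the site
    )
    # SPN entries are the indented "service/host" lines; the header line is
    # skipped because it does not start with whitespace.
    $registered = $SetSpnOutput -split "`r?`n" |
        Where-Object { $_ -match '^\s+\S+/\S+' } |
        ForEach-Object { $_.Trim() }

    foreach ($name in $HostNames) {
        $spn = "HTTP/$name"
        # -notcontains compares case-insensitively, which matches how SPNs are treated
        if ($registered -notcontains $spn) { $spn }
    }
}

$account = 'EXAMPLE\svc-web'   # hypothetical Application Pool Identity
$missing = Get-MissingHttpSpn -SetSpnOutput $sampleOutput -HostNames 'intranet', 'intranet.example.com'

foreach ($spn in $missing) {
    # Print the command for review instead of running it
    "setspn -A $spn $account"
}
```

On a real server, replace `$sampleOutput` with the text returned by `setspn -L` for your own account. Register each SPN on one account only, because a duplicate SPN also makes Kerberos authentication fail.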

You enabled Anonymous authentication, yet you still get 401.1 for all requests. One common cause is that the configured anonymous user credentials stored in the IIS metabase configuration file are DIFFERENT from the user principal's credentials in reality (i.e. mismatched password). In all cases, the preferred solution is to manually synchronize the username/password of the anonymous user principal in IIS with that of the real user principal. I have seen many amazing variations of this cause, including:

401.2 - Logon failed due to server configuration.
This means the directory has an ACL that you don't have permission to; change the permissions on the directory in IIS Manager.

401.3 - Unauthorized due to ACL on resource.
This error message is almost the same as the 401.2, but in this case the file itself is what you don't have permission to. Check the NTFS permissions on the file at drive level to resolve this one.

401.4 - Authorization failed by filter.
A loaded ISAPI filter denied the request. This can be a long or short troubleshooting exercise, depending on the amount of info output to the application log in Windows.

401.5 - Authorization failed by ISAPI/CGI application.
This error indicates that some ISAPI Extension or CGI Web Application sent back a structured 401 response of some sort. The reasons why the CGI/ISAPI are returning such 401 responses are completely arbitrary and uncontrollable by IIS. You will need to determine WHICH CGI/ISAPI is returning the response and obtain support for it.
