I have been struggling with getting Windows authentication to work on IIS10 for a .Net Core API. The error I am getting is 401.2:
You are not authorized to view this page due to invalid authentication headers.
I have made the following configurations:
Only windows authentication has been enabled on the site (Anonymous is disabled)
SPNs have been created for the site and the server has been enabled for delegation.
The application pool is configured to run under a domain account
Both cURL and Postman give me the same result. Interestingly, when I make use of the SwaggerUI on the API directly, I get the expected behavior, but when making external calls (from another server), I get the 401.2 error.
Some additional content from the error is that the Logon Method and Logon User is Not Yet Determined.
How do I resolve this issue?
I was under the assumption that Postman and cURL were sending the NTLM credentials/token as a part of the request by default, but was incorrect. I had to enable Failed Request Tracing on IIS and saw that they were trying to make use of anonymous authentication. Apparently Postman does not support NTLM authentication so I made use of cURL and appended the credentials. With this I could get the authentication to work with cURL.
Related
We are encountering a 401 error when making basic authenticated API calls to the X2CRM endpoints (index.php/api2/Contacts). Unauthenticated API calls to other X2CRM VoIP endpoints are successful without issue, and basic authentication works on a test page in the same directory using the same PHP-FPM pool. API calls previously working successfully.
The problem is that API calls to index.php/api2/Contacts or similar endpoints in the X2CRM system are returning a 401 error with "missing user credentials." Basic authentication is working correctly on a test page in the same directory and using the same PHP-FPM pool, and unauthenticated API calls to other X2CRM voip endpoints index.php/api/voip/data/(phone number) are successful without issue. The credentials for the API calls are confirmed to be present in the database
We tried making basic authenticated API calls to the X2CRM endpoints (index.php/api2/Contacts, etc.) using Postman and cURL. We expected the API calls to be successful and return the expected data. However, we encountered a 401 error and the response stated "Missing user credentials". We confirmed that the credentials being used are valid and present in the database. We also tested a basic authentication on a test page in the same directory and it was successful, allowing entry into the directory. We need help resolving the issue with the basic authenticated API calls.
The response that you have shared
Missing user credentials
means that the credentials that you are trying to send are not being sent with the request.
If those credentials were being sent correctly, then, the error would have been:
Invalid user credentials
or, something else in the response.
Furthermore, the index.php/api is different from index.php/api2 so you will need to verify it in the api2 controller. You can send a request to the following Endpoint to verify if your credentials work with the builtin APIs:
https://<YOUR_CRM_DOMAIN>/index.php/api2/appInfo.json
Moreover, the documentation clearly indicates that 401 error is related to Authorization, so you will need to fix that first.
I have a .NET core api hosted in IIS which uses windows authentication. I'm using Prometheus to scrape metrics from this API. But I'm getting the error "server returned HTTP status 401 Unauthorized" for the api target. Can some help me how to configure prometheus for targets with Windows authentication?
When I tried to browse the metrics path separately, the browser is requesting for credentials and I'm able to view the metrics with my Windows authentication.
Looking at the documentation, Prometheus seems to support basic (user/password) and OAuth bearer token authentication only. If your API/IIS doesn't support any of those, then you either need to disable authentication for the /metrics path or maybe set up a proxy that only allows /metrics requests and does the authentication for you.
I am trying to access WCF Webservice using Windows Authentication in Soap UI.
I am getting 401 unauthorized.
Following are the set up I done.
In Request Authorization Tab, I have given as NTLM
I have given username, password and Domain.
As well as WSS-Password Type: PasswordText or PasswordDigest, and Wss-TimeToLive: 2000
Tried for Basic and Kerberos as well. Getting 401 response ONLY..
Getting following in the http log.
WARN:Authentication error: ntlm authorization challenge expected, but not found
What needs to be done to solve this issue?
I am assuming you are connecting to a VPN in order to access the webservice, and that you have already verified the credentials are correct (ie: by accessing the endpoint in a browser). I will also assume your soapUI's ntlm configuration is correct.
If so, add -Djava.net.preferIPv4Stack=true to your .vmoptions file (under bin directory).
I am developing a web api. When I ran web api in local workstation by Visual Studio and used Fiddler or IE to consume it, all things were fine.
But if I deployed it into a remote IIS server, I get 401 error code in IE, Fiddler or client application. Even I enable Anonymous Authentication in IIS, 401 still occurs.
Could anyone give me some suggestions?
Thanks.
You can right click in the Authentification the "Anonymous Authentification" and select Edit. From there, you can assign on which credential you run the Anonymous authentification. If you set your own account, it should work (or any account that can run the web api).
I have a scenario wherein my ASP.NET MVC 3 web application hosted in IIS 7/Windows 2008 is accessing a WCF web service from another server, also hosted in IIS/Windows 2008. KCD is setup between the two servers and I have the necessary SPNs set up as well.
I have confirmed this working in IE. Using NetMon, I have also confirmed that KCD is working at the backend. My web app is running under machine account (network service) and the SPNs are setup accordingly for this machine account. The issue is when I use Safari on both my Windows and Mac OS X (Lion) machine, I am getting a 401 Unauthorized error:
The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'.
Looking at NetMon, it is failing because the request to the WCF web service is falling back to NTLM.
Note that both Windows and Mac machines are part of our domain, and I'm using my same Windows credentials on both machines.
I know that Safari supports Kerberos authentication, but there seems to be an issue when delegating from my web app to the WCF service. Is it an issue with Safari, or with WCF?
Thanks in advance!
Update:
In Safari on Mac, when I first access the web application, I can see in Wireshark and NetMon that there is a valid Kerberos token being passed along the HTTP request (i'm not getting a 401 Unauthorized error). But when my web application tries to access the backend web service, I can see in that particular HTTP request that the token being passed along is now an NTLM token.
I'm using basicHttpBinding with TransportCredentialOnly as the security mode - I also specified in web.config the SPN identity of the backend web service's endpoint (HTTP/FQDN of backend web service server). Windows Auth is of course enabled on both IIS sites with "use kernel mode" turned on, and with useAppPoolCredentials set to true on the appHost.config of both sites. Again this is just for Safari on Mac, Firefox and Chrome are both working fine.
Check in Wireshark whether Safari sends a delegable/forwardable ticket.
Are you able to access the backend service directly? Is credential delegation on, I guess the ticket is not delegable? Safari has to request this. Firefox and IE do. The NTLM token passed is a token from your server. There is no delegation support in NTLM. There is something wrong with the target host.
Looking at the Wireshark traces, it seems that Safari is requesting for a Kerberos ticket that is not forwardable. Due to this flag, the Kerberos ticket is not forwarded / delegated to the next hop, causing the authentication to fall back to NTLM and fail.
Comparing this to the TGS request requested by IE, Firefox and Chrome, they all have a forwardable flag set.
I also tried doing a klist -F in Mac OS X to retrieve tickets that are forwardable, but Safari will still request for a separate ticket that doesn't have the forwardable flag.
Which brings me to a conclusion that Safari on Mac DOES NOT support delegation.