Windows IIS Authentication Denying Some Users
We have a very simple SOAP web service setup using Windows Authentication open to all users:
<authentication mode="Windows" />
<authorization>
    <allow users="*" />
</authorization>
However, some Windows accounts are getting errors.
What works
- A set of accounts always works (regardless of NTLM / Kerberos, local / external server).
- All accounts seem to work when accessed locally on the web server.
- All accounts seem to work when using IE (which appears to be using Kerberos).
What does not work
- Most (but not all) accounts from an external server (which appears to be using NTLM).
- There is no obvious pattern to which accounts work and which ones do not (it seems arbitrary).
- A new account that is identical to an existing working account does not work.
- The behaviour for a given account seems to be consistent (i.e. it will always work or never work).
- The accounts that work seem to be consistent across different environments (i.e. all IIS servers accept and reject the same set of accounts).
- No differences in captured traffic between servers other than different NTLM tokens and a 401 response instead of a 200/202 response.
What's going on technically
Specifically, when a problem occurs, the password credentials cannot be verified (I can guarantee they are correct), according to the 4625 Audit Failure error in the security log:

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: FAILING_ACCOUNT_NAME_ALLCAPS
    Account Domain: MYDOMAIN
Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc000006a
This appears to result in the AD account being locked out (which makes sense, since the code usually reflects an invalid password attempt), although this behaviour seems inconsistent.
If the request trace fails, IIS shows an unknown username / bad password error, as well as an error with an error code
I can also force "genuine" errors for working accounts (by negating them in the tag) and the behaviour is different (i.e. it doesn't mark them as "Unknown user name or bad password", but gives a different access denied error).
Does anyone have experience with this, or know where I should be looking to help diagnose this problem?
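As an added example (not code from the original question or from IIS itself), here is a PowerShell script that pulls the 4625 events the question quotes off the IIS host and breaks them down by account, authentication package and source, so the NTLM-only failures and the lockout pressure they create can be seen at a glance. The `$Hours` parameter and the output column names are my own; the EventData field names come from the 4625 event schema, and the optional lockout check assumes the ActiveDirectory RSAT module is installed on the machine running it.

```powershell
# Added example, not code from the original question: triage Security-log 4625 failures
# on the IIS host to see which accounts fail, over which authentication package
# (NTLM vs Kerberos), from where, and how close each account is to lockout.
# Assumptions: run from an elevated prompt on the web server (or point -ComputerName at it),
# the Security log still holds the failures, and the ActiveDirectory module is available
# for the optional lockout-policy check at the end.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

# Pull the named EventData fields out of each event's XML (names are from the 4625 schema).
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType   = $d['LogonType']                  # 3 = network logon, what IIS produces
        AuthPackage = $d['AuthenticationPackageName']  # NTLM or Kerberos
        Workstation = $d['WorkstationName']
        SourceIP    = $d['IpAddress']
        Status      = $d['Status']
        SubStatus   = $d['SubStatus']
    }
}

# Status 0xc000006d with SubStatus 0xc000006a is the "unknown user name or bad password" /
# "bad password" pair shown in the question. The domain controller counts each of these
# against the account's bad-password count, so a steady stream of them locks the account out.
$badPassword = $rows | Where-Object {
    $_.Status -eq '0xc000006d' -and $_.SubStatus -eq '0xc000006a'
}

# Summary per account / package / source. Accounts that appear here only with
# AuthPackage = NTLM and a remote SourceIP match the pattern described in the question.
$badPassword |
    Group-Object Account, AuthPackage, SourceIP |
    Select-Object Count,
        @{ n = 'Account';     e = { $_.Group[0].Account } },
        @{ n = 'AuthPackage'; e = { $_.Group[0].AuthPackage } },
        @{ n = 'SourceIP';    e = { $_.Group[0].SourceIP } },
        @{ n = 'LastSeen';    e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Optional: compare against the domain lockout threshold and the current lockout state,
# so the accounts most at risk from the failing requests are visible before users report it.
# Note that badPwdCount is tracked per domain controller, not replicated, so the value
# below reflects whichever DC answered the query.
if (Get-Module -ListAvailable ActiveDirectory) {
    $threshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold
    $badPassword | Group-Object Account | ForEach-Object {
        $sam = ($_.Name -split '\\')[-1]
        $ad  = Get-ADUser -Identity $sam -Properties LockedOut, BadPwdCount -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Account     = $_.Name
            Failures    = $_.Count
            Threshold   = $threshold        # 0 means lockout is disabled in the policy
            BadPwdCount = $ad.BadPwdCount
            LockedOut   = $ad.LockedOut
        }
    } | Format-Table -AutoSize
}
```

Run it on the web server after reproducing a failure from the external server. If the failing accounts show up only with `AuthPackage = NTLM` while the same accounts succeed with `Kerberos` from IE, that confirms the question's observation that the credentials themselves are fine and narrows the investigation to the NTLM validation path; the per-account failure counts against the lockout threshold also show why some accounts end up locked while others with fewer attempts do not.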