Windows IIS Authentication Denying Some Users

We have a very simple SOAP web service set up using Windows Authentication, open to all users:

<authentication mode="Windows" />
<authorization>
  <allow users="*" />
</authorization>


Problem

However, some Windows accounts are getting 401 Forbidden errors.

What works

  • A fixed list of accounts always works (regardless of NTLM / Kerberos, local / external server)
  • All accounts seem to work when accessed locally on the web server.
  • All accounts seem to work when using IE (which appears to be using Kerberos)

What does not work

  • Most (but not all) accounts from an external server (which appears to be using NTLM)

Other facts

  • There is no obvious scheme with which accounts work and which ones do not (this seems arbitrary).
  • A new account that is identical to an existing account does not work.
  • Whether an account works seems to be consistent (i.e. it will always work or never work).
  • The accounts that work seem to be consistent across different environments (i.e. all IIS servers accept and reject the same set of accounts).
  • No differences in captured traffic between servers other than different NTLM tokens and a 401 response instead of a 200/202 response.

What's going on technically

Specifically, when the problem occurs, the password credentials cannot be verified (I can guarantee they are correct), according to the 4625 Audit Failure event in the security log:

Account For Which Logon Failed:
Security ID:        NULL SID
Account Name:       FAILING_ACCOUNT_NAME_ALLCAPS
Account Domain:     MYDOMAIN

Failure Information:
Failure Reason:     Unknown user name or bad password.
Status:         0xc000006d
Sub Status:     0xc000006a


This appears to result in the AD account being locked out (which makes sense, since the code 0xc000006a usually reflects an invalid password attempt), although this behavior seems inconsistent.

If the request trace fails, IIS shows an unknown username / bad password error as well as a 401.2 error with error code 3221225581.

I can also force "genuine" 401 errors for working accounts (by denying them in the authorization tag), and the behavior is different (i.e. it doesn't mark them as "Unknown user name or bad password", but gives a different access denied error).

What's next

Does anyone have experience with where I should look next to help diagnose this problem?

+3
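The question rests on reading Security-log 4625 events and their NTSTATUS Status / Sub Status codes, and on whether the failing requests arrived via NTLM or Kerberos. The following PowerShell is an added diagnostic example, not code from the original post or its author. It assumes it is run in an elevated session on the IIS server (where 4625 is written for network logons to the web service), that the failing account is the hypothetical MYDOMAIN\svc.failing, and that the last 24 hours of the log are of interest. It decodes the status codes the post quotes (0xC000006D, 0xC000006A) and groups failures by authentication package so the NTLM-only pattern described above can be confirmed from the log rather than from packet captures.

```powershell
# Added diagnostic example (not from the original post). Run elevated on the
# IIS server. Hypothetical assumptions: failing account 'svc.failing', last 24 h.

$Since   = (Get-Date).AddHours(-24)
$Account = 'svc.failing'   # hypothetical failing account name

# NTSTATUS values commonly seen in the Status / Sub Status fields of event 4625.
$NtStatus = @{
    '0xC000006D' = 'STATUS_LOGON_FAILURE (generic logon failure)'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC0000064' = 'STATUS_NO_SUCH_USER'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC000006E' = 'STATUS_ACCOUNT_RESTRICTION'
    '0xC000006F' = 'STATUS_INVALID_LOGON_HOURS'
    '0xC0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xC0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xC0000193' = 'STATUS_ACCOUNT_EXPIRED'
    '0xC000015B' = 'STATUS_LOGON_TYPE_NOT_GRANTED'
    '0xC000018D' = 'STATUS_TRUSTED_RELATIONSHIP_FAILURE'
    '0xC0000133' = 'STATUS_TIME_DIFFERENCE_AT_DC'
}

# Normalise the lower-case hex the event log emits (e.g. 0xc000006a) and name it.
function Decode-NtStatus([string]$Code) {
    if (-not $Code) { return '' }
    $key = '0x' + $Code.Substring(2).ToUpper()
    if ($NtStatus.ContainsKey($key)) { "$key $($NtStatus[$key])" } else { "$key (unknown)" }
}

# Flatten the EventData XML of one event into a hashtable keyed by field name.
function Get-EventFields($Event) {
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($node in $xml.Event.EventData.Data) {
        $fields[$node.Name] = $node.'#text'
    }
    $fields
}

$failures = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $Since
} -ErrorAction SilentlyContinue

if (-not $failures) { Write-Host "No 4625 events since $Since"; return }

$rows = foreach ($e in $failures) {
    $f = Get-EventFields $e
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($f.TargetDomainName)\$($f.TargetUserName)"
        LogonType   = $f.LogonType                  # 3 = Network, which IIS uses
        AuthPackage = $f.AuthenticationPackageName  # NTLM vs Kerberos
        LogonProc   = $f.LogonProcessName
        Client      = "$($f.WorkstationName) $($f.IpAddress)"
        Process     = $f.ProcessName                # w3wp.exe for the IIS worker
        Status      = Decode-NtStatus $f.Status
        SubStatus   = Decode-NtStatus $f.SubStatus
    }
}

# 1. Everything logged for the suspect account, newest first.
$rows | Where-Object { $_.User -like "*\$Account" } |
    Sort-Object Time -Descending |
    Format-Table Time, User, AuthPackage, LogonType, Client, SubStatus -AutoSize

# 2. Is the failure pattern tied to the authentication package and/or the
#    domain the client presented? Failures only under NTLM, or a different
#    TargetDomainName than the working accounts show, is the next place to look.
$rows | Group-Object AuthPackage, SubStatus |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize
```

For NTLM network logons the web server does not verify the password itself: it passes the challenge/response to a domain controller, which records the outcome as event 4776 (with its own error code) in the DC's Security log. Comparing a failing account's 4625 on the IIS server with the matching 4776 on the DC shows whether the DC actually rejected the password (which would also explain the lockouts) or whether the pass-through itself failed before the DC was consulted.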

1 answer


This seems to be a very rare problem that has plagued you for years (infrastructure teams, devs, and Microsoft have failed to isolate the problem). According to the comments, it seems like some passwords might have an effect, so try there.



+1