Windows IIS Authentication Denying Some Users
We have a very simple SOAP web service setup using Windows Authentication open to all users:
    <authentication mode="Windows" />
    <authorization>
        <allow users="*" />
    </authorization>
Problem
However, some Windows accounts are getting errors 401 Forbidden.
What works
- A list of accounts is always selected (regardless of NTLM / Kerberos, local / external server)
- All accounts seem to work when accessed locally on the web server.
- All accounts seem to work when using IE (which appears to be using Kerberos)
What does not work
- Most (but not all) accounts from an external server (which appears to be using NTLM)
Other facts
- There is no obvious scheme with which accounts work and which ones do not (this seems arbitrary).
- A new account that is identical to an existing account does not work.
- Working with accounts seems to be consistent (i.e. it will always work or never work).
- The accounts that work seem to be consistent across different environments (i.e. all IIS servers accept and reject the same set of accounts).
- No differences in captured traffic between servers other than different NTLM tokens and a 401 response instead of a 200/202 response.
What's going on technically
Specifically, when a problem occurs, the password credentials cannot be verified (I can guarantee they are correct), according to the 4625 Audit Failure error in the security log:
    Account For Which Logon Failed:
        Security ID:      NULL SID
        Account Name:     FAILING_ACCOUNT_NAME_ALLCAPS
        Account Domain:   MYDOMAIN
    Failure Information:
        Failure Reason:   Unknown user name or bad password.
        Status:           0xc000006d
        Sub Status:       0xc000006a
This appears to result in an AD account being locked out (which makes sense since the code 0xc000006a usually reflects an invalid password attempt), although this behavior seems inconsistent.
If the request trace fails, IIS shows an unknown username / bad password error as well as an error 401.2 with an error code 3221225581.
I can also force "genuine" 401 errors for working accounts (by negating them in the authorization tag) and the behavior is different (i.e. it doesn't mark them as "Unknown user name or bad password", but gives a different access denied error).
What's next
Does anyone have experience with this, or advice on where I should be looking to help diagnose this problem?
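The diagnosis the question is after comes down to correlating the 4625 events on the web server with the authentication package in use (NTLM versus Kerberos), the source workstation, and the Status / SubStatus pair. The following script is an added example, not code from the question or from any Microsoft documentation: it pulls recent 4625 events from the Security log, unpacks the EventData fields from the event XML, and groups the 0xc000006a ("bad password") failures by account and authentication package, so a set of accounts that only fails over NTLM from external hosts stands out. The account name and look-back window are placeholders; run it elevated on the IIS host.

```powershell
# Added diagnostic example (not from the original question).
# Assumes: elevated PowerShell on the IIS server; $AccountName is the
# placeholder account name from the question; $HoursBack is arbitrary.
param(
    [string]$AccountName = 'FAILING_ACCOUNT_NAME_ALLCAPS',
    [int]$HoursBack = 24
)

$since  = (Get-Date).AddHours(-$HoursBack)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Flatten each event's <EventData><Data Name="...">...</Data> list into an object.
$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = $d['TargetUserName']
        Domain      = $d['TargetDomainName']
        LogonType   = $d['LogonType']               # 3 = network logon (IIS)
        AuthPackage = $d['AuthenticationPackageName'] # NTLM vs Kerberos
        Workstation = $d['WorkstationName']
        SourceIp    = $d['IpAddress']
        Status      = $d['Status']                  # e.g. 0xc000006d
        SubStatus   = $d['SubStatus']               # e.g. 0xc000006a
    }
}

# 1. Every failure for the account in question, newest first.
$rows |
    Where-Object { $_.Account -ieq $AccountName } |
    Sort-Object Time -Descending |
    Format-Table Time, Domain, LogonType, AuthPackage, Workstation, SourceIp, Status, SubStatus -AutoSize

# 2. Which accounts fail with the "bad password" sub-status, and over which package?
#    A list dominated by NTLM entries from external workstations matches the
#    symptom described in the question; Kerberos entries would not.
$rows |
    Where-Object { $_.SubStatus -eq '0xc000006a' } |
    Group-Object Account, AuthPackage |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Two things worth checking alongside the output: the corresponding 4624 (successful logon) events for an account that works, to confirm its AuthenticationPackageName is Kerberos as the question suspects, and the 4740 (account locked out) events, which are written on the domain controller rather than on the web server, to tie the lockouts to the NTLM failures by timestamp and caller computer name.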