Here's another good gotcha that I discovered with IIS 6.0 recently. We had a process that was hitting our web services IIS boxes pretty intensely, and we noticed that on one of the nodes in the load-balanced cluster we would get 401 errors. When I looked at the logs I noticed that a "typical" request for the service would follow this pattern:
- request -> response 401.5
- request -> response 401.1
- request (with credentials) -> response 200 0
On the "bad" box, I would see just step 2 in the pattern, and nothing else, until later on when things would go back to normal. Very strange. Microsoft took a look at the logs and then at the metabases from the two webservers and noticed that the "bad" box was using "NTLM, Negotiate" for authentication, while the "good" box was using "Negotiate, NTLM" (the default). So we switched the bad box to "Negotiate, NTLM" and voilà, no more 401 errors!
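One way to spot the "bad box" pattern in the logs, as an added example that is not code from the original post: it scans W3C extended log lines for 401.1 responses that are never followed by a 200 for the same client and URL. The log lines, field list, IP addresses, URL and 2-second window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in W3C extended log format (not from the original post).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-substatus
2007-03-01 10:00:00 10.0.0.5 POST /svc/orders.asmx 401 5
2007-03-01 10:00:00 10.0.0.5 POST /svc/orders.asmx 401 1
2007-03-01 10:00:01 10.0.0.5 POST /svc/orders.asmx 200 0
2007-03-01 10:00:05 10.0.0.9 POST /svc/orders.asmx 401 1
2007-03-01 10:00:09 10.0.0.9 POST /svc/orders.asmx 401 1
2007-03-01 10:00:20 10.0.0.9 POST /svc/orders.asmx 401 5
2007-03-01 10:00:20 10.0.0.9 POST /svc/orders.asmx 401 1
2007-03-01 10:00:21 10.0.0.9 POST /svc/orders.asmx 200 0
"""

def parse_w3c(text):
    """Yield one dict per request, named by the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(
                f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            yield row

def stalled_handshakes(text, window=timedelta(seconds=2)):
    """Return 401.1 rows with no 200 for the same client and URL within window."""
    pending = defaultdict(list)  # (client, url) -> 401.1 rows awaiting a 200
    stalled = []
    for row in parse_w3c(text):
        key = (row["c-ip"], row["cs-uri-stem"])
        # Anything older than the window never completed the handshake.
        stalled += [p for p in pending[key] if row["ts"] - p["ts"] > window]
        pending[key] = [p for p in pending[key] if row["ts"] - p["ts"] <= window]
        if (row["sc-status"], row["sc-substatus"]) == ("401", "1"):
            pending[key].append(row)
        elif row["sc-status"] == "200":
            pending[key].clear()  # credentials accepted, handshake finished
    # A 401.1 still pending at end of log is reported too.
    for rows in pending.values():
        stalled += rows
    return sorted(stalled, key=lambda r: r["ts"])

if __name__ == "__main__":
    for r in stalled_handshakes(SAMPLE_LOG):
        print(r["date"], r["time"], r["c-ip"], r["cs-uri-stem"], "401.1 with no 200")
```

Running it against each node's log separately makes a node with a disproportionate number of stalled handshakes stand out.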
Here are the links to the support docs:
How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication
http://support.microsoft.com/kb/215383/en-us
How to troubleshoot Kerberos-related issues in IIS
http://support.microsoft.com/kb/326985/en-us
IIS May Return HTTP Status 401 Every 30 Days When You Use Kerberos Authentication
http://support.microsoft.com/kb/318225/en-us
Kerberos authentication and troubleshooting delegation issues