Access to console remotely throws a 401 Unauthorized error - 401.1 error


Article ID: 155783


Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

Attempts to access the SMP console result in a 401 Unauthorized error page. IIS logs show a 401 1 (401.1) error.

Windows Security event logs show successful authentication from the remote IP.

Another symptom might be that the user is continually prompted for credentials when trying to get into the console.  This happens both at the server and from a remote console.

Cause

The cause could be one or more of the following conditions.

1. Windows Authentication does not seem to function properly between IIS and Windows. This seems to be caused by the IIS setting to use kernel mode authentication.

2. Possibly a problem where the authentication token (via Kerberos) is too large. This is usually caused when the user account authenticating is a member of 100+ security groups. The following link explains the condition:

http://blogs.technet.com/b/surama/archive/2009/04/06/kerberos-authentication-problem-with-active-directory.aspx

 

3. EDNS may be enabled and causing problems.

4. A proxy setting in IE is preventing the Child or Parent server (depending on which direction replication is failing) from contacting and authenticating to the other server. Currently the replication framework does not use the Notification Server proxy settings in order to get through a proxy configuration.

5. The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail has been set to a value of 2.

***********************************************************************

Resolution

A permanent fix has been provided in 7.1 SP2 MP1 V6. (See HOWTO81832)

**************************************************************************************************************************************************

NOTE: Another fix for this, rather than disabling Kerberos authentication, is to apply a useAppPoolCredentials="true" setting to the applicationhost.config file. See details in this Microsoft link: http://blogs.msdn.com/b/autz_auth_stuff/archive/2011/05/06/kernel-mode-authentication.aspx . The applicationhost.config file is located at C:\Windows\System32\inetsrv\config.

Modify the line <windowsAuthentication enabled="true" useKernelMode="true"/> in

<location path="Default Web Site/Altiris">
	<system.webServer>
		<directoryBrowse enabled="false" showFlags="None" />
		<handlers accessPolicy="Read, Script" />
		<security>
			<authentication>
				<windowsAuthentication enabled="true" />
				<anonymousAuthentication enabled="true" />
				<digestAuthentication enabled="false" />
				<basicAuthentication enabled="true" />
			</authentication>
		</security>
	</system.webServer>
</location>

To look like: <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true"/>

Reset IIS after the changes have been made.

*************************************************************************************************************************************************

NOTE 2: Turning off kernel mode authentication will break IT Analytics. Microsoft KB http://support.microsoft.com/kb/2749007 offers two workarounds to this problem: "disable Pre-Authentication in Internet Explorer, or turn off Kernel Mode Authentication for the IIS Web application".


To "disable Pre-Authentication in Internet Explorer", do the following:

Add the following registry value to the computer that you are opening the console on.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\

Value Name: DisableNTLMPreAuth
Data Type: REG_DWORD
Value: 1
 

********************************************************************************

 
Each of the following solutions corresponds to one of the numbered possible causes above.

1.  Disable the kernel mode authentication for Windows Authentication on the Altiris website.

Start the IIS manager and go into Sites > Default Web Site > Altiris.

On the /Altiris Home configuration page, pick IIS > Authentication. Double-click on "Authentication" or right-click and select "Open Feature".

In the right pane select "Windows Authentication", right-click and select "Advanced Settings...".

In the Advanced Settings dialog disable (uncheck) "Enable  Kernel-mode Authentication".

Run iisreset (with elevated privileges) and connections should now authenticate properly from remote locations/computers to the console.

 

2. Try making the following registry additions/changes recommended by the above TechNet link under "Configure IIS to accept larger headers":

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\MaxFieldLength=65534
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\MaxRequestBytes=65534

Reboot the server.

 

3. For an explanation of EDNS and how to disable it to test if it is the problem see the following link:  http://weblogs.asp.net/owscott/archive/2009/09/15/windows-server-2008-r2-dns-issues.aspx

 4.  In the IE Proxy configuration settings add an exclusion entry identifying specific servers or servers in a specific domain so that they do not need to authenticate through the proxy, but can go straight to the server.

5. See Microsoft support.microsoft.com/kb/832981 for details on the HTTP 401.1 and HTTP 500 errors when the security event log is full and the following registry key value is set to a value of 1 or 2: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail. To resolve the issue set the registry key value to 0.
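
A read-only check of the settings named in the causes, notes and solutions above, as an added PowerShell example (not part of the original article or of the product's tooling). It assumes an elevated session on the SMP server with the IIS WebAdministration module available; Get-AuthAttribute, Get-RegValue and New-Finding are hypothetical helper names. It changes nothing and prints each current value beside the value the article's fix uses.

```powershell
# Added example: read-only audit of the settings this article names.
# Assumes an elevated session on the SMP server with the WebAdministration module.
Import-Module WebAdministration

$location = 'Default Web Site/Altiris'   # location path from applicationhost.config
$filter   = 'system.webServer/security/authentication/windowsAuthentication'

# Hypothetical helper: effective value of a windowsAuthentication attribute.
function Get-AuthAttribute([string]$Name) {
    (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $location -Filter $filter -Name $Name).Value
}

# Hypothetical helper: registry value, or '(not set)' when the value is absent.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { '(not set)' }
}

# Hypothetical helper: one report row per setting.
function New-Finding([string]$Cause, [string]$Setting, $Current, [string]$Article) {
    New-Object PSObject -Property @{
        Cause = $Cause; Setting = $Setting; Current = $Current; Article = $Article
    }
}

$http = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ie   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

$findings = @(
    New-Finding '1' 'useKernelMode' (Get-AuthAttribute 'useKernelMode') 'false (solution 1)'
    New-Finding '1' 'useAppPoolCredentials' (Get-AuthAttribute 'useAppPoolCredentials') 'true (NOTE)'
    New-Finding '2' 'MaxFieldLength' (Get-RegValue $http 'MaxFieldLength') '65534'
    New-Finding '2' 'MaxRequestBytes' (Get-RegValue $http 'MaxRequestBytes') '65534'
    New-Finding '5' 'CrashOnAuditFail' (Get-RegValue $lsa 'CrashOnAuditFail') '0'
    # NOTE 2 value is per-user: check it on the computer that opens the console.
    New-Finding 'NOTE 2' 'DisableNTLMPreAuth' (Get-RegValue $ie 'DisableNTLMPreAuth') '1'
)

$findings | Select-Object Cause, Setting, Current, Article | Format-Table -AutoSize
```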

 

Applies To

 

Symantec Management Platform 7.1, 7.1 SP1, 7.1 SP2
Windows Server 2008 R2