Replication Jobs are failing with a 401.1 authentication error.


Article ID: 157861


Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

Replication job run counts are increasing. The exception in the logs is an HTTP 401.1 authentication error:

Http: 401.1 Authentication failed

Cause

This error is normally caused by a problem with the credentials specified in the Hierarchy settings, or possibly Kerberos or Pre-Authentication Headers are involved.

Resolution

Open the SMP console and go to the Hierarchy - Hierarchy Management - Topology page. Right-click the child SMP it is attempting to replicate to and verify the "Access Credentials". The main page specifies the credentials used to access the destination server. The Advanced tab specifies the credentials the destination server uses to access the source. If you open these pages and click Save, the console verifies the credentials during the save only if it detects that changes need to be made. If no changes are detected, the page closes without trying to verify the credentials. You may need to make a change to the credentials in order to see whether they are verified.

If the credentials fail here, the replication job will also fail. If saving the access credentials fails, validate the user account and password.

If the credentials are accurate but they are still failing, first try to disable kernel-mode authentication.

1. Open Internet Information Services Manager

2. Click on Sites - Default Web Site - Altiris.

3. Double-Click Authentication

4. Click Windows Authentication. It should be "Enabled".

5. Select Advanced Settings.

6. Uncheck "Enable Kernel-mode authentication" and click OK.

7. Stop IIS and the Altiris services.

8. Restart the Altiris services and IIS.

9. Refresh the Altiris Console and check credentials again.

You may need to perform the same steps on the destination SMP.

If this works and IT Analytics is being used, disabling kernel-mode authentication may break IT Analytics.

Try the following options in order.

Option 1.

1. Re-enable kernel-mode authentication using the same process as above.

2. Modify the C:\Windows\System32\inetsrv\config\applicationhost.config file. See the following link for details: http://blogs.msdn.com/b/autz_auth_stuff/archive/2011/05/06/kernel-mode-authentication.aspx.

Modify the line <windowsAuthentication enabled="true" useKernelMode="true"/> in the following section:

<location path="Default Web Site/Altiris">
		<system.webServer>
			<directoryBrowse enabled="false" showFlags="None" />
			<handlers accessPolicy="Read, Script" />
			<security>
				<authentication>
					<windowsAuthentication enabled="true" useKernelMode="true"/>
					<anonymousAuthentication enabled="true" />
					<digestAuthentication enabled="false" />
					<basicAuthentication enabled="true" />
				</authentication>

To look like: <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true"/>

3. Reset IIS after the changes have been made.
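The same change as Option 1, made with the IIS WebAdministration PowerShell module instead of hand-editing applicationhost.config. This is an added example, not part of the original article; the backup name and the helper function Get-WinAuthSetting are illustrative choices, and the script assumes an elevated session on the SMP server.

```powershell
# Added example (not from the original article): apply Option 1 to the
# "Default Web Site/Altiris" location and confirm the result.
# Run from an elevated PowerShell session on the SMP server.
Import-Module WebAdministration

$apphost  = 'MACHINE/WEBROOT/APPHOST'      # write to applicationhost.config
$location = 'Default Web Site/Altiris'     # location path shown in the article
$filter   = 'system.webServer/security/authentication/windowsAuthentication'
$names    = 'enabled', 'useKernelMode', 'useAppPoolCredentials'

# Hypothetical helper: read one attribute of <windowsAuthentication>.
function Get-WinAuthSetting([string]$Name) {
    (Get-WebConfigurationProperty -PSPath $apphost -Location $location `
        -Filter $filter -Name $Name).Value
}

# 1. Record the current state so the change can be reviewed afterwards.
Write-Host 'Before:'
foreach ($n in $names) { Write-Host ("  {0} = {1}" -f $n, (Get-WinAuthSetting $n)) }

# 2. Take a restorable backup of the IIS configuration (name is arbitrary).
$backupName = 'pre-useAppPoolCredentials-{0:yyyyMMddHHmmss}' -f (Get-Date)
Backup-WebConfiguration -Name $backupName | Out-Null
Write-Host "Backup created: $backupName"

# 3. Keep kernel-mode authentication on and add useAppPoolCredentials.
Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter $filter -Name useKernelMode -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter $filter -Name useAppPoolCredentials -Value $true

# 4. Verify before restarting anything; stop if the values did not take.
Write-Host 'After:'
foreach ($n in $names) { Write-Host ("  {0} = {1}" -f $n, (Get-WinAuthSetting $n)) }
if (-not ((Get-WinAuthSetting 'useKernelMode') -and
          (Get-WinAuthSetting 'useAppPoolCredentials'))) {
    throw "Settings were not applied; restore with Restore-WebConfiguration -Name $backupName"
}

# 5. Reset IIS so the change takes effect (step 3 of Option 1).
iisreset
```

With useAppPoolCredentials set, IIS decrypts Kerberos tickets with the application pool identity rather than the machine account, so if that identity is a domain account the HTTP service principal name must be registered to it.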

 

Option 2.

1. Re-enable kernel-mode authentication using the same process as above.

2. Disable Pre-Authentication Headers with Internet Explorer and Internet Information Services. Add the following registry value at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\. See http://support.microsoft.com/kb/2749007.


Value Name: DisableNTLMPreAuth
Data Type: REG_DWORD
Value: 1
 

3. Stop and restart IIS and the Altiris Services.

Option 3.

1. Re-enable kernel-mode authentication using the same process as above.

2. Open IIS Manager

3. Click on Application Pools

4. Highlight Classic .NET AppPool and click on Advanced Settings

5. Under Process Model, click on Identity

6. Normally this is set to ApplicationPoolIdentity. Click on the three periods (...) and change the account to use the application identity.

7. Restart IIS and the Altiris services.

See also KB TECH179382



 


Applies To

ITMS 7.1 SP2

ITMS 7.1 SP2 MP1