I have an ASP.NET MVC intranet site that uses Windows Authentication (Kerberos) exclusively with pass-through authentication. It is setup to use an app pool (v4/integrated) that uses the Network Service identity. The web site provides a pretty UI on top of a network share that is hosted on another machine (SAMBA NAS box). Occassionally (and usually when someone hasn’t accessed the site for a while), clients are getting a 401 authorization error at the point the MVC code is trying to get directory info (System.IO.Directory.GetLastWriteTime) on the remote UNC share. The event log on the IIS machine captures a security audit failure at this same point in time:
+ System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}
EventID 4625
Version 0
Level 0
Task 12544
Opcode 0
Keywords 0x8010000000000000
- TimeCreated
[ SystemTime] 2012-03-17T00:43:50.522Z
EventRecordID 398873
Correlation
- Execution
[ ProcessID] 696
[ ThreadID] 792
Channel Security
Computer lvtloweb1.acme.com
Security
- EventData
SubjectUserSid S-1-0-0
SubjectUserName -
SubjectDomainName -
SubjectLogonId 0x0
TargetUserSid S-1-0-0
TargetUserName
TargetDomainName
Status 0xc000006d
FailureReason %%2304
SubStatus 0xc0000133
LogonType 3
LogonProcessName Kerberos
AuthenticationPackageName Kerberos
WorkstationName -
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0x0
ProcessName -
IpAddress -
IpPort -
The weird thing is that if you sit and refresh the page over and over, it usually get’s past the 401 error in about a minute. Anybody got any ideas on how to troubleshoot such a problem? Oh yeah, the IIS machine is hosted in a VM. The guest OS is Windows Server 2008 Enterprise 6.0.6002 Service Pack 2.
Keith,
Being that it appears to happen most after the user has been idle, I’m leaning towards some kind event (i.e. a session timeout) that might invalidate the credentials for your server. I’m assuming one server since you didn’t mention any web farm.
A part of me thinks you’ve likely hammered the session timeout angle. Unless you felt safe trusting that the users would ‘auto authenticate’ and timing out mid operation wouldn’t cause it to fail. That said, I’m not sure I’d completely trust that is the case. To at least eliminate this possibility I would add a routine that logs information about the current session/credentials before that operation is started. Even though the user is “always logged in” assuming they are on their computer I’ve seen weird issues with VPNs, proxy servers, server double hops, IE configurations for ‘trusted zones’ and ‘intranet’ settings. Even a computer suddenly having its route to the server changed could cause issues. I’m not sure the network emulation on a VM would play a part, but who knows.
Here is a ‘starter’ article regarding IE and it’s complex approach to authentication and the role it plays as the client application accessing your Intranet MVC app. (It pays to dig deep on how IE auto-magically authenticates in a Windows AD environment.)
http://support.microsoft.com/kb/258063/en-us
Here is a related problem someone had due to a double-hop causing 401s. I’ve also included a link to another good ‘starter page’ on investigating these types of issues.
http://social.msdn.microsoft.com/Forums/en/sqlreportingservices/thread/6d1604e5-e739-41e4-89a5-c6681bff2e61
http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx
Sorry if anything above you already knew or for the general nature of my response. It’s tough without actually having network access or being able to add logging to your code. I hope I’ve pointed you in the right direction.