HTTP 401.1 error when using IP address...

[msnews.microsoft.com]

Our IT team relocated our application servers yesterday. They had to take
one machine out of the cluster because it would prompt users for credentials
if accessed using the IP address, which I guess is what happens when it is
accessed through the firewall. However, it works as expected when I use the
machine name in place of the IP address.

To summarize, the application servers were moved to a new hosting site and
one machine is behaving badly. Here are the scenarios:

If I access www.myfqdn.com from the internet and I happen to hit the server
that is misbehaving, I am presented with a windows logon prompt.

If I access http://machinename/myapp/mypage.aspx, then it works as expected.

If I access http://machineip/myapp/mypage.aspx, then I am presented with a
windows logon prompt.
Any clues or suggestions of where to ask this question would be greatly
appreciated.

Of course, cancelling the windows logon prompt results in the 401.1 error.

Carl

 

[Bob Barrows [MVP]]

Our IT team relocated our application servers yesterday. They had to
take one machine out of the cluster because it would prompt users for
credentials if accessed using the IP address, which I guess is what
happens when it is accessed through the firewall. However, it works
as expected when I use the machine name in place of the IP address.

To summarize, the application servers were moved to a new hosting
site and one machine is behaving badly. Here are the scenarios:

If I access www.myfqdn.com from the internet and I happen to hit the
server that is misbehaving, I am presented with a windows logon
prompt.

If I access http://machinename/myapp/mypage.aspx, then it works as
expected.

If I access http://machineip/myapp/mypage.aspx, then I am presented
with a windows logon prompt.
Any clues or suggestions of where to ask this question would be
greatly appreciated.

Of course, cancelling the windows logon prompt results in the 401.1
error.

You'll probably get more help for this in the iis group. Given that you
are talking about .aspx pages, this group which is a classic ASP group,
is not relevant.

 

[Anthony Jones]

Our IT team relocated our application servers yesterday. They had to take
one machine out of the cluster because it would prompt users for credentials
if accessed using the IP address, which I guess is what happens when it is
accessed through the firewall. However, it works as expected when I use the
machine name in place of the IP address.

To summarize, the application servers were moved to a new hosting site and
one machine is behaving badly. Here are the scenarios:

If I access www.myfqdn.com from the internet and I happen to hit the server
that is misbehaving, I am presented with a windows logon prompt.

If I access http://machinename/myapp/mypage.aspx, then it works as expected.

If I access http://machineip/myapp/mypage.aspx, then I am presented with a
windows logon prompt.
Any clues or suggestions of where to ask this question would be greatly
appreciated.

Of course, cancelling the windows logon prompt results in the 401.1 error.

When using:-

http://machinename/myapp/mypage.aspx

You'll notice that the zone applied is Local Intranet. Which be default
will attempt to authorize using the current users credentials.

In the other cases the zone will be internet, which doesn't do this.

Add www.myfqdn.com to the list of domains recognised as local intranet (do
this via internet options in IE).

You can do the same for the IP but I would recommend that you simple don't
access the site using an IP anyway.

 

[msnews.microsoft.com]

Our IT team relocated our application servers yesterday. They had to take
one machine out of the cluster because it would prompt users for
credentials if accessed using the IP address, which I guess is what
happens when it is accessed through the firewall. However, it works as
expected when I use the machine name in place of the IP address.

To summarize, the application servers were moved to a new hosting site and
one machine is behaving badly. Here are the scenarios:

If I access www.myfqdn.com from the internet and I happen to hit the
server that is misbehaving, I am presented with a windows logon prompt.

If I access http://machinename/myapp/mypage.aspx, then it works as
expected.

If I access http://machineip/myapp/mypage.aspx, then I am presented with a
windows logon prompt.
Any clues or suggestions of where to ask this question would be greatly
appreciated.

Of course, cancelling the windows logon prompt results in the 401.1 error.

Carl

Thank you both for your responses. I will check the IIS group.

Carl

 

[Chris Alton [MSFT]]

If you put in your credentials at the prompt does it work or does it just
fail 3 times and you get the 401?

If it works then you just need to modify your IE settings so it
automatically logs on to sites that are not in the "intranet" zone. If the
web site is in another zone Internet, Trusted Sites etc then it will pop up
the login prompt everytime. (Why it does that with trusted sites I'm not
sure).

To change this follow these steps:
1. open up IE go to Tools->Internet Options->Security Tab
2. Select the zone that the web site/server is showing up in (or add it to
trusted sites first so you only modify that zone since doing this on the
Internet zone can be a security risk)
3. Click "Custom Level"
4. Go to the very last item in the list "User Authentication->Logon"
5. Click the "Automatic logon with current user name and password".
6. Click OK

That should get it working for you.

If it doesn't work let me know and I'll see what I can figure out for you.

 

[Vagabond Software]

Thanks Chris.

This is actually a publicly available website, such as microsoft.com. There
should be no authentication for anonymous users. We have three application
servers in the cluster. Two are working fine and the third is presenting
this logon prompt. Anthony Jones was correct in that accessing the machine
by name would use the "Local Intranet" zone to pass domain credentials to
the box.

Again, this is not an Intranet site. We are talking about a public Internet
website here. Any suggestions would be greatly appreciated.

I've also just found out that the machine was renamed during the move! It
was a subtle change. A dash ("-") was removed from the machine name. The
application servers were and remain joined to the domain.

Regards,

Carl

 

[Anthony Jones]

Thanks Chris.

This is actually a publicly available website, such as microsoft.com. There
should be no authentication for anonymous users. We have three application
servers in the cluster. Two are working fine and the third is presenting
this logon prompt. Anthony Jones was correct in that accessing the machine
by name would use the "Local Intranet" zone to pass domain credentials to
the box.

Again, this is not an Intranet site. We are talking about a public Internet
website here. Any suggestions would be greatly appreciated.

I've also just found out that the machine was renamed during the move! It
was a subtle change. A dash ("-") was removed from the machine name. The
application servers were and remain joined to the domain.

Your IUSR_<machinename> account needs to have access to the files you wish
to serve. In the process of the move this has been damaged. Perhaps someone
has attempted to rename this user account.

 

[Vagabond Software]

Thanks Anthony. That was exactly the problem. Everything appears to be
working now.

Thanks all for your help.

Regards,

Carl

 

[Chris Alton [MSFT]]

The main reason I believed it was an Authentication issue was the 401.1
usually file based issues like your issue with the IUSR_Machine account
spit out a 401.3 error not a 401.1.

401.3 is access denied due to ACL on resource whereas 401.1 is logon failed.

Glad we did get it sorted out though and good luck.