Hi,
I've got a very strange issue.
I installed Certificate Authority Web Enrollment on 2 Windows Server 2016 STD editions.
I configured it in IIS so that it uses https://pki.customer.com
In DNS I created a CNAME and pointed it at each server in turn to test. (We'll load-balance this with an F5 later, so I'll change it to the VIP address once tests against both servers are OK.)
From most internal servers I can connect to https://pki.customer.com/certsrv/Default.asp without issues (I added it to Local intranet sites to prevent credential prompts).
On some, however, I get prompted for credentials 3 times and then get:
HTTP Error 401.1 - Unauthorized
You do not have permission to view this directory or page using the credentials that you supplied.
Most likely causes:
- The username supplied to IIS is invalid.
- The password supplied to IIS was not typed correctly.
- Incorrect credentials were cached by the browser.
- IIS could not verify the identity of the username and password provided.
- The resource is configured for Anonymous authentication, but the configured anonymous account either has an invalid password or was disabled.
- The server is configured to deny login privileges to the authenticating user or the group in which the user is a member.
- Invalid Kerberos configuration may be the cause if all of the following are true:
  - Integrated authentication was used.
  - The application pool identity is a custom account.
  - The server is a member of a domain.
Detailed Error Information:
Module: WindowsAuthenticationModule
Notification: AuthenticateRequest
Handler: ASPClassic
Error Code: 0xc000006d
Requested URL: https://pki.customer.com:443/certsrv/Default.asp
Physical Path: C:\WINDOWS\system32\CertSrv\en-US\Default.asp
Logon Method: Not yet determined
Logon User: Not yet determined
Request Tracing Directory: C:\inetpub\logs\FailedReqLogFiles
I can also simulate the following:
- If I point pki.customer.com to SRV1 I get the 401.1 when I connect to the site from SRV1.
- If I point pki.customer.com to SRV2 I get the 401.1 when I connect to the site from SRV2.
I already put NTLM before Negotiate in the authentication settings, as I read somewhere this might have been the issue.
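Editor's note with an added example; this is not the original poster's code or configuration. The pattern in the post (the page works from other hosts, but fails with 401.1 and status 0xc000006d exactly when SRV1 or SRV2 browses pki.customer.com on itself, with NTLM forced ahead of Negotiate) is the signature of Windows' loopback check, which rejects a local NTLM logon to any name that is not the machine's own name. That diagnosis is an assumption, as are the host name and registry paths used here (they are the standard locations for that check; the CNAME is the one from the post). Run it in an elevated PowerShell on each web-enrollment server.

```powershell
# Added example (editor's, not the original poster's). Assumes the 401.1 / 0xc000006d
# seen only when a server browses https://pki.customer.com on itself is the loopback
# check rejecting a local NTLM logon to a non-machine name. Run elevated on each server.

$HostName = 'pki.customer.com'                               # CNAME from the post
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key  = "$LsaKey\MSV1_0"

function Get-LoopbackState {
    # Report what the machine currently allows for loopback logons to non-machine names.
    $d = Get-ItemProperty -Path $LsaKey  -Name DisableLoopbackCheck    -ErrorAction SilentlyContinue
    $b = Get-ItemProperty -Path $Msv1Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DisableLoopbackCheck    = [bool]($d.DisableLoopbackCheck -eq 1)
        BackConnectionHostNames = @($b.BackConnectionHostNames | Where-Object { $_ })
    }
}

function Add-BackConnectionHostName {
    param([Parameter(Mandatory)][string]$Name)
    # Allow-list one name for local NTLM logons. Preferred over DisableLoopbackCheck=1,
    # which switches the check off for every name and so drops its reflection protection.
    if (-not (Test-Path $Msv1Key)) { New-Item -Path $Msv1Key -Force | Out-Null }
    $current = (Get-LoopbackState).BackConnectionHostNames
    if ($current -contains $Name) { return $current }          # idempotent re-run
    $updated = @($current) + $Name
    New-ItemProperty -Path $Msv1Key -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $updated -Force | Out-Null
    return $updated
}

function Test-CertSrv {
    param([string]$Name = $HostName)
    # Request the page with the current user's Windows credentials; return the HTTP status.
    $uri = "https://$Name/certsrv/Default.asp"
    try {
        $r = Invoke-WebRequest -Uri $uri -UseDefaultCredentials -UseBasicParsing
        return [int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }  # e.g. 401
        throw
    }
}

# --- run ---
'Before:'; Get-LoopbackState | Format-List
"Status before: $(Test-CertSrv)"

Add-BackConnectionHostName -Name $HostName | Out-Null
iisreset | Out-Null        # restart IIS so the change takes effect

'After:'; Get-LoopbackState | Format-List
"Status after:  $(Test-CertSrv)"

# Kerberos side: Negotiate only picks Kerberos if HTTP/<name> is registered on the account
# the CertSrv application pool runs as. One SPN can live on only one account, so two
# servers answering for the same name behind the F5 will need a shared service account.
setspn -Q "HTTP/$HostName"
```

Two things to check alongside this. On the affected server, the Security log should show an Event ID 4625 whose Status is 0xC000006D at the moment of the failure; that is the same value IIS reports as its Error Code above and is what distinguishes this from a wrong password or a disabled account. And the fix only affects logons from the server to itself, so the behaviour from other internal clients, which already works in the post, does not change. If you later let Negotiate fall back to Kerberos instead of forcing NTLM, the SPN point in the last comment becomes the next thing to get right for the load-balanced name.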