Share via


Repeated login dialogs ending with a 401 when using Basic Authentication in IIS.

You have chosen to use Basic Authentication on your web application.

You know that you have the correct username and password but still you (and/or your users) keeps getting the login window and after a few attempts to insert your credentials you will get the:

 

401 - Unauthorized: Access is denied due to invalid credentials.

You do not have permission to view this directory or page using the credentials that you supplied.

 

One common reason for this is that (by mistake or intentionally) the Basic Authentication has the “defaultLogonDomain” property set.

 

What happens when “defaultLogonDomain” is used and the user enters only their UserName is that IIS will prefix or add the domain name in “defaultLogonDomain” to the username.

If the user do not belong to that domain (a typical scenario is that the setup is that a user account is created on the IIS machine and as such do not belong to a domain, only to the machine) that user will naturally not be authorized to IIS.

This is explained and described here:

 

Configure Basic Authentication (IIS 7)

https://technet.microsoft.com/en-us/library/cc772009(v=WS.10).aspx

"Users who do not provide a domain when they log on to your site are authenticated against this domain."

 

Basic Authentication <basicAuthentication>

https://www.iis.net/configreference/system.webserver/security/authentication/basicauthentication

So, in short, if you create a user that is local to the IIS machine and you use this account with BasicAuthentication and have the “defaultLogonDomain” set, then that domain will be prefixed to the user name.

So the username will be DOMAIN\USERNAME rather than USERNAME only.

To demonstrate with an example.

Create a local user on the IIS machine. In this example: MyLocalUser

Create an application on IIS and set Basic Authentication only for that application.

 

...

<system.webServer>

            <security>

                <authentication>

                    <basicAuthentication enabled="true" />

...

 

Test the application, you should now be prompted for the username and password. This should work fine.

Now set the “defaultLogonDomain” to, for example, FakeDomain.

This can be done by selecting “Edit…” when Basic Authentication is selected in the Authentication section in IIS Manger or in the .config files.

It will look like this:

 

        <system.webServer>

            <security>

                <authentication>

                    <basicAuthentication enabled="true" realm="" defaultLogonDomain="FakeDomain" />

 

Try to login again using the username, MyLocalUser, only and you should get the 401. This is because we are now logging in as FakeDomain\MyLocalUser.

Try to login again using the machine name (or the domain the user belongs to) like so, <your machine name>\MyLocalUser, and you should get in.

 

In the IIS logs, you may have something like this for the failed login:

 

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

...

<date> <time> <serverip> GET <application>/Default.aspx - 80 MyLocalUser <clientip> <useragent> 401 1 1326 ...

...

 

We know that 401.1 = Logon failed ( https://support.microsoft.com/kb/943891/en-us ) and if checking the sc-win32-status (1326):

 

C:\Windows\system32>net helpmsg 1326

Logon failure: unknown user name or bad password.

 

So in summary.

If you are using Basic Authentication and “defaultLogonDomain” is set then the user has to be part of that domain if no domain name is used when logging in.

Or if the user is not part of the domain in the “defaultLogonDomain”, then the domain that the user belongs to needs to be prefixed (domain\username) when logging in.

 

Hope this helps.