Unexpected 401.1 error over Windows Integrated Authentication on IIS 7.5 website

Symptoms

You have an IIS 7.5 server hosted on Windows Server 2008 R2 or Windows 7, and when you browse to the site using Windows Integrated Authentication, the request fails with a 401.1 error like the one below:

Module: WindowsAuthenticationModule

Notification: AuthenticateRequest

Handler: StaticFile

Error Code: 0x80090305

[Adding the above details in text to allow it to be searched on the net]

Root cause

The issue happens in a special case wherein we have:

a. Kernel-mode authentication already enabled at the Server level and,

b. We go ahead and disable Kernel-mode authentication at the Web site level. 

This happens regardless of whether NTLM or Kerberos is used as the authentication protocol for the web request. You will see the above error code 0x80090305 in the error page.

This happens because we just changed authentication from kernel mode to user mode for the website. User mode does not have the authentication package initialized for the website, and http.sys will send a pre-auth request, thinking the site still needs kernel-mode authentication. Restarting IIS ensures the authentication package is initialized correctly in user mode for the website, and http.sys should not send pre-auth requests anymore. In other words, http.sys would no longer do authentication for the website.

Resolution

To resolve this issue, we need to restart the W3SVC service from the command prompt as follows:

> net stop w3svc

> net start w3svc

Or simply run IISRESET.

*Remember that recycling the application pool won’t resolve the issue. It’s the WWW service that has to be restarted.
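To find the sites that match the configuration described under Root cause, the following script (an added example, not part of the original post) compares the server-level and site-level `useKernelMode` values for Windows authentication and optionally restarts W3SVC. It assumes an elevated PowerShell session with the WebAdministration module available; the `-RestartW3svc` switch and the `Get-WinAuthSetting` helper are names made up for this example.

```powershell
# Added example: list sites where kernel-mode authentication is enabled at the
# server level but disabled at the site level (the combination described above).
# Assumes an elevated session and the WebAdministration module.
param([switch]$RestartW3svc)   # hypothetical switch name for this example

Import-Module WebAdministration

$filter = 'system.webServer/security/authentication/windowsAuthentication'
$root   = 'MACHINE/WEBROOT/APPHOST'

# Hypothetical helper: read one attribute of the windowsAuthentication section,
# either at server level (no location) or as it applies to one site.
function Get-WinAuthSetting([string]$Location, [string]$Name) {
    $p = @{ PSPath = $root; Filter = $filter; Name = $Name }
    if ($Location) { $p.Location = $Location }
    (Get-WebConfigurationProperty @p).Value
}

$serverKernelMode = Get-WinAuthSetting -Name 'useKernelMode'

$affected = foreach ($site in Get-ChildItem IIS:\Sites) {
    $enabled = Get-WinAuthSetting -Location $site.Name -Name 'enabled'
    $kernel  = Get-WinAuthSetting -Location $site.Name -Name 'useKernelMode'
    if ($enabled -and $serverKernelMode -and -not $kernel) {
        New-Object PSObject -Property @{
            Site             = $site.Name
            ServerKernelMode = $serverKernelMode
            SiteKernelMode   = $kernel
        }
    }
}

if (-not $affected) {
    Write-Host 'No site disables kernel-mode authentication below a server-level setting that enables it.'
    return
}

$affected | Format-Table Site, ServerKernelMode, SiteKernelMode -AutoSize

# The configuration alone does not show whether W3SVC has been restarted since
# the change, so the restart is left as an explicit choice.
if ($RestartW3svc) {
    Restart-Service -Name W3SVC
} else {
    Write-Host 'If these sites return 401.1 with 0x80090305, rerun with -RestartW3svc.'
}
```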

*Credit for the findings goes to Puneet Gupta