-
제목
HOW TO: Troubleshoot Authentication issues in the Active Roles Web Interface -
설명
Various issues may occur when attempting to authenticate in the Active Roles Web Interface. These issues include but are not limited to:
- The Web Interface does not accept any valid credentials (keeps prompting for credentials)
- The Web Interface accepts credentials when accessing the site from the Web Interface host via localhost but not via another valid URL or alias
- The Web Interface accepts credentials via one valid URL or alias but not via another valid URL or alias
-
원인
Authentication is a process that occurs between a client machine, the IIS Server installed on the Active Roles Web Interface host, and an Active Directory Domain Controller. Active Roles receives the end result of the authentication process: authentication happens outside of Active Roles and Active Roles logging will not capture any authentication-related issues.
Some basic troubleshooting steps are possible, but complicated authentication-related issues may require a Microsoft engagement in order to be resolved.
-
해결 방안
Windows Authentication is the default authentication type configured on the Active Roles sites in IIS. As a troubleshooting step, it is recommended to disable Windows Authentication and enable Basic Authentication as this is a simpler method with fewer failure points.
- Open the Internet Information Services (IIS) Manager on the Active Roles Web Interface host
- Expand the Server Name | Sites | Default Web Site and find the problem Active Roles Web Interface site
- Open the Authentication feature
- Set Windows Authentication to Disabled and Basic Authentication to Enabled.
NOTE: Active Roles Web Interface sites have ASP.NET Impersonation set to Enabled and configured to pass Authenticated User by default. This setting is required and should not be changed.
- In an elevated command prompt, run IISRESET
- Test authentication again in the Active Roles Web Interface.
NOTE: Basic Authentication requires that a username be entered in the format domain\username
NOTE: Basic Authentication over non-SSL traffic is not secure and should not be used in a production environment.
If Basic Authentication also does not function as expected using any a valid URL or alias, this suggests that there is a username or password error. Log out of Windows and log back into Windows to confirm that the password is valid and not expired.
If Basic Authentication works while Windows Authentication does not under the same conditions, this confirms that the issue lies in the Kerberos configuration and not in the communication between the client, server, and Domain Controller.
Proceed with troubleshooting by enabling Kerberos logging on the client, IIS host, and Active Roles Administration Service host.
For assistance with interpreting Kerberos logging, please engage Microsoft for assistance.