401 - Unauthorized access error


Bharathy Mohan

Feb 17, 2012, 5:53:21 PM
to us...@shibboleth.net

Hi,

I recently installed the latest SP 2.4.3 win 64 on a sandbox and the testing went well. However, when we implemented the same on a stage Windows 2008 (IIS 7.5) server, some users are facing the below error and I don’t see anything logged in the log file. This happens after they log on to the IdP and when the IdP posts the information. In some cases this happens even before showing the IdP. The below URL was displayed in IE when this error was displayed. Please advise.

 

URL 1:

https://ucastage82.sumtotalsystems.com/Shibboleth.sso/Login?SAMLDS=1&target=ss%3Amem%3A9cd0b3fc3525c440b2d6106e4235b1c6ba9ad870&entityID=urn%3Amace%3Aincommon%3Aucop.edu

 

URL 2:

https://ucastage82.sumtotalsystems.com/Shibboleth.sso/SAML/POST

 

Error displayed in IE:

Server error:

401 - Unauthorized: Access is denied due to invalid credentials.

You do not have permission to view this directory or page using the credentials that you supplied.

 

Thanks,

Bharathy Mohan.

This message and any attachments thereto contain information that may be privileged, confidential or otherwise protected from disclosure and is the property of SumTotal Systems, Inc.  It is intended only for the person to whom it is addressed.  If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message, any attachments thereto or any part thereof.  If you receive this message in error, please notify me at Bhar...@sumtotalsystems.com and delete all copies of this message and attachments.   SumTotal Systems, Inc. has implemented anti-virus software on its computers and servers, however, it is the recipient's own responsibility to ensure that all attachments are scanned for viruses prior to usage.

Cantor, Scott

Feb 17, 2012, 6:46:51 PM
to us...@shibboleth.net
On 2/17/12 5:53 PM, "Bharathy Mohan" <Bhar...@sumtotalsystems.com> wrote:
>I recently installed latest SP 2.4.3 win 64 on a sandbox and the testing
>went well. However when we implemented the same on a stage Windows 2008
>(IIS 7.5) server some users are facing the below error and I don't see
>anything logged in the
> log file.

There are multiple log files, but I would expect nothing to be in the log
because that's IIS rejecting the request, not the SP.

> This happens after they logon to the Idp and when Idp post the
>information. In some cases this happens even before showing the Idp. The
>below URL was displayed in the IE when this error was displayed. Please
>advise.

A 401 from IIS on the handler location like that is not coming from the
SP, as there is no authorization from within the SP on those requests.
Therefore, your IIS server is the issue, and it has to be fixed to correct
the problem. There is some kind of permission issue that apparently is
causing the problem. There's not really anything else to say about it,
it's an IIS question. There are lots of security settings in IIS for
controlling access by means of Windows security and such, and something
like that is probably involved.

The handler locations are virtual, so there's no file to fix or directory
to check, it's a server-space setting of some kind involving that URL tree.

-- Scott


Cantor, Scott

Feb 17, 2012, 6:54:21 PM
to us...@shibboleth.net
>The handler locations are virtual, so there's no file to fix or directory
>to check, it's a server-space setting of some kind involving that URL
>tree.

The other thought would be the ISAPI extension permissions. Could be
that's being blocked, but that should be all or nothing. There is no
explanation for it picking some requests to let through and not others,
unless it's a true permissions matter where some clients are accessing it
with Windows credentials that it lets through and not others.

Bharathy Mohan

Feb 17, 2012, 8:46:41 PM
to Shib Users
Thanks a lot, Scott. After a bit of troubleshooting we have identified and fixed the issue with one of the web farm servers missing anonymous access. Would like to include the fix here for future reference.

This issue was caused by "anonymous authentication" not being set to the application pool user option in IIS. (Open IIS > Select authentication > Click open feature > click on "anonymous authentication" and click edit > click the radio button for "application pool identity" > click ok).

Thanks,
BHARATHY MOHAN MUTHUKUTTY RENGASWAMY
Principle Consultant
SumTotal Systems, Inc.
Phone: (425) 939 6961
Mobile: (425) 444 9947
www.sumtotalsystems.com


Cantor, Scott

Feb 17, 2012, 9:09:25 PM
to Shib Users
> Thanks a lot Scott. After bit of trouble shooting we have identified and fixed
> the issue with one of the web farm servers missing anonymous access.
> Would like to include the fix here for future reference.

Thank you for following up, it helps a lot.
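
The root cause reported in this thread was one web farm node whose anonymous authentication setting differed from the others. As an added example that is not part of the original posts, this PowerShell audit reads that setting on every node and flags the ones that would make IIS answer 401 before the SP handler runs. The server names, the site name `Default Web Site`, and working PowerShell remoting to each node are assumptions.

```powershell
# Added example: audit IIS anonymous authentication across web farm nodes.
# Server names and site name are placeholders, not values from the thread.
$servers = @('WEB01', 'WEB02', 'WEB03')
$site    = 'Default Web Site'
$filter  = '/system.webServer/security/authentication/anonymousAuthentication'

$report = Invoke-Command -ComputerName $servers -ArgumentList $site, $filter -ScriptBlock {
    param($site, $filter)
    Import-Module WebAdministration

    # Effective configuration at the site level, including inherited values.
    $section = Get-WebConfiguration -Filter $filter -PSPath "IIS:\Sites\$site"

    New-Object PSObject -Property @{
        Server   = $env:COMPUTERNAME
        Enabled  = [bool]$section.enabled
        # An empty userName means IIS runs anonymous requests as the
        # application pool identity.
        UserName = [string]$section.userName
    }
}

# A node is out of line with the fix from the thread when anonymous
# authentication is disabled or is bound to a specific account instead
# of the application pool identity.
$drift = $report | Where-Object { -not $_.Enabled -or $_.UserName -ne '' }

$report | Sort-Object Server | Format-Table Server, Enabled, UserName -AutoSize

if ($drift) {
    Write-Warning ("Nodes needing review: " + (($drift | ForEach-Object { $_.Server }) -join ', '))
    # Remediation on an affected node, equivalent to choosing
    # "Application pool identity" in IIS Manager (run locally, elevated):
    #   Set-WebConfigurationProperty -Filter $filter -PSPath 'IIS:\' `
    #       -Location $site -Name enabled -Value $true
    #   Set-WebConfigurationProperty -Filter $filter -PSPath 'IIS:\' `
    #       -Location $site -Name userName -Value ''
} else {
    Write-Output 'All nodes use anonymous authentication with the application pool identity.'
}
```

Running the audit after every farm change catches the intermittent pattern described above, where only requests routed to the misconfigured node fail.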
