
IIS Anonymous Authentication with Windows Authentication - Second request not being made

Hello and good morning all,

I am currently troubleshooting an issue in a test environment that I am having trouble analyzing where the problem is.

On Windows Server 2016 using IIS v10, I have this strange problem with one user's service account that I cannot reproduce with mine or anyone else's.

We all remote into the same Virtual Machine with a VPN client, using our active directory service accounts. So all of the requests are happening from within the same context environment.

The WebAPI Service being hit for "login" is also the same ingress for the service registry. The other services use Anonymous Authentication tied to their IIS Application Pool Identity users, but for everyone else we need to use Windows Authentication. This is why Windows Authentication and Anonymous Authentication are both enabled.

When the InterceptionAttribute processes the request, we have a little logic to calculate if the request is from an Anonymous source or not. If it is and under certain conditions/constraints, we 401 the request because we want the browser to use a different Authentication Scheme. When the browser "Internet Explorer v11" receives that 401, it will try again but this time use Windows Authentication and pass in the currently logged-in user's credentials, which we need for a valid Principal / Identity object for other things.

This is working correctly so far, except there is one user having trouble getting into the web application. In a debug session, I captured the requests coming in and as expected, the first request was Anonymous as that's the first form the browser will try and use. The next EXPECTED, but not happening, is a follow-up request from the 401 challenge where it then uses the Windows Authentication.

I have spent a considerable amount of time debugging this and would very much appreciate any help or insight as to what would prevent/stop/interrupt the browser from making that follow-up request.

Thanks again to everyone in advance for taking the time to read and respond to this thread.

Web.config sections:

<!-- from system.web -->
<identity impersonate="true" />
<authorization>
  <allow users="*" />
</authorization>
<roleManager enabled="true" />

<!-- from system.webServer -->
<validation validateIntegratedModeConfiguration="false" />
<directoryBrowse enabled="true" />
<security>
  <authentication>
    <windowsAuthentication enabled="true" useKernelMode="true">
      <providers>
        <clear />
        <add value="NTLM" />
        <add value="Negotiate" />
      </providers>
      <extendedProtection tokenChecking="Require" />
    </windowsAuthentication>
    <anonymousAuthentication enabled="true" userName="" />
  </authentication>
</security>

Just wanted to report back.

After further investigation it was in fact another internal server error swallowing the 500 from an incorrect service account trying to make a request.

So everything is configured correctly and working as intended!
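
An added example, not part of the original post: one way to check the two symptoms described in this thread from the IIS W3C log, by listing anonymous 401 challenges that were never followed by an authenticated request and listing any 5xx responses. The log lines, addresses, user name and the 5-second window are constructed assumptions; the field names are the standard IIS W3C ones.

```python
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (not taken from the original post).
SAMPLE_LOG = r"""#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus
2024-01-10 09:00:00 GET /api/login - 10.0.0.5 401 0
2024-01-10 09:00:01 GET /api/login CORP\alice 10.0.0.5 200 0
2024-01-10 09:02:10 GET /api/login - 10.0.0.5 401 0
2024-01-10 09:02:11 POST /api/registry - 10.0.0.9 500 0
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive as the schema."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"],
                                          "%Y-%m-%d %H:%M:%S")
            yield row

def analyze(text, window_seconds=5):
    """Return (anonymous 401s with no authenticated follow-up, 5xx responses)."""
    rows = list(parse_w3c(text))  # IIS writes entries in chronological order
    window = timedelta(seconds=window_seconds)
    unanswered, server_errors = [], []
    for i, r in enumerate(rows):
        if r["sc-status"].startswith("5"):
            server_errors.append(r)
        if r["sc-status"] == "401" and r["cs-username"] == "-":
            # An authenticated request from the same client to the same URL
            # shortly afterwards means the browser answered the challenge.
            answered = any(
                n["c-ip"] == r["c-ip"] and n["cs-uri-stem"] == r["cs-uri-stem"]
                and n["cs-username"] != "-" and n["ts"] - r["ts"] <= window
                for n in rows[i + 1:]
            )
            if not answered:
                unanswered.append(r)
    return unanswered, server_errors

if __name__ == "__main__":
    unanswered, errors = analyze(SAMPLE_LOG)
    for r in unanswered:
        print("no follow-up:", r["date"], r["time"], r["c-ip"], r["cs-uri-stem"])
    for r in errors:
        print("server error:", r["date"], r["time"], r["cs-uri-stem"], r["sc-status"])
```

When several users share one client address, as on the shared VM described above, `c-ip` alone does not separate them, so compare the flagged timestamps with the affected user's attempts.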
