Geeks With Blogs

Michael Stephenson keeping your feet on premise while your heads in the cloud


We were trying to implement a delegation scenario similar to the one in the POC (Web Services using Delegation).  While implementing this we came across a problem where the client's credentials did not seem to be passed through to the back end.  We constantly got an IIS 401 Unauthorized return code.




In this example we saw the following symptoms:


  1. In the IIS log of the back end service there would be no user name recorded for the request (the cs-username field was empty).
  2. Calling the back end service locally, on the machine where it sits, seemed to work, but calling it from another machine did not.
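The first symptom is easy to spot once you look at the log in the right way. The following script is an added example (not from the original post) that reads an IIS W3C log, works out the column order from the #Fields directive, and lists every request that arrived with no authenticated user, which is what an empty cs-username means. The log lines are constructed sample data, not a real server log, and the IP addresses and account name in them are placeholders.

```powershell
# Added example: find IIS log entries where no authenticated user was recorded.
# The log below is constructed sample data; the hosts and account are placeholders.
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip sc-status
2007-02-06 21:55:12 10.0.0.5 GET /backend/service.asmx - 10.0.0.7 401
2007-02-06 21:55:13 10.0.0.5 GET /backend/service.asmx - 10.0.0.7 401
2007-02-06 21:58:40 10.0.0.5 GET /backend/test.asp CONTOSO\svc-midtier 10.0.0.7 200
'@

function Get-UnauthenticatedRequests {
    param([string[]]$Lines)

    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # The #Fields directive names the columns in the order they appear,
            # so the parser does not depend on a fixed log format.
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { continue }   # no #Fields seen yet, cannot map columns

        $values = $line -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $row[$fields[$i]] = $values[$i]
        }

        # IIS writes "-" in cs-username when the request had no authenticated identity.
        if ($row['cs-username'] -eq '-') {
            [pscustomobject]@{
                Time   = "$($row['date']) $($row['time'])"
                Client = $row['c-ip']
                Uri    = $row['cs-uri-stem']
                Status = $row['sc-status']
            }
        }
    }
}

# Usage: on a real server replace the sample with Get-Content on the log file.
Get-UnauthenticatedRequests -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

If every call from the middle tier shows up here with status 401 while a call made on the back end box itself shows a user name, the ticket is not reaching the back end, and the fix is in the AD and IIS configuration rather than in the code.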


Troubleshooting Tips

I found that the easiest way to get this right was to first focus on getting the IIS and AD setup correct before involving your own code.  I placed a simple ASP page in the back end server's virtual directory and tried to browse to it from the other machine.  If that worked it would show that my credentials could be delegated from one machine to the other.



The problem was caused by not having this set up correctly in AD and IIS.  Basically I had the back end application pool running as the local Network Service account.  To get this working I took the following steps.


  1. Have a domain account which you plan to run the IIS application pool as.  This will need to be in groups such as IIS_WPG.
  2. Register the SPN for the HTTP service on the back end server against the domain account which will be running the back end application pool (e.g. SetSpn -a HTTP/<MachineName> <Service User>).
  3. In AD, set up delegation so that the service user running your middle tier application pool is allowed to delegate to the SPN you have just registered.
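The three steps above can be checked and applied from PowerShell. The following script is an added example and is not part of the original post; the server, pool and account names in it are placeholders. It assumes the ActiveDirectory module (RSAT) and the WebAdministration module are available on the back end server, and it uses the setspn -Q switch, which exists in the Windows Server 2008 and later versions of the tool. Step 3 is written as constrained delegation, which is what the "delegate to specified services only" option on the account's Delegation tab configures; that option stores the target SPNs in the msDS-AllowedToDelegateTo attribute.

```powershell
# Added example: verify and apply the IIS/AD settings needed for cross-machine delegation.
# All names below are placeholders, not values from the original post.
Import-Module ActiveDirectory
Import-Module WebAdministration

$backEndHost = 'backend01'        # placeholder: back end server name
$backEndUser = 'svc-backend'      # placeholder: domain account running the back end app pool
$midTierUser = 'svc-midtier'      # placeholder: domain account running the middle tier app pool
$backEndPool = 'BackEndAppPool'   # placeholder: IIS application pool name on the back end
$spn         = "HTTP/$backEndHost"

# Step 1: the back end pool must run as a domain account, not Network Service.
$processModel = (Get-ItemProperty "IIS:\AppPools\$backEndPool").processModel
if ($processModel.identityType -ne 'SpecificUser') {
    Write-Warning "Pool '$backEndPool' runs as $($processModel.identityType); cross-machine delegation needs a domain account."
} else {
    Write-Host "Pool '$backEndPool' runs as $($processModel.userName)"
}

# Step 2: the HTTP SPN must be held by the service account, not the machine object.
# setspn -Q reports which object (if any) currently holds the SPN, which also
# exposes the common mistake of it being registered on the computer account.
setspn -Q $spn
$registered = (Get-ADUser -Identity $backEndUser -Properties servicePrincipalName).servicePrincipalName
if ($registered -notcontains $spn) {
    # Same as the post's "SetSpn -a HTTP/<MachineName> <Service User>".
    setspn -A $spn $backEndUser
} else {
    Write-Host "$spn is already registered on $backEndUser"
}

# Step 3: allow the middle tier account to delegate to that SPN only.
$allowed = (Get-ADUser -Identity $midTierUser -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
if ($allowed -notcontains $spn) {
    Set-ADUser -Identity $midTierUser -Add @{ 'msDS-AllowedToDelegateTo' = $spn }
} else {
    Write-Host "$midTierUser may already delegate to $spn"
}
```

Clients that address the back end by its fully qualified name request a ticket for that name, so in practice the FQDN form of the SPN (HTTP/backend01.contoso.com, again a placeholder) is registered and allowed alongside the short one. Keeping delegation constrained to the one HTTP SPN, rather than ticking the "trust for delegation to any service" option, limits what the middle tier account can do with a user's ticket if it is ever compromised.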


The following diagram shows where these changes relate to the architecture:




Points To Note

The following are a couple of points to note in case they are not explained clearly enough above:


  • The Network Service account worked okay when calling on the same box, but when delegating across machines the back end service needs to run in an application pool that runs as a domain account.
  • When registering the SPN it is the HTTP service, and it should be registered against the domain account, not the machine object in AD.
Posted on Tuesday, February 6, 2007 10:07 PM .net 2 , Kerberos Adventures

Comments on this post: Kerberos Adventures - Problem: 401 Unauthorised - User equals null

# re: Kerberos Adventures - Problem: 401 Unauthorised - User equals null
Hi Michael,

Good afternoon. I would like to be in touch with you. I'm working hard during the last weeks trying to resolve an scenario like this, but using BizTalk Server as integration middleware (i.e. .NET client --> BizTalk Server --> Backend Web Service).

As you recommended here in this post, I developed a simple IIS WCF service that calls directly to the backend web service in order to test all the Kerberos Delegation stuffs (Active Directory, IIS Domain Account, etc.). It works fine!

Then, I tried using BizTalk as the Paolo Salvatori's article describes. I noticed that you post in his article some time ago and you mentioned that you make it works!

Do you remember if you need to configure something else beside what Paolo described?

Thanks in advance,
Diego Martínez

Left by Diego Martinez on Dec 21, 2011 8:42 AM

# re: Kerberos Adventures - Problem: 401 Unauthorised - User equals null
if the string was not a valid date then i wanted to return the min date value.
Left by DIPIKA on Dec 16, 2016 10:09 PM



Copyright © Michael Stephenson