Over the past days I have been involved in a critical issue related to a Dynamics AX 2009 WCF service that used windows authentication on a Windows server 2008 box (IIS 7.0).
When trying to browse the service I was prompted for login credentials, but even though proper credentials were provided, I was not correctly authenticated (and neither was any of the clients that was supposed to consume the service) and a new login prompth just showed up. Looking in the eventviewer, in the security section, I was able to identify that a login attempt using my user account has been made and that it actually succeeded.
The funny thing – that wasn’t funny at all, was that how could it be that the eventviewer stated, that the login attempt was successfull when IIS still kept prompting me for credentials???
It somehow seemed that login credentials wasn’t properly passed on to the WCF service…
Analyzing the server setup further showed that a distributed environment had been configured. This pointed me in the direction of some Kerberos settings that hadn’t been properly configured.
The solution turned out to be quite simpel – the only thing I had to do was to disable “enable kernel-mode authentication” – this is what i did:
- In the IIS manager right click the website or application where Windows Autentication has been configured
- In the “features view” double click “autentication”. You will see a list of autentication profiles and their corresponding status.
- Right click “windows autentication” and select “advanced settings”
- Disable “enable Kernel-mode authentication”
Be carefull… As the information box states, this should only be done when using a non custom identity. In my case, the problem related to a Dynamics AX WCF service. Such a service is always configured to use a domain account identity and therefore the “Kernel-mode” could be disabled.
For some reason unknown to me, the Kerberos ticket was not properly distributed to all involved servers – and due to that I was unable to logon to the WCF service. Disabling “Kernel-mode authentication” solved that problem and clients are now able to consume the service.
Today this woraround didn’t work – apparently I was facing a new problem and I had to have a colleague assist me. Fortunately he knows some tricks:-)
With reference to this article http://support.microsoft.com/kb/926642 (method 1) solved the problem – even though that my issue was on a server 2008 box – here’s a screendump:
For further references on troubleshooting and/or configuring kerberos, please check out this post: