The remote server returned an error: (401) Unauthorized.

Here is the scenario:

  • .NET Web Api running on an IIS Server (8.5 – although the problem was recreated on 7.5 too)
  • v4.0 Integrated Application Pool with a domain account identity.
  • Only Windows Authentication is enabled. No anonymous access is allowed.
  • Making requests to the Web Api works in the following configuration:
    • Using a different domain account to the one used by the Application Pool AND
    • From a different machine and using a browser or the Invoke-RestMethod PowerShell command
  • Making requests to the Web Api does not work in this configuration and results in a 401:Unauthorized error being displayed:
    • Using a different domain account from the same server OR
    • Using the same domain account to the one used by the Application Pool AND
    • From either the same or different machine, using a browser or the Invoke-RestMethod PowerShell command

The problem was that a Scheduled Job, created as a PowerShell script, was being run from the same server, and its Invoke-RestMethod call was generating the 401:Unauthorized error.

The solution was to set the relevant Service Principal Names (SPNs) for the IIS Server, but registering them against the server rather than against the specific domain user account. This included SPNs for the computer's NetBIOS name and the FQDN, as well as the host name of the Web Api.
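A sketch of that fix using the built-in `setspn`, `klist` and `Invoke-RestMethod` tools, added here as an example and not taken from the original post. Every server, account and host name and the request URL are hypothetical placeholders, and it assumes an account with rights to write SPNs in the domain.

```powershell
# Added example: all names below are hypothetical placeholders.
$ComputerAccount = 'WEBSRV01'                   # NetBIOS name of the IIS server
$Fqdn            = 'websrv01.corp.example.com'  # FQDN of the IIS server
$ApiHostName     = 'webapi.corp.example.com'    # host name clients use for the Web Api
$AppPoolAccount  = 'CORP\svc-webapi'            # Application Pool identity

# The three SPNs the post describes: NetBIOS name, FQDN and Web Api host name.
$spns = "HTTP/$ComputerAccount", "HTTP/$Fqdn", "HTTP/$ApiHostName"

# List what is registered today on both accounts before changing anything.
setspn -L $ComputerAccount
setspn -L $AppPoolAccount

foreach ($spn in $spns) {
    # -Q searches the domain for the SPN and shows which account holds it.
    # An SPN already held by the Application Pool account has to be removed
    # from it first (setspn -D), because an SPN may exist on one account only.
    setspn -Q $spn

    # -S adds the SPN to the computer account and refuses to create a duplicate.
    setspn -S $spn $ComputerAccount
}

# Domain-wide duplicate check; duplicate SPNs make Kerberos authentication fail.
setspn -X

# Re-test from the server itself, as the Scheduled Job does.
# Purge cached Kerberos tickets so the new SPNs are used for the next request.
klist purge
Invoke-RestMethod -Uri "http://$ApiHostName/api/values" -UseDefaultCredentials
```

Run the re-test under the same account the Scheduled Job uses, since `klist purge` only clears the ticket cache of the current logon session.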
