
HTTP Error 401.2 - Unauthorized

I'm getting the above error when attempting to access one of the Geneva Framework test sites - PassiveRedirectBasedClaimsAwareWebApp - using Windows Integrated authentication. I can access it successfully in a virtual machine environment that I've got set up, but attempting to run the same thing in a different environment is failing.

I've attempted to make everything the same - all the browser settings (such as user authentication) and all the authentication components installed (crucially Windows authentication) and checked that the correct modules are there.

I'm running Windows Server 2008 with Geneva Server Beta 2. I get successfully redirected to the FederationPassive login page, where I select that I want to use Windows authentication, and then when it attempts to get to the IntegratedSignin page I get the error. Full error information below:

Error Summary

HTTP Error 401.2 - Unauthorized

You are not authorized to view this page due to invalid authentication headers.

Detailed Error Information
Module IIS Web Core
Notification AuthenticateRequest
Handler PageHandlerFactory-Integrated
Error Code 0x80070005
Requested URL https://carad01.carillion.local:443/FederationPassive/auth/integrated/IntegratedSignIn.aspx?wa=wsignin1.0&wtrealm=https%3a%2f%2fcarad01.carillion.local%2fPassiveRedirectBasedClaimsAwareWebApp&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fPassiveRedirectBasedClaimsAwareWebApp%252fDefault.aspx&wct=2009-08-24T16%3a50%3a19Z
Physical Path C:\inetpub\IdentityServer\WSFederationPassive.Web\auth\integrated\IntegratedSignIn.aspx
Logon Method Not yet determined
Logon User Not yet determined
Most likely causes:
  • No authentication protocol (including anonymous) is selected in IIS.
  • Only integrated authentication is enabled, and a client browser was used that does not support integrated authentication.
  • Integrated authentication is enabled and the request was sent through a proxy that changed the authentication headers before they reach the Web server.
  • The Web server is not configured for anonymous access and a required authorization header was not received.
  • The "configuration/system.webServer/authorization" configuration section may be explicitly denying the user access.
Things you can try:
  • Verify the authentication setting for the resource and then try requesting the resource using that authentication method.
  • Verify that the client browser supports Integrated authentication.
  • Verify that the request is not going through a proxy when Integrated authentication is used.
  • Verify that the user is not explicitly denied access in the "configuration/system.webServer/authorization" configuration section.
  • Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click here.
Links and More Information

This error occurs when the WWW-Authenticate header sent to the Web server is not supported by the server configuration. Check the authentication method for the resource, and verify which authentication method the client used. The error occurs when the authentication methods are different. To determine which type of authentication the client is using, check the authentication settings for the client.

View more information »

Microsoft Knowledge Base Articles:

  • 907273
  • 253667
IbsBarclay
Most likely causes:
  • No authentication protocol (including anonymous) is selected in IIS.
  • Only integrated authentication is enabled, and a client browser was used that does not support integrated authentication.
  • Integrated authentication is enabled and the request was sent through a proxy that changed the authentication headers before they reach the Web server.
  • The Web server is not configured for anonymous access and a required authorization header was not received.
  • The "configuration/system.webServer/authorization" configuration section may be explicitly denying the user access.
Things you can try:
  • Verify the authentication setting for the resource and then try requesting the resource using that authentication method.
  • Verify that the client browser supports Integrated authentication.
  • Verify that the request is not going through a proxy when Integrated authentication is used.
  • Verify that the user is not explicitly denied access in the "configuration/system.webServer/authorization" configuration section.
  • Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click here.
Links and More Information

This error occurs when the WWW-Authenticate header sent to the Web server is not supported by the server configuration. Check the authentication method for the resource, and verify which authentication method the client used. The error occurs when the authentication methods are different. To determine which type of authentication the client is using, check the authentication settings for the client.

View more information »

Microsoft Knowledge Base Articles:

  • 907273
  • 253667

Did you try these things? If not, did the sources with additional info have any helpful clues?

If you tried these things, a trace file and/or event log messages would be helpful in diagnosing this. If you can check those and post them if you don't see anything, someone on here will probably be able to figure out the issue.


Regards,

Travis Spencer
http://travisspencer.com
Travis Spencer
I've already checked the authentication protocol in IIS. Tried it with just anonymous (which is as it is in the virtual machine where I got this working) and also with windows authentication.

How do I "check the authentication method for the resource" and "verify which authentication method the client used"?

Thanks,

Ibs
IbsBarclay

Also, I am currently struggling to enable logging in the FederationPassive site. I've got the following in the web config (basically just uncommented what was there plus supplied a path for the log file) and I've granted full access on c:\temp to Network Service. No log file is being produced.

<system.diagnostics>
  <sources>
    <!-- To enable tracing on a particular component, uncomment the desired section below. Then uncomment
         the shared listener named "xml" and the Microsoft.IdentityServer.SourceSwitch in the switches element.
    -->

    <!-- Federation passive related tracing -->
    <source name="Microsoft.IdentityServer.Shared.WSFederation" switchName="Microsoft.IdentityServer.SourceSwitch" switchType="System.Diagnostics.SourceSwitch" >
      <listeners>
        <add name="xml" />
      </listeners>
    </source>

  </sources>

  <!-- This is the shared listener for all of the tracing. All of the sources write to this listener.
       If you want a more fine-grained listener, one can be added to the listeners element in each source above, which
       can then output to different files if desired. After uncommenting this, put the absolute path of the trace file
       ie c:\temp\TraceData.svclog. Be sure that the identity of the service can write to the file and directory -->
  <sharedListeners>
    <add name="xml" type="System.Diagnostics.XmlWriterTraceListener" initializeData="c:\temp\TraceData.svclog" />
  </sharedListeners>

  <switches>
    <!-- Uncomment this switch to use with your trace sources. You can add more and configure
         them per source by editing the value attribute. For each source above, there is a switchName
         attribute that links the source to a switch in this collection. You can use the same switch
         with every source, or you can create a different switch for source for more control if thats
         desired. -->
    <add name="Microsoft.IdentityServer.SourceSwitch" value="Information" />

  </switches>
  <trace autoflush="true" ></trace>
</system.diagnostics>

IbsBarclay
The IIS log from the machine where things work looks like this:

2009-08-25 09:03:02 ::1 GET /PassiveRedirectBasedClaimsAwareWebApp/ - 443 - ::1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30618) 302 0 0 2231
2009-08-25 09:03:02 ::1 GET /FederationPassive wa=wsignin1.0&wtrealm=https%3a%2f%2flocalhost%2fPassiveRedirectBasedClaimsAwareWebApp&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fPassiveRedirectBasedClaimsAwareWebApp%252fdefault.aspx&wct=2009-08-25T09%3a03%3a02Z 443 - ::1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30618) 301 0 0 558
2009-08-25 09:03:06 ::1 GET /FederationPassive/ wa=wsignin1.0&wtrealm=https%3a%2f%2flocalhost%2fPassiveRedirectBasedClaimsAwareWebApp&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fPassiveRedirectBasedClaimsAwareWebApp%252fdefault.aspx&wct=2009-08-25T09%3a03%3a02Z 443 - ::1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30618) 200 0 0 3620
2009-08-25 09:03:06 ::1 GET /FederationPassive/MasterPages/StyleSheet.css - 443 - ::1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30618) 304 0 0 19
2009-08-25 09:03:11 ::1 POST /FederationPassive/SignIn.aspx wa=wsignin1.0&wtrealm=https%3a%2f%2flocalhost%2fPassiveRedirectBasedClaimsAwareWebApp&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fPassiveRedirectBasedClaimsAwareWebApp%252fdefault.aspx&wct=2009-08-25T09%3a03%3a02Z 443 - ::1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30618) 302 0 0 61
2009-08-25 09:03:11 ::1 GET /FederationPassive/auth/integrated/IntegratedSignIn.aspx wa=wsignin1.0&wtrealm=https%3a%2f%2flocalhost%2fPassiveRedirectBasedClaimsAwareWebApp&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fPassiveRedirectBasedClaimsAwareWebApp%252fdefault.aspx&wct=2009-08-25T09%3a03%3a02Z 443 - ::1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30618) 401 2 5 77
2009-08-25 09:03:11 ::1 GET /FederationPassive/auth/integrated/IntegratedSignIn.aspx wa=wsignin1.0&wtrealm=https%3a%2f%2flocalhost%2fPassiveRedirectBasedClaimsAwareWebApp&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fPassiveRedirectBasedClaimsAwareWebApp%252fdefault.aspx&wct=2009-08-25T09%3a03%3a02Z 443 LOCALAD\Administrator ::1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30618) 200 0 0 612
2009-08-25 09:03:12 127.0.0.1 POST /PassiveRedirectBasedClaimsAwareWebApp/ - 443 LOCALAD\Administrator 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30618) 302 0 0 236
2009-08-25 09:03:12 127.0.0.1 GET /PassiveRedirectBasedClaimsAwareWebApp/default.aspx - 443 LOCALAD\Administrator 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30618) 200 0 0 161


And for the machine where it isn't working it looks like this:

2009-08-25 10:45:05 fe80::5d0d:bd02:dfdb:d381%10 GET /PassiveRedirectBasedClaimsAwareWebApp/Default.aspx - 443 - fe80::5d0d:bd02:dfdb:d381%10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30618;+.NET+CLR+3.5.30729) 302 0 0 0
2009-08-25 10:45:05 fe80::5d0d:bd02:dfdb:d381%10 GET /FederationPassive wa=wsignin1.0&wtrealm=https%3a%2f%2fcarad01.carillion.local%2fPassiveRedirectBasedClaimsAwareWebApp&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fPassiveRedirectBasedClaimsAwareWebApp%252fDefault.aspx&wct=2009-08-25T10%3a45%3a05Z 443 - fe80::5d0d:bd02:dfdb:d381%10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30618;+.NET+CLR+3.5.30729) 301 0 0 0
2009-08-25 10:45:05 fe80::5d0d:bd02:dfdb:d381%10 GET /FederationPassive/ wa=wsignin1.0&wtrealm=https%3a%2f%2fcarad01.carillion.local%2fPassiveRedirectBasedClaimsAwareWebApp&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fPassiveRedirectBasedClaimsAwareWebApp%252fDefault.aspx&wct=2009-08-25T10%3a45%3a05Z 443 - fe80::5d0d:bd02:dfdb:d381%10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30618;+.NET+CLR+3.5.30729) 200 0 0 187
2009-08-25 10:45:05 fe80::5d0d:bd02:dfdb:d381%10 GET /FederationPassive/FederationPassiveJScript.js - 443 - fe80::5d0d:bd02:dfdb:d381%10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30618;+.NET+CLR+3.5.30729) 200 0 0 31
2009-08-25 10:45:05 fe80::5d0d:bd02:dfdb:d381%10 GET /FederationPassive/MasterPages/StyleSheet.css - 443 - fe80::5d0d:bd02:dfdb:d381%10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30618;+.NET+CLR+3.5.30729) 200 0 0 31
2009-08-25 10:45:05 fe80::5d0d:bd02:dfdb:d381%10 GET /FederationPassive/App_Themes/Default/header_background.png - 443 - fe80::5d0d:bd02:dfdb:d381%10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30618;+.NET+CLR+3.5.30729) 200 0 0 0
2009-08-25 10:45:05 fe80::5d0d:bd02:dfdb:d381%10 GET /FederationPassive/App_Themes/Default/logoncard.png - 443 - fe80::5d0d:bd02:dfdb:d381%10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30618;+.NET+CLR+3.5.30729) 200 0 0 31
2009-08-25 10:45:05 fe80::5d0d:bd02:dfdb:d381%10 GET /FederationPassive/App_Themes/Default/statusheader_background.png - 443 - fe80::5d0d:bd02:dfdb:d381%10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30618;+.NET+CLR+3.5.30729) 200 0 0 0
2009-08-25 10:45:08 fe80::5d0d:bd02:dfdb:d381%10 POST /FederationPassive/IPSelection.aspx wa=wsignin1.0&wtrealm=https%3a%2f%2fcarad01.carillion.local%2fPassiveRedirectBasedClaimsAwareWebApp&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fPassiveRedirectBasedClaimsAwareWebApp%252fDefault.aspx&wct=2009-08-25T10%3a45%3a05Z 443 - fe80::5d0d:bd02:dfdb:d381%10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30618;+.NET+CLR+3.5.30729) 200 0 0 0
2009-08-25 10:45:08 fe80::5d0d:bd02:dfdb:d381%10 GET /FederationPassive/MasterPages/StyleSheet.css - 443 - fe80::5d0d:bd02:dfdb:d381%10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30618;+.NET+CLR+3.5.30729) 200 0 0 0
2009-08-25 10:45:08 fe80::5d0d:bd02:dfdb:d381%10 GET /FederationPassive/FederationPassiveJScript.js - 443 - fe80::5d0d:bd02:dfdb:d381%10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30618;+.NET+CLR+3.5.30729) 200 0 0 0
2009-08-25 10:45:08 fe80::5d0d:bd02:dfdb:d381%10 GET /FederationPassive/App_Themes/Default/header_background.png - 443 - fe80::5d0d:bd02:dfdb:d381%10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30618;+.NET+CLR+3.5.30729) 200 0 0 0
2009-08-25 10:45:08 fe80::5d0d:bd02:dfdb:d381%10 GET /FederationPassive/App_Themes/Default/statusheader_background.png - 443 - fe80::5d0d:bd02:dfdb:d381%10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30618;+.NET+CLR+3.5.30729) 200 0 0 0
2009-08-25 10:45:08 fe80::5d0d:bd02:dfdb:d381%10 GET /FederationPassive/App_Themes/Default/logoncard.png - 443 - fe80::5d0d:bd02:dfdb:d381%10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30618;+.NET+CLR+3.5.30729) 200 0 0 31
2009-08-25 10:45:08 fe80::5d0d:bd02:dfdb:d381%10 POST /FederationPassive/IPSelection.aspx wa=wsignin1.0&wtrealm=https%3a%2f%2fcarad01.carillion.local%2fPassiveRedirectBasedClaimsAwareWebApp&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fPassiveRedirectBasedClaimsAwareWebApp%252fDefault.aspx&wct=2009-08-25T10%3a45%3a05Z 443 - fe80::5d0d:bd02:dfdb:d381%10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30618;+.NET+CLR+3.5.30729) 200 0 0 15
2009-08-25 10:45:08 fe80::5d0d:bd02:dfdb:d381%10 GET /FederationPassive/MasterPages/StyleSheet.css - 443 - fe80::5d0d:bd02:dfdb:d381%10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30618;+.NET+CLR+3.5.30729) 200 0 0 15
2009-08-25 10:45:08 fe80::5d0d:bd02:dfdb:d381%10 GET /FederationPassive/App_Themes/Default/header_background.png - 443 - fe80::5d0d:bd02:dfdb:d381%10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30618;+.NET+CLR+3.5.30729) 200 0 0 0
2009-08-25 10:45:10 fe80::5d0d:bd02:dfdb:d381%10 POST /FederationPassive/SignIn.aspx wa=wsignin1.0&wtrealm=https%3a%2f%2fcarad01.carillion.local%2fPassiveRedirectBasedClaimsAwareWebApp&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fPassiveRedirectBasedClaimsAwareWebApp%252fDefault.aspx&wct=2009-08-25T10%3a45%3a05Z 443 - fe80::5d0d:bd02:dfdb:d381%10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30618;+.NET+CLR+3.5.30729) 302 0 0 0
2009-08-25 10:45:10 fe80::5d0d:bd02:dfdb:d381%10 GET /FederationPassive/auth/integrated/IntegratedSignIn.aspx wa=wsignin1.0&wtrealm=https%3a%2f%2fcarad01.carillion.local%2fPassiveRedirectBasedClaimsAwareWebApp&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fPassiveRedirectBasedClaimsAwareWebApp%252fDefault.aspx&wct=2009-08-25T10%3a45%3a05Z 443 - fe80::5d0d:bd02:dfdb:d381%10 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30618;+.NET+CLR+3.5.30729) 401 2 5 0
IbsBarclay
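
Added example, not part of the thread: a Python check over IIS W3C log lines like the two excerpts above. It flags a 401.2 that is never followed by an authenticated request for the same URL from the same client, which is the visible difference between the working and the failing log. The column order and the shortened sample lines are assumptions constructed from the quoted excerpts.

```python
from collections import namedtuple

# Assumed column order: the thread shows no "#Fields:" header, so this is
# inferred from the 14 space-separated columns of the quoted log lines.
Entry = namedtuple("Entry", "date time s_ip method uri_stem uri_query s_port "
                   "username c_ip user_agent status substatus win32 time_taken")

# Constructed samples: shortened forms of the lines quoted in the thread
# (query string and user agent abbreviated, client address simplified).
WORKING = r"""
2009-08-25 09:03:11 ::1 POST /FederationPassive/SignIn.aspx wa=wsignin1.0 443 - ::1 MSIE+7.0 302 0 0 61
2009-08-25 09:03:11 ::1 GET /FederationPassive/auth/integrated/IntegratedSignIn.aspx wa=wsignin1.0 443 - ::1 MSIE+7.0 401 2 5 77
2009-08-25 09:03:11 ::1 GET /FederationPassive/auth/integrated/IntegratedSignIn.aspx wa=wsignin1.0 443 LOCALAD\Administrator ::1 MSIE+7.0 200 0 0 612
"""

FAILING = r"""
2009-08-25 10:45:10 fe80::1%10 POST /FederationPassive/SignIn.aspx wa=wsignin1.0 443 - fe80::1%10 MSIE+7.0 302 0 0 0
2009-08-25 10:45:10 fe80::1%10 GET /FederationPassive/auth/integrated/IntegratedSignIn.aspx wa=wsignin1.0 443 - fe80::1%10 MSIE+7.0 401 2 5 0
"""


def parse(log_text):
    """Turn W3C log text into Entry tuples, skipping headers and odd lines."""
    entries = []
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != 14:
            continue
        entries.append(Entry(*parts))
    return entries


def unanswered_challenges(entries):
    """Return 401.2 entries with no later authenticated hit on the same URL.

    A later request counts as the answer when it comes from the same client
    address, targets the same path, carries a user name and is not a 401.
    """
    findings = []
    for i, e in enumerate(entries):
        if (e.status, e.substatus) != ("401", "2"):
            continue
        answered = any(
            later.c_ip == e.c_ip
            and later.uri_stem.lower() == e.uri_stem.lower()
            and later.username != "-"
            and later.status != "401"
            for later in entries[i + 1:]
        )
        if not answered:
            findings.append(e)
    return findings


if __name__ == "__main__":
    for name, text in (("working", WORKING), ("failing", FAILING)):
        for e in unanswered_challenges(parse(text)):
            print(name, e.time, e.uri_stem, e.status + "." + e.substatus)
```

To run it on a full log, pass the file contents to parse(); lines that do not have 14 columns, including the # header lines, are skipped.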
