
AEM Dispatcher on IIS 10 with Windows Authentication NTLM - authentication problem


Hello Everyone,
I have a strange problem with AEM Dispatcher running on Windows Server 2019 on IIS 10 with Windows Authentication turned on.

When AEM Dispatcher is configured to cache static files, the website can be accessed using Chrome, IE and Edge from Windows. It doesn't work using Firefox: Windows Authentication keeps asking for credentials and loads only start.html without static files. IIS gives response code 401.2 for static files stored on the server's disk. Additionally, it doesn't work using any web browser from Linux / macOS.

When Dispatcher is configured not to cache files, the website can be accessed using all of the mentioned browsers, from both Windows and Linux / macOS. Authentication is over NTLM using Windows Authentication.


Technical details:

- Website configuration on IIS:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
            </rules>
        </rewrite>
        <serverRuntime authenticatedUserOverride="UseWorkerProcessUser" />
        <security>
            <authentication>
                <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="false">
                    <extendedProtection tokenChecking="Require" />
                    <providers>
                        <clear />
                        <add value="Negotiate" />
                        <add value="NTLM" />
                    </providers>
                </windowsAuthentication>
            </authentication>
        </security>
        <caching enabled="true" enableKernelCache="true" />
    </system.webServer>
</configuration>

- Dispatcher version: dispatcher-iis-windows-x64-ssl1.1-4.3.3
- NTFS permissions are configured according to the AEM documentation: the app pool identity has Modify permissions on the application home directory and Read & Execute on the folder in which the Dispatcher handler (disp_iis.dll) is located; the additional configuration also complies with the documentation
- The client trying to access the website is not a member of a domain; it uses NTLM to authenticate
- None of the changes in Firefox about:config provided in the Firefox documentation help. Additionally, if the cache is disabled in Dispatcher it works, so it is probably not a problem with the browser config
- When Windows Authentication has only the NTLM provider and the Dispatcher cache is enabled, Windows Authentication keeps asking for credentials and gives 401.2
- Communication is over NTLMv2, but I've also tried using NTLMv1 and it doesn't matter
- I've tried to disable useKernelMode and Extended Protection; it doesn't make a difference
- In the AEM logs only the request for start.html is logged when trying to reach the website; it looks like the other requests don't pass through Windows Authentication


Has anyone of you had a similar problem, or an idea how to resolve it?
Thank you in advance.
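When a 401.2 appears only for files that Dispatcher has written to disk, the two things worth checking side by side are the site's Windows Authentication settings (providers, kernel mode, serverRuntime authenticatedUserOverride) and the NTFS rights the app pool identity actually holds on the cache directory. The following PowerShell script is an added diagnostic, not code from the original post or from Adobe; it assumes the WebAdministration module is available on the IIS host and uses placeholder values for the site name and the Dispatcher cache directory that you must replace with your own.

```powershell
# Added diagnostic (not from the original post): dump the Windows Authentication
# settings of an IIS site and verify the app pool identity's NTFS rights on the
# Dispatcher cache directory. Run in an elevated PowerShell on the IIS host.
Import-Module WebAdministration

# Placeholders (assumptions): replace with your site name and Dispatcher cache path.
$siteName = 'Default Web Site'
$cacheDir = 'C:\inetpub\wwwroot\dispatcher-cache'
$psPath   = "IIS:\Sites\$siteName"

# --- 1. Windows Authentication settings as configured for the site ---
$winAuth = Get-WebConfiguration -PSPath $psPath `
    -Filter 'system.webServer/security/authentication/windowsAuthentication'
$providers = Get-WebConfiguration -PSPath $psPath `
    -Filter 'system.webServer/security/authentication/windowsAuthentication/providers/add' |
    ForEach-Object { $_.value }
$runtime = Get-WebConfiguration -PSPath $psPath -Filter 'system.webServer/serverRuntime'

Write-Host "Site:                       $siteName"
Write-Host "windowsAuthentication:      enabled=$($winAuth.enabled) useKernelMode=$($winAuth.useKernelMode) useAppPoolCredentials=$($winAuth.useAppPoolCredentials)"
Write-Host "extendedProtection:         tokenChecking=$($winAuth.extendedProtection.tokenChecking)"
Write-Host "providers (in order):       $($providers -join ', ')"
Write-Host "authenticatedUserOverride:  $($runtime.authenticatedUserOverride)"

# --- 2. NTFS rights of the app pool identity on the cache directory ---
$poolName  = (Get-Website -Name $siteName).applicationPool
$poolIdent = "IIS AppPool\$poolName"
$required  = [System.Security.AccessControl.FileSystemRights]::Modify

if (-not (Test-Path -LiteralPath $cacheDir)) {
    Write-Warning "Cache directory '$cacheDir' does not exist; Dispatcher cannot have written files there."
    return
}

$acl   = Get-Acl -LiteralPath $cacheDir
$rules = $acl.Access | Where-Object {
    $_.IdentityReference.Value -ieq $poolIdent -and $_.AccessControlType -eq 'Allow'
}

if (-not $rules) {
    Write-Warning "No explicit Allow ACE for '$poolIdent' on '$cacheDir' (rights may still come from a group)."
} else {
    foreach ($rule in $rules) {
        $hasModify = (($rule.FileSystemRights -band $required) -eq $required)
        Write-Host ("ACE for {0}: rights={1} inherited={2} modify={3}" -f `
            $poolIdent, $rule.FileSystemRights, $rule.IsInherited, $hasModify)
    }
}

# --- 3. Sample a few cached files and show who owns them and what their ACL grants ---
# Files created by the Dispatcher handler should carry the rights inherited from the
# cache directory; a file whose ACL differs from its parent is the first thing to look at.
Get-ChildItem -LiteralPath $cacheDir -File -Recurse -ErrorAction SilentlyContinue |
    Select-Object -First 5 |
    ForEach-Object {
        $fileAcl = Get-Acl -LiteralPath $_.FullName
        $poolAce = $fileAcl.Access | Where-Object { $_.IdentityReference.Value -ieq $poolIdent }
        Write-Host ("{0}: owner={1} poolRights={2}" -f `
            $_.FullName, $fileAcl.Owner, ($(if ($poolAce) { $poolAce.FileSystemRights } else { 'none' })))
    }
```

Compare the output from a site where caching is disabled (and everything works) with the output from the cached site; a difference in the serverRuntime override, the provider order, or the effective rights on the files Dispatcher wrote narrows the problem to one side of the request path before any browser-specific tuning is attempted.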

1 Reply


I finally found a solution to resolve the problem.
I described it HERE