We have a 3rd party application (Backup Exec) that is attempting to authenticate to EWS to restore mail messages. When this authentication attempt occurs, we receive:
2015-08-07 17:24:27 192.168.1.12 POST /autodiscover/autodiscover.svc &CorrelationID=<empty>;&ClientId=0AMDHUEOTQGHHW9AXUG&cafeReqId=4e0a2e70-f4f1-4a81-8164-50be9ad8c6a9; 443 - 192.168.1.12 ExchangeServicesClient/15.00.0516.014 - 401 0 0 676 46
2015-08-07 17:24:28 192.168.1.12 POST /Autodiscover/Autodiscover.xml &CorrelationID=<empty>;&ClientId=UAPYDCATUUMXQKYEKW&cafeReqId=c2f9eb68-96f5-4736-a047-e6afc0e7fa69; 443 - 192.168.1.12 ExchangeServicesClient/15.00.0516.014 - 401 0 0 586 15
2015-08-07 17:24:29 192.168.1.12 POST /EWS/Exchange.asmx &CorrelationID=<empty>;&ClientId=OZPXTJLLGEAQTOVRXPA&cafeReqId=5c22c9a5-3e44-4896-9580-e5bbae73d65d; 443 - 192.168.1.12 ExchangeServicesClient/15.00.0516.014 - 401 0 0 442 31
2015-08-07 17:24:29 192.168.1.12 POST /ews/exchange.asmx &CorrelationID=<empty>;&ClientId=OZPXTJLLGEAQTOVRXPA&cafeReqId=15d45309-c344-4de3-aa14-3ba762e38255; 443 - 192.168.1.12 ExchangeServicesClient/15.00.0516.014 - 401 0 0 346 0
2015-08-07 17:24:30 192.168.1.12 POST /autodiscover/autodiscover.svc &CorrelationID=<empty>;&ClientId=FGRVVMTEASUKWKL9YG&cafeReqId=952780a4-f71d-466e-8290-43f1367ab686; 443 - 192.168.1.12 ExchangeServicesClient/15.00.0516.014 - 401 0 0 676 15
2015-08-07 17:24:30 192.168.1.12 POST /Autodiscover/Autodiscover.xml &CorrelationID=<empty>;&ClientId=KBNYSHVKIDFSBFSSNQ&cafeReqId=22e4f164-0c8b-4ab0-9766-8783343158d4; 443 - 192.168.1.12 ExchangeServicesClient/15.00.0516.014 - 401 0 0 586 15
2015-08-07 17:24:30 192.168.1.12 POST /EWS/Exchange.asmx &CorrelationID=<empty>;&ClientId=ADEIDLJUGBWXQLVIPW&cafeReqId=f5d1da87-8cdd-4e73-8ba8-ef3ed0ec1d70; 443 - 192.168.1.12 ExchangeServicesClient/15.00.0516.014 - 401 0 0 442 0
2015-08-07 17:24:30 192.168.1.12 POST /ews/exchange.asmx &CorrelationID=<empty>;&ClientId=ADEIDLJUGBWXQLVIPW&cafeReqId=f2ab22d5-50d7-4836-b60a-4340ff5b7dc6; 443 - 192.168.1.12 ExchangeServicesClient/15.00.0516.014 - 401 0 0 346 0
2015-08-07 17:24:31 192.168.1.12 POST /autodiscover/autodiscover.svc &CorrelationID=<empty>;&ClientId=XUDXVRUEEQABVWJJXYQ&cafeReqId=8eb92621-f026-403e-b3d5-a05dce3b3e8f; 443 - 192.168.1.12 ExchangeServicesClient/15.00.0516.014 - 401 0 0 676 0
2015-08-07 17:24:31 192.168.1.12 POST /Autodiscover/Autodiscover.xml &CorrelationID=<empty>;&ClientId=ZYPOPMPUWD9CKPZHCZPG&cafeReqId=982d86b6-a034-48b6-9b28-cfbbbd34ff7a; 443 - 192.168.1.12 ExchangeServicesClient/15.00.0516.014 - 401 0 0 586 0
2015-08-07 17:24:32 192.168.1.12 POST /EWS/Exchange.asmx &CorrelationID=<empty>;&ClientId=YGUBKB0GFQD09CA&cafeReqId=2588d160-f50e-49fe-aa89-59e5301c29e9; 443 - 192.168.1.12 ExchangeServicesClient/15.00.0516.014 - 401 0 0 442 15
2015-08-07 17:24:32 192.168.1.12 POST /ews/exchange.asmx &CorrelationID=<empty>;&ClientId=YGUBKB0GFQD09CA&cafeReqId=45cfc065-b166-428c-9dd8-f394c7884ba1; 443 - 192.168.1.12 ExchangeServicesClient/15.00.0516.014 - 401 0 0 346 0
I know from past experience that a 401 1 0 0 0 error would be an issue with user authentication, usually related to Kerberos or NTLM credentials or configuration. Per the failed request tracing, it just looks like it checks for anonymous authentication, then stops.
35. -GENERAL_SET_RESPONSE_HEADER
HeaderName | Set-Cookie |
HeaderValue | ClientId=OZPXTJLLGEAQTOVRXPA; expires=Sat, 06-Aug-2016 17:24:29 GMT; path=/; HttpOnly |
Replace | false |
119. -GENERAL_FLUSH_RESPONSE_START
0 ms
Informational
120. -GENERAL_RESPONSE_HEADERS
Headers | Server: Microsoft-IIS/8.5 request-id: 5c22c9a5-3e44-4896-9580-e5bbae73d65d Set-Cookie: ClientId=OZPXTJLLGEAQTOVRXPA; expires=Sat, 06-Aug-2016 17:24:29 GMT; path=/; HttpOnly WWW-Authenticate: Negotiate WWW-Authenticate: NTLM X-Powered-By: ASP.NET X-FEServer: SPEXCH01 |
0 ms
Informational
121. -GENERAL_FLUSH_RESPONSE_END
BytesSent | 375 |
ErrorCode | The operation completed successfully. (0x0) |
77. -MODULE_SET_RESPONSE_ERROR_STATUS
ModuleName | AnonymousRequestFilterModule |
Notification | AUTHENTICATE_REQUEST |
HttpStatus | 401 |
HttpReason | Anonymous Request Disallowed |
HttpSubStatus | 0 |
ErrorCode | The operation completed successfully. (0x0) |
For the second 401 response, we see:
Warning
75. -MODULE_SET_RESPONSE_ERROR_STATUS
ModuleName | AnonymousRequestFilterModule |
Notification | AUTHENTICATE_REQUEST |
HttpStatus | 401 |
HttpReason | Anonymous Request Disallowed |
HttpSubStatus | 0 |
ErrorCode | The operation completed successfully. (0x0) |
ConfigExceptionInfo | |
What's strange is that at no point, after anonymous authentication fails, does it attempt any type of Windows authentication; it just fails immediately.
The provider order configured in Windows Authentication is NTLM, then Negotiate. The customer has their Outlook Anywhere clients forced to use NTLM, as seen in their ECP configuration, and these clients do authenticate to IIS correctly. I'm not quite understanding why the authentication attempt would stop completely on the disabled anonymous authentication and never attempt other methods. Any thoughts on how to further diagnose this would be appreciated.
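Added example, not part of the original post: a small Python parser for IIS log lines in the layout shown above that reports, per client and URL, which status.substatus pairs occurred and whether any request was ever logged with a username, so a client that only ever receives 401.0 can be told apart from one whose handshake progresses. The field order is an assumption inferred from the posted lines, and the second client and account in the sample are constructed.

```python
from collections import Counter, defaultdict

# Assumed W3C field order, inferred from the log lines in the post (its #Fields
# header is not shown); the names of the last two columns are a guess.
FIELDS = ("date", "time", "s_ip", "method", "uri_stem", "uri_query", "port",
          "username", "c_ip", "user_agent", "referer", "status", "substatus",
          "win32_status", "sc_bytes", "time_taken")

# First two lines are copied from the post; the last two are constructed
# (hypothetical client and account) to show a handshake that does progress.
SAMPLE = r"""
2015-08-07 17:24:29 192.168.1.12 POST /EWS/Exchange.asmx &CorrelationID=<empty>;&ClientId=OZPXTJLLGEAQTOVRXPA&cafeReqId=5c22c9a5-3e44-4896-9580-e5bbae73d65d; 443 - 192.168.1.12 ExchangeServicesClient/15.00.0516.014 - 401 0 0 442 31
2015-08-07 17:24:29 192.168.1.12 POST /ews/exchange.asmx &CorrelationID=<empty>;&ClientId=OZPXTJLLGEAQTOVRXPA&cafeReqId=15d45309-c344-4de3-aa14-3ba762e38255; 443 - 192.168.1.12 ExchangeServicesClient/15.00.0516.014 - 401 0 0 346 0
2015-08-07 17:25:01 192.168.1.12 POST /EWS/Exchange.asmx - 443 - 192.0.2.25 Constructed-Client/1.0 - 401 1 0 442 15
2015-08-07 17:25:01 192.168.1.12 POST /EWS/Exchange.asmx - 443 EXAMPLE\svc-test 192.0.2.25 Constructed-Client/1.0 - 200 0 0 1200 40
"""


def parse(text):
    """Yield one dict per request line, skipping '#' directives and malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))


def summarize(text):
    """Map (client IP, user agent, lower-cased URL) to status counts and usernames seen."""
    out = defaultdict(lambda: {"codes": Counter(), "users": set()})
    for r in parse(text):
        key = (r["c_ip"], r["user_agent"], r["uri_stem"].lower())
        out[key]["codes"][f'{r["status"]}.{r["substatus"]}'] += 1
        if r["username"] != "-":
            out[key]["users"].add(r["username"])
    return out


def stuck_on_anonymous(text):
    """Keys where every response was 401.0 and no request was logged with a username."""
    return sorted(k for k, v in summarize(text).items()
                  if set(v["codes"]) == {"401.0"} and not v["users"])


if __name__ == "__main__":
    for key in stuck_on_anonymous(SAMPLE):
        print("only 401.0, never a username:", key)
```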