HTTP 401 Unauthorized Access is denied to invalid credentials on Exchange 2013 Default Website
Recently in order to fix one problem a new problem was created where after a HTTP redirect was working successfully, for some reason it stopped working on the default domain. E.g. http://mydomain.com/OWA to https://mydomain.com/OWA
The HTTPS link was working successfully yet the redirect kept on displaying HTTP 401 Unauthorized Access is denied. I spent a while troubleshooting in the end I enabled FailRequestTrace and noticed the following error in the logs: –
176. KERBAUTH_ERROR
Error
Message=”Error on CKerberosAuthenticationModule processing.”, Context=”OnAuthenticateRequest”, ErrorCode=”The operation completed successfully.
(0x0)”
This led me to investigate the Kerberos modules in IIS – so I realised that I must have enabled it on the default site – so I launched IIS Manager – Default Site – Selected Modules from the right hand pane. Found KerbAuth Module and removed it.
It started working again.
From
Note: If The KerbAuth.dll module had been loaded at the Default Web Site level this can cause OWA as well as the Exchange Management tools (EMC/EMS) not to work.
-KERBAUTH should only be registered in IIS under modules on the PowerShell Site (not at the Default Site, and not at the Server level)
-KERBAUTH should only be registered as NATIVE, not as Managed at the PowerShell Site in IIS
-KERBAUTH should only be registered directly at the PowerShell Site in IIS, not Inherited.
If the Kerbauth.dll is registered as a “Managed” module not a “Native” Module, do the following:
• Remove Kerbauth from the Powershell web site as a Managed Module
• Verify if Kerbauth.dll is in the C:/Program Files/Microsoft/Exchange/V14/BIN directory.
• In IIS go to the server level and register Kerbauth.dll using the name “Kerbauth” and the path to C:/Program Files/Microsoft/Exchange/V14/BIN/KERBAUTH.DLL
• Go back to the Server level in IIS and Remove Kerbauth.
Note: We are simply removing it from the server level, and since it is registered now, it should be available at lower levels.
• Under IIS Powershell in MODULES select Manage Native Modules, and check by Kerbauth which now should appear.
• Ran IISRESET from a Command Prompt