401 1 2148074248 in IIS logs behind a load balancer with multiple servers

Published Jul 01 2021 12:07 PM 1,241 Views
Microsoft

If you're receiving an unexpected 401 and IIS logs show this: 401 1 2148074248, this blog could be useful if you have this setup:

  • Windows Authentication enabled in IIS (specifically if NTLM is being used), and
  • a load balancer with multiple web servers behind it

 

This is an infrequent occurrence, but I have personally troubleshooted it a few times over the past several years. It's an odd one and can be difficult to identify especially if you cannot reproduce it on-demand or if it's intermittent. This particular issue should not occur if you have only one server, behind a load balancer or not. So if you do have multiple web servers and remove all but one and the issue goes away, there's a chance you could be experiencing this problem.

 

For this, it would be extremely helpful if internal traffic between the load balancer and web servers is unencrypted. This is to be able to find the problem more-quickly as described.

 

The first thought for me that comes to mind when I see this particular problem is that the NTLM messages are being split between multiple TCP connections. 

The overall auth flow of NTLM is described on this page, and it wouldn't hurt to understand it more deeply. In short, when a client is authenticating using NTLM, there are multiple roundtrips needed for the building of that authenticated user context to be complete.

Those multiple round-trips consist of three (3) NTLM messages that must be exchanged between client and server, in order, on the same socket and server, for NTLM to be successful.

 

By "on the same socket and server" above I mean that the client must be communicating with the same server and the client-side IP:port combination must remain the same as the NTLM messages are being passed (remember in a load-balanced situation, the direct client of the web server is typically the load balancer as that is where the TCP connections originate from in most scenarios). In other words, if the load balancer opened port 50000 to communicate with a web server and Windows Auth/NTLM is needed, the load balancer must not break the NTLM messages up between different ephemeral/dynamic ports and must remain on the same server. If those messages are broken up between different ports/TCP connections or between servers, then this is when you can see the 401 1 2148074248 issue.

401.1 == logon failure.
The 2148074248 code translates to:
SEC_E_INVALID_TOKEN: The token supplied to the function is invalid.

 

Here's an example of what this would look like from network traces - these are real-world from a customer environment...

MattHamrick_2-1623182703930.png

 

Note this is a new TCP connection.

The initial request in frame 6109 was anonymous, so the server sent back the typical 401.2 and requsted Windows Auth. This would have logged a "401 2 5" in the IIS log. This is normal.

The second request was frame 6118, and it contained the NTLM Type-1 message (not shown). 

The second 401 in a default setup (Kernel-mode enabled) is actually sent from the HTTP.sys driver underneath IIS, and that 401 contains the NTLM Type-2 message, and is normal. If kernel-mode is disabled then you would see a 401 1 2148074254 in the IIS log, which would also be normal here.

The problem with the communication above is the TCP FIN sent from the client in frame 6121. This would be unexpected, as what we would expect to see here is a third HTTP request that would contain the NTLM Type-3 message to complete the auth flow.

What actually happened here is the load balancer had sent the Type-3 message to a new server, instead of sending it on the original (now-closed) socket:

MattHamrick_3-1623183081776.png

Notice all the IPs are different here: the internal interface of the load balancer is different, along with the server-side IP (it was a different server). 

It is on this second server where the 401 1 2148074248 is observed. And, since this 401 would be unexpected from an end-client perspective (as far as the client is concerned it was using the same sockets to communicate with the load balancer), a credential prompt appeared on the client browser. That particular error code is sent back by Local Security Authority (LSA) code and occurs because the context is only partial - since it wasn't generated on this server (or even on the same socket since that's what NTLM needs here) it failed.

It's not shown here, but when digging into the NTLM messages in the HTTP requests/responses, we could see that server-2 was indeed receiving NTLM challenges sent to the client by server-1.

 

The problem here was the load balancer was not using session affinity/persistence/etc. What's interesting is that the load balancer was configured with persistence based on IPs but the reasons for why it wasn't honoring that all the time are unknown. 

 

This particular issue was resolved when the load balancer was switched to a cookie-based persistence mechanism.

 

%3CLINGO-SUB%20id%3D%22lingo-sub-2428459%22%20slang%3D%22en-US%22%3E401%201%202148074248%20in%20IIS%20logs%20behind%20a%20load%20balancer%20with%20multiple%20servers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2428459%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20you're%20receiving%20an%20unexpected%20401%20and%20IIS%20logs%20show%20this%3A%26nbsp%3B401%201%202148074248%2C%20this%20blog%20could%20be%20useful%20if%20you%20have%20this%20setup%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EWindows%20Authentication%20enabled%20in%20IIS%20(specifically%20if%20NTLM%20is%20being%20used)%2C%20%3CSTRONG%3Eand%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3CLI%3Ea%20load%20balancer%20with%20multiple%20web%20servers%20behind%20it%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20is%20an%20infrequent%20occurrence%2C%20but%20I%20have%20personally%20troubleshooted%20it%20a%20few%20times%20over%20the%20past%20several%20years.%20It's%20an%20odd%20one%20and%20can%20be%20difficult%20to%20identify%20especially%20if%20you%20cannot%20reproduce%20it%20on-demand%20or%20if%20it's%20intermittent.%20This%20particular%20issue%20should%20not%20occur%20if%20you%20have%20only%20one%20server%2C%20behind%20a%20load%20balancer%20or%20not.%20So%20if%20you%20do%20have%20multiple%20web%20servers%20and%20remove%20all%20but%20one%20and%20the%20issue%20goes%20away%2C%20there's%20a%20chance%20you%20could%20be%20experiencing%20this%20problem.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20this%2C%20it%20would%20be%20extremely%20helpful%20if%20internal%20traffic%20between%20the%20load%20balancer%20and%20web%20servers%20is%20unencrypted.%20This%20is%20to%20be%20able%20to%20find%20the%20problem%20more-quickly%20as%20described.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EThe%20first%20thought%20for%20me%20that%20comes%20to%20mind%20when%20I%20see%20this%20particular%20problem%20is%20that%20the%20NTLM%20messages%20are%20being%20split%20between%20multiple%20TCP%20connections.%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThe%20overall%20auth%20flow%20of%20NTLM%20is%20described%20on%20%3CA%20title%3D%22Windows%20Authentication%20auth%20flow%20in%20IIS%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fiis-support-blog%2Fwindows-authentication-http-request-flow-in-iis%2Fba-p%2F324645%22%20target%3D%22_blank%22%3Ethis%20page%3C%2FA%3E%2C%20and%20it%20wouldn't%20hurt%20to%20understand%20it%20more%20deeply.%20In%20short%2C%20when%20a%20client%20is%20authenticating%20using%20NTLM%2C%20there%20are%20multiple%20roundtrips%20needed%20for%20the%20building%20of%20that%20authenticated%20user%20context%20to%20be%20complete.%3C%2FP%3E%0A%3CP%3EThose%20multiple%20round-trips%20consist%20of%20three%20(3)%20NTLM%20messages%20that%20must%20be%20exchanged%20between%20client%20and%20server%2C%20in%20order%2C%20%3CSTRONG%3Eon%20the%20same%20socket%20and%20server%3C%2FSTRONG%3E%2C%20for%20NTLM%20to%20be%20successful.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBy%20%22on%20the%20same%20socket%20and%20server%22%20above%20I%20mean%20that%20the%20client%20must%20be%20communicating%20with%20the%20same%20server%20and%20the%20client-side%20IP%3Aport%20combination%20must%20remain%20the%20same%20as%20the%20NTLM%20messages%20are%20being%20passed%20(remember%20in%20a%20load-balanced%20situation%2C%20the%20direct%20client%20of%20the%20web%20server%20is%20typically%20the%20load%20balancer%20as%20that%20is%20where%20the%20TCP%20connections%20originate%20from%20in%20most%20scenarios).%20In%20other%20words%2C%20if%20the%20load%20balancer%20opened%20port%2050000%20to%20communicate%20with%20a%20web%20server%20and%20Windows%20Auth%2FNTLM%20is%20needed%2C%20the%20load%20balancer%20must%20not%20break%20the%20NTLM%20messages%20up%20between%20different%20ephemeral%2Fdynamic%20ports%20and%20must%20remain%20on%20the%20same%20server.%20If%20those%20messages%20are%20broken%20up%20between%20different%20ports%2FTCP%20connections%20or%20between%20servers%2C%20then%20this%20is%20when%20you%20can%20see%20the%20401%201%26nbsp%3B2148074248%20issue.%3C%2FP%3E%0A%3CP%3E401.1%20%3D%3D%20logon%20failure.%3CBR%20%2F%3EThe%20%3CSTRONG%3E2148074248%3C%2FSTRONG%3E%20code%20translates%20to%3A%3CBR%20%2F%3E%3CEM%3ESEC_E_INVALID_TOKEN%3A%20The%20token%20supplied%20to%20the%20function%20is%20invalid.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere's%20an%20example%20of%20what%20this%20would%20look%20like%20from%20network%20traces%20-%20these%20are%20real-world%20from%20a%20customer%20environment...%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22MattHamrick_2-1623182703930.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F287226iBA50B92206E470BD%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22MattHamrick_2-1623182703930.png%22%20alt%3D%22MattHamrick_2-1623182703930.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENote%20this%20is%20a%20new%20TCP%20connection.%3C%2FP%3E%0A%3CP%3EThe%20initial%20request%20in%20frame%206109%20was%20anonymous%2C%20so%20the%20server%20sent%20back%20the%20typical%20401.2%20and%20requsted%20Windows%20Auth.%20This%20would%20have%20logged%20a%20%22401%202%205%22%20in%20the%20IIS%20log.%20This%20is%20normal.%3C%2FP%3E%0A%3CP%3EThe%20second%20request%20was%20frame%206118%2C%20and%20it%20contained%20the%20NTLM%20Type-1%20message%20(not%20shown).%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20second%20401%20in%20a%20default%20setup%20(Kernel-mode%20enabled)%20is%20actually%20sent%20from%20the%20HTTP.sys%20driver%20underneath%20IIS%2C%20and%20that%20401%20contains%20the%20NTLM%20Type-2%20message%2C%20and%20is%20normal.%20If%20kernel-mode%20is%20disabled%20then%20you%20would%20see%20a%20401%201%26nbsp%3B2148074254%20in%20the%20IIS%20log%2C%20which%20would%20also%20be%20normal%20here.%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EThe%20problem%20with%20the%20communication%20above%20is%20the%20TCP%20FIN%20sent%20from%20the%20client%20in%20frame%206121%3C%2FSTRONG%3E.%20This%20would%20be%20unexpected%2C%20as%20what%20we%20would%20expect%20to%20see%20here%20is%20a%20third%20HTTP%20request%20that%20would%20contain%20the%20NTLM%20Type-3%20message%20to%20complete%20the%20auth%20flow.%3C%2FP%3E%0A%3CP%3EWhat%20actually%20happened%20here%20is%20the%20load%20balancer%20had%20sent%20the%20Type-3%20message%20to%20a%26nbsp%3B%3CSTRONG%3Enew%20server%2C%3C%2FSTRONG%3E%20instead%20of%20sending%20it%20on%20the%20original%20(now-closed)%20socket%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22MattHamrick_3-1623183081776.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F287228i8E591979A52BFD0C%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22MattHamrick_3-1623183081776.png%22%20alt%3D%22MattHamrick_3-1623183081776.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ENotice%20all%20the%20IPs%20are%20different%20here%3A%20the%20internal%20interface%20of%20the%20load%20balancer%20is%20different%2C%20along%20with%20the%20server-side%20IP%20(it%20was%20a%20different%20server).%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EIt%20is%20on%20this%20second%20server%20where%20the%20401%201%26nbsp%3B2148074248%20is%20observed.%3C%2FSTRONG%3E%20And%2C%20since%20this%20401%20would%20be%20unexpected%20from%20an%20end-client%20perspective%20(as%20far%20as%20the%20client%20is%20concerned%20it%20was%20using%20the%20same%20sockets%20to%20communicate%20with%20the%20load%20balancer)%2C%20a%20credential%20prompt%20appeared%20on%20the%20client%20browser.%20That%20particular%20error%20code%20is%20sent%20back%20by%20Local%20Security%20Authority%20(LSA)%20code%20and%20occurs%20because%20the%20context%20is%20only%20partial%20-%20since%20it%20wasn't%20generated%20on%20this%20server%20(or%20even%20on%20the%20same%20socket%20since%20that's%20what%20NTLM%20needs%20here)%20it%20failed.%3C%2FP%3E%0A%3CP%3EIt's%20not%20shown%20here%2C%20but%20when%20digging%20into%20the%20NTLM%20messages%20in%20the%20HTTP%20requests%2Fresponses%2C%20we%20could%20see%20that%20server-2%20was%20indeed%20receiving%20NTLM%20challenges%20sent%20to%20the%20client%20by%20server-1.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20problem%20here%20was%20the%20load%20balancer%20was%20not%20using%20session%20affinity%2Fpersistence%2Fetc.%20What's%20interesting%20is%20that%20the%20load%20balancer%20%3CEM%3Ewas%3C%2FEM%3E%20configured%20with%20persistence%20based%20on%20IPs%20but%20the%20reasons%20for%20why%20it%20wasn't%20honoring%20that%20all%20the%20time%20are%20unknown.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20particular%20issue%20was%20resolved%20when%20the%20load%20balancer%20was%20switched%20to%20a%20cookie-based%20persistence%20mechanism.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2428459%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20you're%20receiving%20an%20unexpected%20401%20and%20IIS%20logs%20show%20this%3A%26nbsp%3B401%201%202148074248%2C%20this%20blog%20could%20be%20useful%20if%20you%20have%20this%20setup%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EWindows%20Authentication%20enabled%20in%20IIS%20(specifically%20if%20NTLM%20is%20being%20used)%2C%20%3CSTRONG%3Eand%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3CLI%3Ea%20load%20balancer%20with%20multiple%20web%20servers%20behind%20it%3C%2FLI%3E%0A%3C%2FUL%3E%3C%2FLINGO-TEASER%3E
Co-Authors
Version history
Last update:
‎Jul 01 2021 12:07 PM
Updated by: