How to Troubleshoot 401.2 HTTP Errors with Reverse Proxy Web Publishing (261689)



The information in this article applies to:

  • Microsoft Proxy Server 2.0
  • Microsoft Internet Information Server 4.0

This article was previously published under Q261689

SUMMARY

This article explains how to troubleshoot an "HTTP 401.2" error message when you are using Proxy Server 2.0's Web Publishing feature. Web Publishing is also referred to as "reverse proxying" in the Proxy Server 2.0 documentation.

MORE INFORMATION

If you are using Proxy Server 2.0 Web Publishing to host an internal Internet site, external Internet clients may receive the following HTTP error:
401.2 Unauthorized: Logon Failed due to server configuration.
This error indicates that the credentials passed to the server do not match the credentials required to log on to the server. This is usually caused by not sending the proper WWW-Authenticate header field.

Please contact the Web server's administrator to verify that you have permission to access to requested resource.
The causes for the error include, but may not be limited to:
  • IUSR accounts which are out of synchronization or incorrect.
  • Incorrect, or different Directory Security configurations of both the Proxy Server and the Internal Web Server.

To Correct the IUSR Accounts on the Internal Web Server

  1. On the Internal Web Server, open the Internet Service Manager from Start, Programs, Windows NT 4.0 Option Pack, Microsoft Internet Information Server, and then Internet Service Manager.
  2. Start User Manager from the Microsoft Management Console (MMC) toolbar (an icon on the IIS Management Console toolbar) or User Manager for Domains in the Administrative Tools group.
  3. Double-click the IUSR_servername account.
  4. Clear the Password box, and then type in a new password. Be sure to remember the password.
  5. Type the password again in the Confirm Password box.
  6. Close User Manager.
  7. Click the plus sign beside Internet Information Server to expand the list.
  8. Click the plus sign beside the server name to expand the list.
  9. Right-click the Default Web Site, and then click Properties.
  10. Click the Directory Security tab.
  11. Click Edit next to Anonymous Access and Authentication Control.
  12. Be sure the Allow Anonymous Access check box is selected.
  13. Click Edit next to Allow Anonymous Access.
  14. Uncheck the Enable Automatic Password Synchronization check box.
  15. Clear the Password box, and then check the Enable Automatic Password Synchronization check box.
  16. Click OK three times to return to the MMC.
  17. Right-click the Default Web Site, and then select Stop.
  18. After the Default Web Site stops, right-click the Default Web Site, and then select Start.

To Correct Directory Security Configurations for Both Internal Web Server and Proxy Server

  1. On the Proxy Server computer, open the Internet Service Manager from Start, Programs, Windows NT 4.0 Option Pack, Microsoft Internet Information Server, and then Internet Service Manager.
  2. Click the plus sign beside Internet Information Server to expand the list.
  3. Click the plus sign beside the server name to expand the list.
  4. Right-click the Default Web Site, and then click Properties.
  5. Click the Directory Security tab.
  6. Click Edit next to Anonymous Access and Authentication Control.
  7. Be sure at least Anonymous Access is selected. In most configurations, both Anonymous Access and Windows NT Challenge/Response should be selected.
  8. Right-click the Default Web Site, and then select Stop.
  9. Once the Default Web Site stops, right-click the Default Web Site, and then select Start.
  10. Repeat steps 1 through 9 for the internal Web Server.
Important: Be sure that the same Directory Security controls are selected on both the internal Web Server, and the Proxy Server. It may be necessary to also confirm and correct any discrepancies between the two servers through the WWW Service Master Properties.

To Access the WWW Service Master Properties

  1. Open the Internet Service Manager from Start, Programs, Windows NT 4.0 Option Pack, Microsoft Internet Information Server, and then Internet Service Manager.
  2. Click the plus sign beside Internet Information Server to expand the list.
  3. Right-click the Server name icon, and then click Properties.
  4. Select WWW Service from the Master Properties drop-down list, and then click Edit.
  5. Click the Directory Security tab.
  6. Click Edit next to Anonymous Access and Authentication Control.
  7. Select the type of authentication you wish to use. In most cases the Anonymous and Windows NT Challenge/Response check boxes should be selected.
  8. Click OK on each dialog to close the WWW Service Master Properties.
  9. If presented with the Inheritance Overrides dialog box, choose the child nodes that you want to inherit the new settings.NOTE: You can also click Select All in the Inheritance Overrides dialog, and then manually change the Directory Security settings for only the child nodes that you want to be different.

  10. Right-click the Default Web Site, and then click Stop.
  11. Once the Default Web Site stops, right-click the Default Web Site, and then click Start.
  12. Repeat steps 1 through 11 for the internal Web Server.

REFERENCES

196312 Reverse Proxying Does Not Work with a Single Network Card

184030 Using Server Proxy with SSL in Proxy Server 2.0

176921 Internet Publishing on Proxy Server 2.0 Fails


Modification Type:MinorLast Reviewed:1/25/2006
Keywords:kbenv kbinfo kbtshoot KB261689