Case Study: Using ProcMon to resolve a 401 error

  • Article

This article has been written by Ambuj Nautiyal, a PFE with Microsoft Canada. In this post he talks about a typical scenario which can be easily diagnosed using the Process Monitor (ProcMon) tool.

Scenario

Recently I helped troubleshoot a HTTP server error 401 issue - which can sometimes be a nightmare to diagnose. The ASP.NET 4.0 application was hosted on IIS 7.5; the user would click on a specific page to generate a report (which used Crystal Reports controls) and was being prompted to enter credentials 3 times, followed by the 401 error.

Troubleshooting

The Fiddler tool would show something like below for the Header.

Fiddler output

The raw IIS error info is given below:

HTTP Error 401.1 - Unauthorized
You do not have permission to view this directory or page using the credentials that you supplied.

The error message also mentions the likely causes of the error:

  • The username supplied to IIS is invalid.
  • The password supplied to IIS was not typed correctly.
  • Incorrect credentials were cached by the browser.
  • IIS could not verify the identity of the username and password provided.
  • The resource is configured for Anonymous authentication, but the configured anonymous account either has an invalid password or was disabled.
  • The server is configured to deny login privileges to the authenticating user or the group in which the user is a member.

An invalid Kerberos configuration may be the cause if all of the following are true:

  • Integrated authentication was used.
  • The application pool identity is a custom account.
  • The server is a member of a domain.

Now all other requests to the web application were successful other than this particular page. We wanted to know from where this Kerberos request in between originated, so we ran Procmon to unravel the mystery. We noted there was a TCP Disconnect call in the list of operations.

TCP Disconnect event in ProcMon

Looking through the list of modules it indicated that the TCPDisconnect originated from the Crystal Engine:

ProcMon event properties

Conclusion

It turned out that ever since a newer version of Crystal Engine (13.0.4.705) was installed on this machine, they had the 401 issue. Rolling back to the previous Crystal Report Engine (13.0.3.612) resolved the problem.

We hope this gives you a perspective on how you can also use Process Monitor to troubleshoot tricky issues!

Disclaimer: the mention of 3rd party or community products in these blog posts in no way constitutes a recommendation or advice. These are my personal opinion and do not reflect any of my employer’s opinions.