Windows Authentication Issues - HTTP 500 error

Product: PowerShell Universal
Version: 2.11.1

When I have Windows Authentication enabled, I keep receiving an HTTP 500 error in the browser. I have followed the instructions related to this and have not had any success.

I have set up the service account with the proper permissions and have set SPNs (see screenshots).

I have set the Windows authentication to enabled in the appsettings.json file as well.

However, when I browse to the URL, I receive HTTP ERROR 500 with an unhandled exception in the log file.

2022-06-14 10:02:46.092 -05:00 [ERR] An exception occurred while processing the authentication request.
System.InvalidOperationException: An anonymous request was received in between authentication handshake requests.
   at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleRequestAsync()
2022-06-14 10:02:46.092 -05:00 [ERR] Connection id "0HMIE2O4UMBTL", Request id "0HMIE2O4UMBTL:00000005": An unhandled exception was thrown by the application.
System.InvalidOperationException: An anonymous request was received in between authentication handshake requests.
   at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)

I do not know for sure what I have missed and the only information I can find regarding the above error message is about enabling SPNs, which I believe I have done correctly.

Please let me know what else I should try to get this working.

Thanks!

After a lot of digging around, I found that Kestrel does not seem to support binding to a hostname/real URL but only to IP addresses with ports. Albeit 7 years old, it still seems to be accurate.

Even though I was setting https://psuniversal.domain.com:5001 in the Url setting in appsettings.json, it was binding to https://[::]:5001 per the log. I discovered if I set it to https://10.0.0.100:5001, the log would show it binding to that IP successfully. This seems to have been making the SPN request follow the hostname of the server, rather than utilizing the web URL hostname like how IIS works.

Overall, I have resolved the issue with a bit of a hacky workaround, by utilizing Failover Clustering to create a single node role that contains a client access point resource with a new IP address/Computer Object/DNS name so that I could set up an SPN with that hostname instead. I had to utilize this method because the server I'm using hosts several sites, one of which was already using the SPN for the hostname of the server.

All of that just to say, it was a self-made issue, with a hacky workaround that will do until I can get our developer to fix some of his websites.

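Added example, not part of the original thread and not PowerShell Universal's own code: a pre-flight check for the SPN collision described in the last post, deciding for each URL whether the `HTTP/<host>` SPN is held by the account running the service, by a different account, by several accounts, or by none. The account names, host names, the `Test-NegotiateSpn` function and the inventory are constructed placeholders, and the rule that the client requests `HTTP/<host from the URL>` without the port is an assumption about default browser behaviour.

```powershell
# Constructed inventory: account -> SPNs registered on it. All names are placeholders.
# On a real domain each list would come from `setspn -L <account>`.
$sampleSpns = @{
    'DOMAIN\svc-psu'       = @('HTTP/psu-cap.domain.com')
    'DOMAIN\svc-othersite' = @('HTTP/web01.domain.com', 'HTTP/web01')
}

function Test-NegotiateSpn {
    param(
        [Parameter(Mandatory)] [uri]       $Url,
        [Parameter(Mandatory)] [string]    $ServiceAccount,
        [Parameter(Mandatory)] [hashtable] $Registrations
    )

    # Assumption: the client asks for HTTP/<host typed in the URL>, without the port.
    $spn = "HTTP/$($Url.Host)"

    # -contains is case-insensitive, so differences in letter case do not hide a match.
    $owners = @(
        $Registrations.GetEnumerator() |
            Where-Object { $_.Value -contains $spn } |
            ForEach-Object { $_.Key } |
            Sort-Object
    )

    $status = if ($owners.Count -eq 0) { 'Missing' }
    elseif ($owners.Count -gt 1) { 'Duplicate' }
    elseif ($owners[0] -eq $ServiceAccount) { 'Ok' }
    else { 'HeldByOtherAccount' }

    [pscustomobject]@{
        Url    = $Url.AbsoluteUri
        Spn    = $spn
        Status = $status
        Owners = $owners -join ', '
    }
}

# web01 = the server's own name (SPN already taken by another site's account),
# psu-cap = a dedicated name like the client access point in the workaround,
# psuniversal = a name with no SPN registered at all.
'https://web01.domain.com:5001',
'https://psu-cap.domain.com:5001',
'https://psuniversal.domain.com:5001' |
    ForEach-Object { Test-NegotiateSpn -Url $_ -ServiceAccount 'DOMAIN\svc-psu' -Registrations $sampleSpns } |
    Format-Table -AutoSize
```

With the constructed inventory, the three URLs report `HeldByOtherAccount`, `Ok` and `Missing` respectively.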