IIS – Windows Authentication with IIS and mobile devices


I have an ASP.NET MVC 5 application that uses Exchange Web Services Managed API to query data from on-premises Exchange and displays the data on an intranet site hosted in IIS 8.5 on Server 2012 R2. I use Windows Authentication to secure the site.

The problem is that mobile devices (and their browsers) don't get login prompts when they open the site and instantly receive 401 Access denied errors (invalid credentials).

Here are the devices that work:

  • Domain-joined Windows 8 PC with Opera/IE/Firefox (my dev machine)
  • Non domain-joined Windows 7 PC with IE/Firefox
  • Windows Phone 8 Emulator (on the dev machine)

Here are the devices that don't work:

  • Windows 10 Mobile Phone with Edge
  • Android Tablet with stock browser/Chrome/Firefox/Opera

The devices that work get the login prompt; the devices that don't work do not.

Configuration from IIS:

  • Kernel mode enabled
  • App pool runs as a domain account
  • SPN is set on the machine account (http/ & http/)
  • useAppPoolCredentials in applicationhost.config is set to false
  • ASP.Net Impersonation is off
  • Anonymous Authentication is off, Windows Authentication is on
  • Providers: Negotiate, NTLM (in that specific order)

Can anybody help?

Best Answer

It seems like my configuration was OK. As it turned out, Edge on Windows 10 Mobile does not yet support Windows Authentication (oh the irony) and the browsers on the Android tablet also did not work with Windows Authentication. So it was pretty much a premature assumption on my part. I hope this still helps someone.

Solution: Test more devices and find out if the browser you are testing is supposed to work with Windows Authentication. Pro tip: You can use gateways like Sophos or TMG to work around this issue, because you will be presented with a login form that internally passes the credentials via Windows Authentication, because Kerberos does not work over WAN (can't connect to DCs).
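One way to check the mismatch described in the answer is to compare the schemes the server offers in its 401 response with the schemes a given browser can speak. The following is an added example, not code from the original post; the sample response and the client capability sets are constructed assumptions to be replaced with what you observe in your own tests.

```python
# Constructed 401 response head for a site with Anonymous off and the
# providers Negotiate, NTLM enabled (sample data, not a real capture).
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/html\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 1293\r\n"
    "\r\n"
)

# Hypothetical capability sets; fill these in per browser from testing.
CLIENTS = {
    "desktop-browser": {"negotiate", "ntlm", "basic"},
    "mobile-browser": {"basic", "digest"},
}

def offered_schemes(raw_head):
    """Return the auth schemes of a 401 response, in the server's order."""
    status_line, _, rest = raw_head.partition("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[1] != "401":
        return []  # not a challenge response
    schemes = []
    for line in rest.split("\r\n"):
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        # One challenge per header line is assumed (comma-joined
        # challenges in a single header are not split here).
        if sep and name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return schemes

def usable_scheme(schemes, client_supports):
    """First offered scheme the client supports, or None."""
    return next((s for s in schemes if s in client_supports), None)

def diagnose(raw_head, clients):
    """Map each client name to the scheme it would use (None = bare 401)."""
    schemes = offered_schemes(raw_head)
    return {name: usable_scheme(schemes, sup) for name, sup in clients.items()}

if __name__ == "__main__":
    for client, scheme in diagnose(SAMPLE_401, CLIENTS).items():
        print(client, "->", scheme or "no common scheme: 401 shown, no prompt")
```

A client mapped to `None` has no scheme in common with the server, which matches the symptom in the question: the 401 page appears without any login prompt.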