This week we had an interesting issue with one of our SharePoint servers.
We have a two-server farm. Both servers are full servers that had been installed a couple of months ago, and as far as I was aware both servers had been tested, so I was a little bit surprised when the farm was tested in anger and we were getting a roughly 20% failure rate in a process that uploads a document to SharePoint.
After a bit of digging we found that it was due to one of the SharePoint servers.
We could not even log in to any of the sites hosted on the farm if we hit this server. We would simply get a 401 Unauthorized error.
I know we also seem to have a load balancing issue, but that's for another day.
Perhaps unsurprisingly, the logs did not show much, so I bumped them up to verbose and here's what we found:
Claims Authentication SPIisWebServiceAuthorizationManager: Using identity '0#.w|dev\svc-spadm' as the actor identity.
Topology WcfReceiveRequest: LocalAddress: 'http://sp02.dev.local:32843/934e0061c6a94255b9ab9e6f2ba45325/SearchService.svc' Channel: 'System.ServiceModel.Channels.ServiceChannel' Action: 'http://tempuri.org/ISearchHealthMonitoringServiceApplication/GetQueryHealthMonitoringSettingsForComponents' MessageId: 'urn:uuid:f00ca305-b1d5-4454-85fa-5f83e7094518'
Monitoring Leaving Monitored Scope (ExecuteWcfServerOperation). Execution Time=154.973746663333
Monitoring Entering monitored scope (Request (GET:https://<site>)). Parent No
Logging Correlation Data Name=Request (GET:https://<site>)
Claims Authentication SPTokenCache.ReadTokenXml: Successfully read token XML ''.
Application Authentication SPApplicationAuthenticationModule: There is no Authorization header, can't try to perform application authentication.
Authentication Authorization Non-OAuth request. IsAuthenticated=False, UserIdentityName=, ClaimsCount=0
Claims Authentication Claims Windows Sign-In: Sending 401 for request 'https://<site>' because the user is not authenticated and resource requires authentication.
Monitoring Leaving Monitored Scope (Request (GET:https://<site>)). Execution Time=3.75103539695688
Claims Authentication SPFederationAuthenticationModule.OnEndRequest: User was being redirected to authenticate.
Claims Authentication Claims Windows Sign-In: Sending 401 for request 'https://<site>' because the user is not authenticated and resource requires authentication.
Clearly, it's not able to authenticate, but why? I thought that the lack of an Authorization header was the clue, but nothing I found on Google helped me. Then I sort of had a flash of inspiration and decided to check whether the site had Windows Authentication enabled.
Bingo!!!!! Windows Authentication is Disabled, no wonder nobody could log in :)
After I enabled it and restarted IIS, the second server started working :)
I didn't install SharePoint on these servers and I don't really have that much experience with SharePoint, so I'm not entirely sure who to blame here, our guys or Microsoft. But it seems to me that since one of the big things with Microsoft is integration with AD, it's just a bit daft that it doesn't turn Windows Authentication on for the SharePoint site by default.
Maybe it does and it's something that we did.
At any rate, hope this helps.
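
A check for this kind of drift, as an added example that is not from the original post: it reads the IIS windowsAuthentication setting for every site on each farm server and lists the sites where the servers disagree. It assumes PowerShell remoting to both servers and the WebAdministration module on each; sp01.dev.local is a placeholder for the first server, whose name the post does not give.

```powershell
# Added example: compare the IIS Windows Authentication setting per site across farm servers.
# 'sp01.dev.local' is a placeholder name; 'sp02.dev.local' appears in the log above.
$servers = 'sp01.dev.local', 'sp02.dev.local'

# Collect one row per site per server. Invoke-Command adds PSComputerName to each row.
$rows = Invoke-Command -ComputerName $servers -ScriptBlock {
    Import-Module WebAdministration
    $filter = '/system.webServer/security/authentication/windowsAuthentication'
    foreach ($site in Get-ChildItem IIS:\Sites) {
        # Read the effective value from applicationHost.config for this site's location
        $attr = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $site.Name -Filter $filter -Name enabled
        [pscustomobject]@{
            Site        = $site.Name
            WindowsAuth = [bool]$attr.Value
        }
    }
}

# A site with Windows Authentication off is not necessarily wrong on its own
# (the zone may use another claims provider), so the signal here is disagreement:
# report a site when the servers differ, or when it is missing from a server.
$drift = $rows | Group-Object Site | Where-Object {
    $values = @($_.Group.WindowsAuth | Sort-Object -Unique)
    $values.Count -gt 1 -or $_.Count -ne $servers.Count
}

if ($drift) {
    $drift | ForEach-Object { $_.Group } |
        Sort-Object Site, PSComputerName |
        Format-Table Site, PSComputerName, WindowsAuth -AutoSize
} else {
    'No difference in Windows Authentication settings between servers.'
}
```

Run it from an account with administrative rights on both servers, since reading the IIS configuration requires elevation.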