Here is the scenario:
- .NET Web Api running on an IIS Server (8.5 – although the problem was recreated on 7.5 too)
- v4.0 Integrated Application Pool with a domain account identity.
- Only Windows Authentication is enabled. No anonymous access is allowed.
- Making requests to the Web Api works in the following configuration:
  - Using a different domain account to the one used by the Application Pool AND
  - From a different machine, using a browser or the Invoke-RestMethod PowerShell command
- Making requests to the Web Api does not work in this configuration and results in a 401:Unauthorized error being displayed:
  - Using a different domain account from the same server OR
  - Using the same domain account as the one used by the Application Pool AND
  - From either the same or a different machine, using a browser or the Invoke-RestMethod PowerShell command
The problem was that a Scheduled Job, created as a PowerShell script, was being run from the same server and its Invoke-RestMethod call was generating the 401:Unauthorized error.
The solution was to set the relevant Service Principal Names (SPNs) for the IIS Server, but instead of registering them on the specific domain user account the Application Pool runs as, they were registered on the server's computer account. This included SPNs for the computer's NetBIOS name and the FQDN as well as the host name of the Web Api.
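The following is an added example, not part of the original post, showing how the SPN registration described above is typically done with the built-in setspn tool and then checked from the scheduled job's context. The domain, server and Web Api host names (CORP, WEBSRV01, api.corp.example) are placeholders. Registering on the computer account works here because IIS 7+ kernel-mode authentication decrypts Kerberos tickets with the machine account by default; if kernel-mode authentication is disabled, or useAppPoolCredentials is set to true, the same HTTP SPNs belong on the Application Pool's domain user account instead.

```powershell
# Added example (not from the original post): register HTTP SPNs on the IIS
# server's computer account and verify a Kerberos ticket is issued for the API.
# Placeholder names: CORP (domain), WEBSRV01 (IIS server), api.corp.example (Web Api host).
$domain      = 'CORP'
$serverName  = 'WEBSRV01'
$serverFqdn  = 'WEBSRV01.corp.example'
$apiHostName = 'api.corp.example'

# Computer accounts end in '$', e.g. CORP\WEBSRV01$
$account = "$domain\$serverName`$"

$spns = @(
    "HTTP/$serverName",    # NetBIOS name
    "HTTP/$serverFqdn",    # fully qualified server name
    "HTTP/$apiHostName"    # host name clients use for the Web Api
)

# 1. Check whether any of these SPNs is already registered somewhere else.
#    A duplicate SPN silently breaks Kerberos and falls back to NTLM (or fails).
foreach ($spn in $spns) {
    setspn -Q $spn
}

# 2. Register each SPN on the computer account. -S refuses to add a duplicate.
foreach ($spn in $spns) {
    setspn -S $spn $account
}

# 3. Show what is now registered on the computer account.
setspn -L $account

# 4. Run the same kind of call the scheduled job makes, from the server itself.
#    -UseDefaultCredentials sends the current Windows identity (Kerberos when an SPN matches).
Invoke-RestMethod -Uri "https://$apiHostName/api/values" -UseDefaultCredentials

# 5. Confirm a service ticket for HTTP/<api host> is in the current logon session's cache.
#    If no such ticket appears, authentication fell back to NTLM and the 401 will persist.
klist
```

Run the registration steps once as a domain administrator; steps 4 and 5 should be run under the account the scheduled job uses, since the ticket cache is per logon session.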