Skip to main content

IIS binding limit (401.2 Windows Authentication error)

IIS can perform Windows Authentication to allow your users to a web application. This authentication process can take place on the user-mode (IIS worker process) or kernel-mode (HTTP.SYS).

If you configure IIS to perform it in kernel-mode, you can add maximum 64 bindings to your site. If you add 65 or more bindings, IIS will show “401.2 Unauthorized: Logon Failed Due to Server Configuration with No Authentication” error even though the credentials you submit are correct.

Microsoft has confirmed this limitation. A change for Windows Server 2008 R2 or Windows Server 2012 R2 is not expected.

Workaround for IIS binding limit

The workaround is that using user-mode authentication for your application which has Windows Authentication on.

In order to use user-mode authentication instead of kernel-mode:

  1. Go to IIS Manager
  2. Click on the website
  3. Double click on “Authentication
  4. Select “Advanced Settings” on the right side
  5. Uncheck “Enable Kernel-mode authentication
Disable Kernel-mode authentication to bypass IIS binding limit
Disable Kernel-mode authentication as a workaround to IIS binding limit

Afterwards, continue with these steps:

  1. Go to IIS Manager
  2. Click the website name
  3. Double click on “Configuration Editor
  4. Select “system.webServer/security/ authentcation/windowsAuthentication” from the path
  5. Set “True” for “useAppPoolCredentials
  6. Set “False” for “useKernelMode
  7. Click “Apply
Enable useAppPoolCredentials to bypass IIS binding limit
Enable useAppPoolCredentials parameter

A discussion about the binding limit on IIS forum.

If Windows Authentication is failing and you are using IBM Cognos, check this post out: Windows Authentication is failing for IBM Cognos.

Another possible cause for Windows Authentication failure is the February updates. More information: Authentication stops working after installing February 2019 updates.

Leave a Reply

Your email address will not be published. Required fields are marked *