Login to start a new topic

Enabling fiddler breaks IIS with Kernel-mode authentication

 I am trying to troubleshoot a problem with a third party web app, and the vendor refuses to investigate without Fiddler logs from a workstation.

The app is hosted locally on IIS in our network, and is using HTTPS issued by our domain CA. We are using NTLM and Negotiate authentication with kernel-mode auth enabled.

If I enable Fiddler decryption, external HTTPS sites work and decrypt without issue, but this site (and another internal IIS site with a similar configuration) prompt endlessly for credentials and/or return 401 unauthorized. I have searched and searched but can't find anything explaining how to solve this problem. The application pool is running under a domain service account per the vendor's setup directions.

I do see the NTLM and Negotiate headers in the request but something is clearly not right.

I am a sysadmin but I am not very experienced with IIS or web development so it may be something very obvious that I'm missing. Any help would be appreciated.

Hey Astadnick,

I assume that you are running a NET application with IIS under localhost. If that assumption is correct, you would probably need to configure the NET application via the web.config file (see this article) and/or try the listed localhost solutions. 

Not quite, this is a production internal server, access is from remote workstations over HTTPS signed by our domain CA.

The site is bound to the hostname in the SAN field of the cert (https://app.corp.mycompany.com). My normal account does not have login rights to the server locally so I can't easily test localhost either way.
Login to start a new topic