By Splunk November 25, 2013
Everyone (just about) knows that there is a table of status codes that HTTP/1.1 defines. However, IIS gives you two more status codes in the log files. The HTTP/1.1 status is stored in sc_status (and it is automagically decoded for you in Splunk 6). There is also an extended code called sc_substatus and a Win32 error code. How can you really decode these, especially since the sc_win32_status seems to have really large numbers?
Let’s start with the sc_status and sc_substatus codes. These are normally written together as a decimal number. So, for instance, 401.1 means an sc_status of 401 and an sc_substatus of 1. The sc_status codes follow a pattern: 1xx are informational, 2xx indicate success, 3xx indicate redirection, and higher ones are for errors. Here is the big table:
| Status Code | Meaning | |
|---|---|---|
| 100 | Continue | |
| 101 | Switching Protocols | |
| 200 | Client Request Succeeeded | |
| 201 | Created | |
| 202 | Accepted | |
| 203 | Non-authoritative information | |
| 204 | No content | |
| 205 | Reset content | |
| 206 | Partial content | |
| 301 | Moved Permanently | |
| 302 | Moved Temporarily | |
| 303 | See Other | |
| 304 | Not modified | |
| 305 | Temporary redirect | |
| 400 | Bad Request | |
| 401.1 | Access Denied (Logon Failed) | |
| 401.2 | Access Denied (Logon Failed due to server configuration) | |
| 401.3 | Access Denied (Unauthorized due to ACL on resource) | |
| 401.4 | Access Denied (Authorization failed by filter) | |
| 401.5 | Access Denied (Authorization failed by ISAPI/CGI application) | |
| 401.7 | Access Denied (By IIS6 URL authorization policy on web server) | |
| 403.1 | Forbidden (Execute Access) | |
| 403.2 | Forbidden (Read Access) | |
| 403.3 | Forbidden (Write Access) | |
| 403.4 | Forbidden (SSL Required) | |
| 403.5 | Forbidden (128-bit SSL Required) | |
| 403.6 | Forbidden (IP Address Rejected) | |
| 403.7 | Forbidden (Client Certificate Required) | |
| 403.8 | Forbidden (Site access denied) | |
| 403.9 | Forbidden (Too many users) | |
| 403.10 | Forbidden (Invalid configuration) | |
| 403.11 | Forbidden (Password change) | |
| 403.12 | Forbidden (Mapper Denied Access) | |
| 403.13 | Forbidden (Client certificate revoked) | |
| 403.14 | Forbidden (Directory listing denied) | |
| 403.15 | Forbidden (Client Access Licenses exceeded) | |
| 403.16 | Forbidden (Client certificate is untrusted) | |
| 403.17 | Forbidden (Client certificate is expired) | |
| 403.18 | Forbidden (Cannot execute URL in current application pool) | |
| 403.19 | Forbidden (Cannot execute CGIs in current application pool) | |
| 403.20 | Forbidden (Passport logon failed) | |
| 404.1 | Not Found (Website not accessible on the requested port) | |
| 404.2 | Not Found (Web service extension lockdown policy) | |
| 404.3 | Not Found (MIME map policy) | |
| 404.4 | Not Found (No Handler in IIS7) | |
| 404.5 | Request Filtering (URL Sequence) | |
| 404.6 | Request Filtering (Verb) | |
| 404.7 | Request Filtering (File extension) | |
| 404.8 | Request Filtering (Hidden namespace) | |
| 404.9 | Request Filtering (Hidden File Attribute) | |
| 404.10 | Request Filtering (Header is too long) | |
| 404.11 | Request Filtering (URL double escaped) | |
| 404.12 | Request Filtering (High-bit characters) | |
| 404.13 | Request Filtering (Content length is too long) | |
| 404.14 | Request Filtering (URL is too long) | |
| 404.15 | Request Filtering (Query string is too long) | |
| 405 | Method not allowed | |
| 406 | Browser does not accept the media type | |
| 407 | Proxy authentication required | |
| 412 | Precondition failed | |
| 413 | Request entity too large | |
| 414 | Request-URI too long | |
| 415 | Unsupported media type | |
| 416 | Requested range not satisfiable | |
| 417 | Execution failed | |
| 500.12 | Web Server is restarting | |
| 500.13 | Web server is too busy | |
| 500.15 | You can’t have Global.asa | |
| 500.16 | UNC authorization credentials are incorrect | |
| 500.18 | URL authorization store cannot be opened | |
| 500.100 | Internal ASP error | |
| 501 | Header values specify a configuration that is not implemented | |
| 502.1 | CGI application timeout | |
| 502.2 | Error in CGI application | |
| 503 | Service unavailable | |
| 504 | Gateway timeout | |
| 505 | HTTP version not supported |
There are a lot of codes there. The majority of failures are in 401 (which deals with Authentication and Authorization) and 404 (which deals with server-side failures, as opposed to the content generators and filters). You can get really granular about why a particular request failed. This aids in debugging when things go wrong.
For the sc_win32_status, fortunately, there are only a few you need to know:
| Win32 Code | Meaning |
|---|---|
| 2148074252 | The logon attempt failed |
| 2148074254 | No credentials are available in the security package |
You will normally see sc_status=401 sc_win32_status=2148074254 on the first access during an integrated authentication to an IIS Web site. This will prompt the browser to pop up a window saying “Enter your credentials”. Once you submit those credentials, you will get another sc_status=401 but with sc_win32_status=2148074252 instead when those credentials cannot be verified. You can look up any other sc_win32_status codes at MSDN.
Which brings us to the question that caused me to write this blog post. Can I provide a report that shows the top failed logons into IIS with integrated authentication? Since the integrated authentication does something like this:
- Client sends “GET /” command
- Server returns sc_status=401 Authorization Required
- Client sends “GET /” with Authorization head
- Server returns sc_status=200 with the page details
One cannot just use sc_status=401 for failed logons. You have to use:
sourcetype=iis sc_status=401 sc_win32_status=2148074252