406 Error - Not acceptable / client browser does not accept the MIME Type #7

Open
Mati7777777 opened this issue Jan 27, 2021 · 11 comments

@Mati7777777

Hello,
Everything is working fine locally, but the sample portal does not work remotely, failing with a 406 error:
"The client browser does not accept the MIME Type of the requested page".
I checked with other machines / browsers / users, but same issue...
Does someone have an idea about that?
Thanks

@thomashouston

Hey there @Mati7777777, it may be that Kerberos isn't working. Have you verified your SPNs have been established correctly?

@Mati7777777
Author

Hi @thomashouston!
Sounds like all SPN & delegation is fine on my side, I did not find anything about an authentication error.
I've got one lab environment that is working fine, and the other with the exact same configuration is not,
and I can't explain the "MIME Type" error...

@thomashouston

thomashouston commented Jan 27, 2021

Hey @Mati7777777, it does sound like there's a slight config difference between your two environments. The other thing that has caught me out in the past is ensuring that the PAM API website's app pool identity is delegated auth privileges to the Bastion domain controllers. @fimguy blogged about the issue here.

@Mati7777777
Author

Hey @thomashouston,
LDAP delegation to the bastion DC has been done.
The PAM API site runs under a pool and the service account has delegation in place.
The Sample PAM portal is running under the default app pool but it seems to be working on the first lab.
By the way, that's not the first time I've seen this error in other environments...
Do you think the IIS logs / tracing will give me the information? Or maybe Fiddler/Wireshark traces...

@Mati7777777
Author

Well, apparently it is not a PAM sample problem: `Invoke-RestMethod -Uri "http://pamapi:8086/api/pamresources/pamroles" -Method Get -UseBasicParsing -UseDefaultCredentials` is returning the same error, so bypassing the PAM sample does not resolve this. I'll dig into this and get back to you.
Many thanks!

@thomashouston

@Mati7777777, you can test the MIM PAM REST API by opening a browser and navigating to http://pamapi:8086/api/pamresources/pamroles/ - the browser should ask you if you want to download pamroles.json.

@Mati7777777
Author

Yes, that's it: remotely the download does not occur, with the error about 406 not acceptable MIME Type.
So now I need to understand why the API is not working remotely.

@thomashouston

thomashouston commented Jan 27, 2021

@Mati7777777, double-check the SPNs for the account that's running the PAM REST API app pool. This is the command I use to create the app pool group managed service account:

```powershell
New-ADServiceAccount -Name 'pamapiapppool' -Description 'PAM REST API Application Pool' -DisplayName 'PAM API Application Pool' -DNSHostName 'pamapiapppool.bastion.net' -Enabled $true -PrincipalsAllowedToRetrieveManagedPassword "CN=MIM Server Accounts,OU=Groups Global,$dn" -ServicePrincipalNames 'HTTP/pamapi.bastion.net','HTTP/pamapi' -OtherAttributes @{'msDS-AllowedToDelegateTo'='HTTP/pamapi.bastion.net','HTTP/pamapi','LDAP/BASABCXXX001.bastion.net','LDAP/BASABCXXX001';'userPrincipalName'='pamapiapppool@bastion.net'} -TrustedForDelegation $true
```

@Mati7777777
Author

@thomashouston Many thanks! Let me have a look.

@Mati7777777
Author

@thomashouston the API is working now (I added msDS-AllowedToDelegateTo = HTTP/pamapi.bastion.net), so the PAM API delegates to itself,
and the sample portal is working as well.
Cool, many thanks! :)
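
Added example, not written by anyone in this thread and not part of the project: a PowerShell check that compares an app pool account's HTTP SPNs and required back-end targets against its `msDS-AllowedToDelegateTo` list, which is the gap that was fixed above. The function name `Test-PamApiDelegation` and the sample object are constructed for illustration; the account and SPN names are the ones quoted in the comments.

```powershell
# Hypothetical helper: reports delegation targets that are missing or unexpected.
function Test-PamApiDelegation {
    param(
        [Parameter(Mandatory)] $Account,       # object shaped like Get-ADServiceAccount output
        [string[]] $BackendTargets = @()       # e.g. the LDAP SPNs of the bastion DC
    )
    $spns    = @($Account.ServicePrincipalNames)
    $allowed = @($Account.'msDS-AllowedToDelegateTo')

    # The account's own HTTP SPNs must be delegation targets as well
    # (the fix reported above), alongside the back-end LDAP SPNs.
    $expected = @($spns | Where-Object { $_ -like 'HTTP/*' }) + $BackendTargets |
        Sort-Object -Unique

    [pscustomobject]@{
        Account        = $Account.Name
        MissingTargets = @($expected | Where-Object { $_ -and $allowed -notcontains $_ })
        # Targets nobody asked for widen what the account can reach.
        ExtraTargets   = @($allowed | Where-Object { $_ -and $expected -notcontains $_ })
        # $true means unconstrained delegation, which is not limited to the
        # msDS-AllowedToDelegateTo list and deserves a second look.
        Unconstrained  = [bool]$Account.TrustedForDelegation
    }
}

# Constructed sample reproducing the broken state: HTTP/pamapi.bastion.net
# is an SPN of the account but is absent from the delegation list.
$sample = [pscustomobject]@{
    Name                       = 'pamapiapppool'
    ServicePrincipalNames      = 'HTTP/pamapi.bastion.net', 'HTTP/pamapi'
    'msDS-AllowedToDelegateTo' = 'HTTP/pamapi', 'LDAP/BASABCXXX001.bastion.net', 'LDAP/BASABCXXX001'
    TrustedForDelegation       = $true
}
Test-PamApiDelegation -Account $sample `
    -BackendTargets 'LDAP/BASABCXXX001.bastion.net', 'LDAP/BASABCXXX001'

# Against a live directory (requires the ActiveDirectory module):
# $acct = Get-ADServiceAccount -Identity 'pamapiapppool' `
#     -Properties ServicePrincipalNames, 'msDS-AllowedToDelegateTo', TrustedForDelegation
# Test-PamApiDelegation -Account $acct -BackendTargets 'LDAP/BASABCXXX001.bastion.net'
# setspn -Q HTTP/pamapi   # shows which account currently holds the SPN
```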

@DmitriyKim-911

Thank you guys for the solutions, that worked for me! However, I am facing the same issue when trying to authenticate at the sample portal from a Corp Domain PC. Could you please advise what could be the problem?
Thank you.


3 participants