I've got an asp.net app that relies on Request.LogonUserIdentity.Name to be populated with the username of the person logged onto the client machine. In IIS7 on the webserver, I've disabled Anonymous Authentication and enabled ASP.NET Impersonation & Windows Authentication. (I'm logging onto the webserver with a service account, not my own.) When I try to browse to the site from my desktop, I get prompted for my network credentials which fail - 401 Unauthorized.... I'm using .Net 3.5 sp Whatever. The server is running IIS 7.5.

Application Pool:

  • Managed Pipeline Mode: Classic
  • Load User Profile: false
  • Identity: ApplicationPoolIdentity

Web Application:

  • .NET Auth Rules: Allow All Users
  • Enabled auth types: ASP.NET Impersonation, Windows

File-system Folder permissions:

  • Creator Owner: Special Permissions
  • Machine\IUsr: Read & Execute, List folder contents, Read
  • Machine\System: Full Control
  • My Domain Account: Full Control
  • Machine\Administrators: Full Control
  • Machine\Users: Read & Execute, List folder contents, Read
  • Machine\IIS_IUSRS: Read & Execute, List folder contents, Read
  • Trusted Installer: Full Control

I've tried adding Machine\Everyone and Domain\Domain Users with Read and also with Full Control and I'm still being blocked.

minameismud
  • Can you look at the server's security event log or IIS log and see what user account is in the logon event / log record? –  May 02 '11 at 14:14
  • When I try to hit the site and enter my domain credentials, my domain account is recorded in the logon/logoff events. Is it that I essentially need to grant the entire network logon rights to the machine? – minameismud May 02 '11 at 14:20
  • When you said the user account is in the security log, was the status success or failure? –  May 02 '11 at 14:36
  • "An account was successfully logged on." The values under the "Subject" header are blank or null; logon type = 3; values under "New Logon" header are my information. – minameismud May 02 '11 at 14:40
  • This means you have logon rights to the machine, but the web server turns you down, so I'm guessing that the user permissions for the IIS folders are amiss. There's a good KB [here](http://support.microsoft.com/kb/907273) that deals with exactly this problem; I hope it helps. –  May 02 '11 at 14:53
  • Unfortunately, that link appears to only contain information for IIS6. I still looked it over and attempted to re-apply permissions to the folder under inetpub\wwwroot. Still getting the 401. – minameismud May 02 '11 at 16:24
  • Does your app go get data from a database on another machine (not the web server machine)? –  May 03 '11 at 07:34
  • Yes, mssql 2008, but that's via a sql login. It also pulls data from MOSS 2007, but the error would be different (seen plenty of those). – minameismud May 03 '11 at 10:32

2 Answers

This is most likely from the loopback check when testing locally on the server. I bet it works if you test it from another server.

Turn off the loopback check using method 2 from this page: http://support.microsoft.com/kb/896861. A reboot isn't required for your change.

As for permissions, with impersonation enabled it will need the authenticated user, plus the app pool user will be needed for some things. So, the key permissions to use are SYSTEM, Administrators, "IIS APPPOOL\{apppoolname}" and a group for the possible users that will authenticate.

Scott Forsyth

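The two pieces of advice in this answer (the KB896861 loopback setting and the folder ACL with the app pool identity) as a PowerShell script run on the IIS server. This is an added example, not code from the answer. The site folder `C:\inetpub\wwwroot\MyApp`, the app pool name `MyAppPool`, the host names `intranet.example.com` / `intranet` and the group `DOMAIN\WebAppUsers` are placeholders; substitute your own. KB896861's method 1 (`BackConnectionHostNames`) keeps the loopback check and only exempts named hosts, so it is shown first; method 2 (`DisableLoopbackCheck`, the one the answer refers to) switches the check off for the whole server and is left commented out.

```powershell
# Added example, not part of the original answer. Run from an elevated
# PowerShell prompt on the IIS host. All names below are placeholders.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# KB896861 method 1: keep the loopback check, but list the host names that
# are used to reach this server from itself (REG_MULTI_SZ under MSV1_0).
$hostNames = @('intranet.example.com', 'intranet')   # placeholders
New-ItemProperty -Path "$lsa\MSV1_0" -Name 'BackConnectionHostNames' `
    -PropertyType MultiString -Value $hostNames -Force | Out-Null

# KB896861 method 2 (what the answer points at): disable the check entirely.
# Only use this when method 1 cannot be made to work.
# New-ItemProperty -Path $lsa -Name 'DisableLoopbackCheck' `
#     -PropertyType DWord -Value 1 -Force | Out-Null

# Print both values so the change can be verified and audited later.
Get-ItemProperty -Path "$lsa\MSV1_0" -Name 'BackConnectionHostNames' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty BackConnectionHostNames
Get-ItemProperty -Path $lsa -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty DisableLoopbackCheck

# Folder ACL as the answer lists it: SYSTEM, Administrators, the app pool's
# virtual account (IIS AppPool\<name>) and a group holding the users who will
# authenticate. (OI)(CI) inherits to files and subfolders; RX = read and
# execute, F = full control. Only the two built-in accounts get full control.
$siteRoot = 'C:\inetpub\wwwroot\MyApp'               # placeholder
icacls $siteRoot /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
icacls $siteRoot /grant 'BUILTIN\Administrators:(OI)(CI)F'
icacls $siteRoot /grant 'IIS AppPool\MyAppPool:(OI)(CI)RX'
icacls $siteRoot /grant 'DOMAIN\WebAppUsers:(OI)(CI)RX'

# Show the resulting ACL.
icacls $siteRoot
```

The authenticated-user group gets read and execute only; with impersonation on, the request runs as that user, so anything broader than the app needs to serve files is handed to every person who can log on to the site.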
In IIS 7.5 when you turn on Windows authentication, there is also an option for providers. By default, Negotiate is 1st preference and then NTLM. I've seen issues where Negotiate fails because of other setup-related issues and then presents the user with a credential challenge. I've been able to work around this by making NTLM the first provider.

You can also view the site traffic with Fiddler to see what's happening when you get challenged for credentials.

mservidio
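The provider reordering this answer describes, done with the IIS `WebAdministration` PowerShell module rather than the IIS Manager UI, together with the anonymous-off / Windows-on settings from the question. This is an added example, not code from the answer; the site name `Default Web Site` is an assumption, and the `Get-WinAuthProviders` helper is mine.

```powershell
# Added example, not part of the original answer. Assumes an IIS 7.5 host
# with the WebAdministration module and a site called "Default Web Site".
Import-Module WebAdministration

$psPath = 'MACHINE/WEBROOT/APPHOST'
$site   = 'Default Web Site'                          # assumption
$auth   = 'system.webServer/security/authentication'

# Reproduce the question's setup: anonymous off, Windows authentication on.
Set-WebConfigurationProperty -PSPath $psPath -Location $site `
    -Filter "$auth/anonymousAuthentication" -Name 'enabled' -Value $false
Set-WebConfigurationProperty -PSPath $psPath -Location $site `
    -Filter "$auth/windowsAuthentication" -Name 'enabled' -Value $true

function Get-WinAuthProviders {
    # Helper (added here): provider names in the order IIS offers them in the
    # WWW-Authenticate headers of its 401 response.
    (Get-WebConfiguration -PSPath $psPath -Location $site `
        -Filter "$auth/windowsAuthentication/providers/add").value
}

Write-Host "Before: $((Get-WinAuthProviders) -join ', ')"   # default: Negotiate, NTLM

# The collection is ordered, so rebuild it: remove both entries, then add
# NTLM first and Negotiate second, which is the answer's workaround.
$providers = "$auth/windowsAuthentication/providers"
foreach ($p in 'Negotiate', 'NTLM') {
    Remove-WebConfigurationProperty -PSPath $psPath -Location $site `
        -Filter $providers -Name '.' -AtElement @{value = $p} -ErrorAction SilentlyContinue
}
foreach ($p in 'NTLM', 'Negotiate') {
    Add-WebConfigurationProperty -PSPath $psPath -Location $site `
        -Filter $providers -Name '.' -Value @{value = $p}
}

Write-Host "After:  $((Get-WinAuthProviders) -join ', ')"   # NTLM, Negotiate
```

Putting NTLM first means Kerberos is no longer used for the site, so you give up mutual authentication and Kerberos delegation; treat it as a diagnostic step. If NTLM-first makes the 401 go away, the usual underlying cause is that Negotiate could not get a Kerberos ticket, most often a missing `HTTP/<hostname>` SPN for the account the app pool runs as, and registering that SPN lets you put Negotiate back in front. In Fiddler, the 401 response's `WWW-Authenticate` headers show the providers in the order configured above, and the client's follow-up request shows which one it actually chose.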