2

Over the weekend our Server Admin set up two virtual Windows 2008 machines with IIS installed and set them up under NLB. I came in and changed the application pool the website was running under to our domain account that has proper access to the database and the file share hosting our .NET web application Sitefinity, and changed it to .NET 4 Integrated. NLB and everything was running fine on both servers. He brought up the third server for our cluster on Tuesday and I performed the same actions.. The only difference was that I was given admin rights for the third server so I could set it up remotely instead of going to his office.

He has full control over the share and NTFS perms on \\hostname\Sitefinity and I believe I only had read access. I pointed the web site to the same \\hostname\Sitefinity\sitename share that the others were on and the authentication/authorization test settings passed. I hit the site from http://localhost (like I did successfully from the other two before trying the cluster's IP address) and I received a HTTP Error 401.3 - Unauthorized. I've verified many times that the application pool is running under the same service account.

I tried hitting just a simple test.htm.. works fine on both of the first two servers but I get the same 401.3 on the third. I copied my dev project to the local inetpub directory and re-pointed the website and that ran perfectly.

I turned on Failed Request Tracing and it acts like it's still running the local IUSR account I guess (instead of my domain account)? Here is an excerpt of the File Cache Access Start and the error from the trace:

FileName
\\hostname\sitefinity\sitename\test.htm 
 UserName
IUSR 
 DomainName
NT AUTHORITY 

----------

Successful
false 

 FileFromCache
false 

 FileAddedToCache
false 

 FileDirmoned
true 

 LastModCheckErrorIgnored
true 

 ErrorCode
2147942405 

 LastModifiedTime

 ErrorCode

Access is denied. (0x80070005)

----------

ModuleName
IIS Web Core 

 Notification
2 

 HttpStatus
401 

 HttpReason
Unauthorized 

 HttpSubStatus
3 

 ErrorCode
2147942405 

 ConfigExceptionInfo

 Notification

AUTHENTICATE_REQUEST

ErrorCode

Access is denied. (0x80070005)

----------

My personal AD account was then granted read/write perms to the share so I created a new application pool and set the site under it in case there was an issue with the application pool but no success.

I created another under my own account and it still failed. It just seems like maybe it's not trying to access the files under the account my application pools are running under although that's the only way I've done things before. I set the Physicial Path Credentials in Advanced Settings on the site to the service account and it threw a 500 error of some sort so I assume that's not the answer (and I don't have to do it on the other servers). It's like somehow I'm trying to force impersonation on the IUSR account or something?

the-wabbit
  • 40,319
  • 13
  • 105
  • 169
Tony
  • 31
  • 4
  • So it sounds like the configuration is inconsistent. If this is a farm, have you tried a configuration sync option, like the Web Deployment Tool (MSDEPLOY)? Or examined the App Pool and Anonymous Authentication settings between each server? Clearly if they're behaving differently, something is different. – TristanK Mar 22 '12 at 21:50
  • Thank you for your suggestions, I'm really at a loss here. Just followed [these instructions](http://learn.iis.net/page.aspx/446/synchronize-iis/) to do an msdeploy push from one of the good servers to the one that's failing. It switched my application pool back so they were named the same but it didn't fix the 401.3. Just verified: All three have Anonymous and Forms authentication enabled; all three are running under app pools with an identity of ourdomain\sitefinity .NET 4.0 Integrated Pipeline. There has to be something different I just can't seem to figure out what. – Tony Mar 23 '12 at 13:30

1 Answers1

1

Wow I feel a little stupid. I noticed there were additional .net 4 app pools on the working servers but didn't Google it well enough the first time: http://msdn.microsoft.com/en-us/library/ie/k6h9cz8h.aspx

C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis -i

And that was it.. In my defense the error it was throwing out seems way off base to me! :)

Tony
  • 31
  • 4