I have created an asp.net website that is to be accessed from client browsers running on the same domain.
I've hosted the site on IIS 7.5
I have disabled Anonymous Authentication and Enabled Windows Authentication from the Features View under the IIS section.
I have added the following in the web.config for the site:
<authorization>
<allow users="group\BizTalk Application Users" />
<deny users="?" />
</authorization>
I am able to open the website from a browser when running on the server that is hosting the site. However, if I then logon to a different server in the same domain, using the same credentials, when I try to browse to the site I get an http 403 error.
After getting no joy with the above I tried disabling all security to the site. I disabled Windows Authentication and enabled anonymous authentication but still I get the same error. I checked the IIS log on the server and can see that the sub code for the 403 is 18.
I've run fiddler on the client and see the following request / response:
Request
GET http://tst-bts01/Vasanta.Int.SEOPSupportApp/Orders.aspx HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms- powerpoint, application/msword, */*
Accept-Language: en-GB
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: tst-bts01
Response
HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 29 Jan 2013 10:24:34 GMT
Content-Length: 0
I've tried changing the app pool that hosts the site. I've tried disabling the call the corporate proxy (isa server), running out of ideas now.
Can anyone tell me what I've done wrong?
Thanks, Rob.
