
I have a very simple site with only static files in IIS 7 on Windows Server 2008 SP2.

When I try to access any static file I get a 500 error. If I rename an html file to have an aspx extension it works fine.

The site also works fine when using the built-in identity for the application pool. The problem occurs when I switch to using a custom account for the application pool. I have tried using both local and domain accounts to run the application pool under.

I have given full control to these accounts on the website directory and files.

Turning on tracing reveals this error message:
ModuleName: IIS Web Core
Notification: 2
HttpStatus: 500
HttpReason: Internal Server Error
HttpSubStatus: 0
ErrorCode: 2147943746
ConfigExceptionInfo
Notification: AUTHENTICATE_REQUEST
ErrorCode: Either a required impersonation level was not provided, or the provided impersonation level is invalid. (0x80070542)

I have not had any luck with googling the error code.

Brownie

5 Answers


Problem solved: The IIS_IUSRS group was missing from the "Impersonate a client after authentication" right in the local security policy.

Brownie
  • Worked for me, thanks! But in addition, here is how to do it step by step for dummies like me: Start > Local Security Policy > Local Policies > User Rights Assignment > Impersonate a client after authentication > Add User or Group... > Select IIS_IUSRS – Wowe Oct 08 '18 at 06:39
  • But why? Why does the application pool identity require "Impersonate a client after authentication"? – Mick Feb 16 '22 at 06:50

In my environment, due to group policy settings, I wasn't allowed to change the "Impersonate a client after authentication" setting, nor to add the app pool user to the local admins, so I went looking for why the impersonation was happening at all. By default, anonymous authentication was set to use the IUSR user, so the app pool user was trying to impersonate it.

I've changed the anonymous user identity to "Application pool identity" so there's no need for impersonation.

[Image: Anonymous authentication as application pool identity]
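A diagnostic for the two causes discussed in Brownie's answer and in the anonymous-authentication answer above, added here as an example and not posted by any of the answerers: it reports whether IIS_IUSRS holds the "Impersonate a client after authentication" right and which identity anonymous authentication uses for a site. It assumes an elevated PowerShell on the IIS server with the WebAdministration module (IIS 7 and later); the site name is a placeholder.

```powershell
# Added diagnostic, not code from any answer on this page.
# Run elevated on the IIS server; site name is a placeholder.
param([string]$SiteName = 'Default Web Site')

$iisIusrsSid = 'S-1-5-32-568'   # well-known SID of BUILTIN\IIS_IUSRS

# 1. Export the local security policy and read the user-rights assignment
#    for SeImpersonatePrivilege ("Impersonate a client after authentication").
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeImpersonatePrivilege\s*=' |
        Select-Object -First 1 -ExpandProperty Line
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Warning 'SeImpersonatePrivilege not found in the exported policy.'
} else {
    # Holders are listed as *SID (or account names), comma separated.
    $holders = ($line -split '=', 2)[1].Trim() -split ','
    $hasIt = $holders | Where-Object { $_.Trim().TrimStart('*') -eq $iisIusrsSid }
    if ($hasIt) {
        "IIS_IUSRS holds SeImpersonatePrivilege (OK)."
    } else {
        "IIS_IUSRS is MISSING SeImpersonatePrivilege; current holders: $($holders -join ', ')"
        "Fix: Local Security Policy > Local Policies > User Rights Assignment >"
        "     'Impersonate a client after authentication' > add IIS_IUSRS."
    }
}

# 2. Which identity does anonymous authentication use for this site?
#    An empty userName means "Application pool identity" (no IUSR impersonation).
Import-Module WebAdministration
$anon = Get-WebConfigurationProperty `
    -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName
if ([string]::IsNullOrEmpty($anon.Value)) {
    "Anonymous auth on '$SiteName' runs as the application pool identity."
} else {
    "Anonymous auth on '$SiteName' uses '$($anon.Value)'; the app pool account must be able to impersonate it."
}
```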


You can try to change the application pool for this virtual application and give this new pool its own permissions.

To give permissions for a specific pool, just grant them to the user "IIS APPPOOL\YOUR_POOL_NAME".

MNK_real

Windows Server 2016, IIS 10.

This problem can be solved when I give the custom account administrator rights. But I am afraid that the global administrator will remove the administrator rights of this account, so I have to find other solutions.

I can't add "Impersonate a client after authentication".

I also tried Petar Weigand's method, but it didn't work for me.

After a lot of attempts, I found that adding the custom account under "Connect As" can solve the problem.


In addition to Brownie's answer (it is correct, you have to give this right to the app pool account): if IIS sends you this error when you call it using a WCF client (with Windows authentication enabled in IIS), it may be because the flags of the NTLM token given to IIS do not allow it to impersonate the caller.

Modify the config of your client from this (the default):

<behavior name="NewBehavior">
  <clientCredentials>
    <windows allowedImpersonationLevel="Identification" />
  </clientCredentials>
</behavior>

To this:

<behavior name="NewBehavior">
  <clientCredentials>
    <windows allowedImpersonationLevel="Impersonation" />
  </clientCredentials>
</behavior>

Check this article for details: Impersonation and Delegation in WCF

Matthieu