I'm installing a web application on an IIS 7.5 server (Win Server 2008 R2) and having problems with windows authentication. I've done this install dozens of times but this one has me stuck, so any suggestions very welcome.


Only Administrators can connect to my website via Windows Authentication, but I want all users to be authenticated. An admin can connect both from the machine via localhost and from another workstation. Other users are prompted for credentials instead of being authenticated automatically, and are denied access. This is despite giving Everyone Full Control of the web directory.

Detailed scenario:

  • Web application created, using an Application Pool running as NETWORK SERVICE. Windows Authentication enabled, all others disabled. Windows Authentication has kernel mode = true (i.e. the IIS default), and Providers are ordered NTLM, Negotiate (although I tried the other way around too). All logins are on the same domain, and the web server is on that domain.

  • App is installed at C:\MyApplication\App\

  • When logged in to the server (as an admin account) I can navigate to http://localhost/MyApp and am authenticated automatically.

  • When logged in to the server (as an admin account) I navigate to http://webserver.full.domain.com/MyApp and am prompted for credentials. After entering them 3 times I get 401.1 Unauthorized page.

  • When logged in to a workstation as a regular user account and I navigate to http://webserver/MyApp I'm prompted for credentials 3 times and then shown an Access Denied message.

  • When logged in to a workstation as the admin account that works when on the server I can also navigate to http://webserver/MyApp and am automatically authenticated. Logging in with other accounts doesn't work. This seems particularly weird to me, suggesting that it's just about permissions ... yet permissions seem fine?!

  • There are no Failures logged to the Security event log, even with detailed Kerberos logging enabled as per this article.

  • The SPNs appear to be set up correctly, in that I used "setspn -L servername" from another machine and saw two entries HOST/servername and HOST/servername.full.domain.com.

  • There's another app on the server that runs as NETWORK SERVICE, uses Anonymous Authentication in IIS, then uses SQL Integrated Security to connect to SQL Server. It's not using impersonation therefore connects to SQL Server as the machine identity DOMAIN\SERVER$. This works fine. I mention this as it suggests the machine doesn't have fundamental problems on the domain, since its identity is accepted by the SQL Server.

  • I have given NETWORK SERVICE Full Control to the web server folder where the application is (C:\MyApplication\). I've given Authenticated Users Read/List/Execute permission. Internet Explorer from workstations correctly identifies http://webserver/MyApp as in the Intranet Zone.

  • Internet Explorer has Windows Authentication enabled.

  • I also tried creating another Virtual Directory to C:\MyApplication\test, with a single file in it test.html, also with Windows Authentication only enabled and also with appropriate permissions. Same symptoms, but I get a 401.2 Unauthorized instead of 401.1.

  • The server didn't have the IIS Role installed initially so I added that. I forgot to select 'Windows Authentication' the first time through so added this Role Service when I got to the point of trying to turn on Windows Authentication for my Application.

  • When I initially installed the IIS Role and navigated to http://localhost the Default App Pool stopped and I was shown a server failure message. Switching the Default App Pool to run as Network Service resolved this problem. I now wonder if this meant there were other problems on the server that could be causing my authentication issues. e.g. this hotfix, although when running as NETWORK SERVICE that shouldn't affect me.

  • Restarted the server and retested, just in case. No luck.

  • Created a test file c:\inetpub\wwwroot\testwwwroot\test.html, set Windows Authentication only on the Web Site and tried to access it from a workstation. Same symptoms. Therefore it's a problem that applies to wwwroot as well as other folders.

  • Gave Everyone Full Control to the folder and retested, still no access.

  • Gave the end user Full Control to the folder and retested, still no access.

  • From IE put the site into Trusted Sites (instead of Intranet Zone) and retested, no luck. Removed so it's once again Intranet Zone.

  • Changed IE settings for the Intranet Zone to "Automatic logon with username & password", still no access.

  • Removed Negotiate as an option so it would force NTLM only, still no access.

  • Tested from workstation using http://<ipaddress>/Myapp instead of server name. Prompted for credentials (expected) but prompted 3 times when entering correct details and then no access.

  • Tried adding Network Service as a member of IIS_IUSRS group (no particular reason why this might help), still no access.

  • Changed the Default App Pool's identity from NETWORK SERVICE back to ApplicationPoolIdentity. Navigated to http://localhost from server and got Server Error. In the event log were the following messages:

ERROR: Application pool DefaultAppPool has been disabled. Windows Process Activation Service (WAS) encountered a failure when it started a worker process to serve the application pool.

WARNING: The identity of application pool DefaultAppPool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

WARNING: Application pool DefaultAppPool has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.

  • Setting the identity back to NETWORK SERVICE resolved the above problem. But I do wonder if this is related.

  • I used F12 dev tools to see request/response headers: The server was sending WWW-Authenticate: Negotiate and WWW-Authenticate: NTLM when testing from the workstation. IE wasn't sending anything WWW-Authenticate related in the Request headers. When doing the same test from IE on the server (where it does authenticate correctly) the Response Header was WWW-Authenticate: Negotiate <then a long securitytoken like oRswGaADCg....>

  • I've compared the applicationHost.config file from the server with my local one and don't see any glaring issues. For example the WindowsAuthenticationModule is listed, so it's not like this problem.

I'm pretty stuck on this one...

Any suggestions on what I should try or look at to troubleshoot further greatly appreciated.

(Also posted on IIS forums here)

Problem solved. The client had created the Computer account in the wrong OU: it was in the Computers OU instead of Servers. Probably this meant it got some GPO settings that blocked access from non-admin accounts ... or something along those lines.

I'll try to get hold of gpresult.exe output before & after the fix to determine exactly what policy caused this.

For anyone troubleshooting similar problems I recommend this blog post. It didn't solve the issue for me, but refers to various useful things for looking into Kerberos issues.

I noticed a similar issue after upgrading server from .NET 4.5 to .NET 4.6.

After upgrading .NET on the server, all my sites in IIS that were working now stopped working with this 401.2 error about unauthorized access ...blah blah.

"What gives! - they were working 20 minutes ago."

After looking in IIS7 I noticed that only "Anonymous Authentication" was now enabled instead of formerly being disabled and "Windows Authentication" was no longer enabled. Hence the problem since my sites only supported Windows Authentication.

Moral of story = Double Check authentication modes in IIS7

Question to ponder: How did the Authentication Modes in IIS7 all reset to the default of "Anonymous Authentication" enabled? Was it due to the upgrade of .NET 4.6?
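One way to do that "double check" on every site at once, as an added example that is not from either of the posts above: a PowerShell audit using the WebAdministration module (assumed present on IIS 7.5 or later, run elevated on the web server) that lists the Windows/Anonymous state, kernel mode and provider order per site and warns on the exact drift described, Windows off with Anonymous on.

```powershell
# Added example, not from the original posts. Assumes the IIS WebAdministration
# module is available and the script is run in an elevated session on the server.
Import-Module WebAdministration

$authBase = 'system.webServer/security/authentication'

function Get-SiteAuthState {
    param([string]$SiteName)

    $site = "IIS:\Sites\$SiteName"
    $win  = Get-WebConfigurationProperty -PSPath $site -Filter "$authBase/windowsAuthentication"   -Name 'enabled'
    $anon = Get-WebConfigurationProperty -PSPath $site -Filter "$authBase/anonymousAuthentication" -Name 'enabled'
    $kern = Get-WebConfigurationProperty -PSPath $site -Filter "$authBase/windowsAuthentication"   -Name 'useKernelMode'
    # The providers collection holds one element per provider, in negotiation order.
    $prov = Get-WebConfigurationProperty -PSPath $site -Filter "$authBase/windowsAuthentication/providers" -Name 'Collection'

    [pscustomobject]@{
        Site          = $SiteName
        WindowsAuth   = [bool]$win.Value
        AnonymousAuth = [bool]$anon.Value
        KernelMode    = [bool]$kern.Value
        Providers     = ($prov | ForEach-Object { $_.value }) -join ','
    }
}

# Collect the state of every site once so it can be both displayed and checked.
$report = Get-Website | ForEach-Object { Get-SiteAuthState -SiteName $_.Name }
$report | Format-Table -AutoSize

# Flag the reset described in the post above: Windows Authentication disabled
# while Anonymous Authentication is enabled on a site that should be Windows-only.
$report | Where-Object { -not $_.WindowsAuth -and $_.AnonymousAuth } | ForEach-Object {
    Write-Warning "$($_.Site): Windows Authentication is disabled and Anonymous is enabled"
}

# Also flag sites that have Windows Authentication on but no providers left,
# which produces the same 401.2 symptom from the client's point of view.
$report | Where-Object { $_.WindowsAuth -and -not $_.Providers } | ForEach-Object {
    Write-Warning "$($_.Site): Windows Authentication is enabled but no providers are configured"
}
```

Run it before and after a framework upgrade or role change and diff the two tables; a site that silently flips from Windows to Anonymous shows up as a warning rather than as a 401 from the first user who tries it.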

