
I have an intranet site deployed to IIS in Windows Server 2008 R2.

I would like to use AD authentication. Currently, the site is only running on my development VM, which is NOT joined to a domain.

Within InetMgr I have set "Anonymous Authentication" to "Disabled" and "Windows Authentication" to "Enabled" at both the "Default Web Site" level and the application into which my website is deployed. Enabled Providers are set as Negotiate and NTLM.

I have configured the site to run in an application pool, which I have set to run under the local account "svc.BizTalk". This account has full access to the local folder that contains the website.

On browsing to the site, I am challenged for credentials and then receive a 401.2 error.

In the event log I see the following:

Event code: 4007 
Event message: URL authorization failed for the request. 
Event time: 18/12/2015 14:58:42 
Event time (UTC): 18/12/2015 14:58:42 
Event ID: fdcfe3ec19ef498ca0c0d66ffca3e961 
Event sequence: 2 
Event occurrence: 1 
Event detail code: 0 

Application information: 
    Application domain: /LM/W3SVC/1/ROOT/EsbPortal-1-130949242820806218 
    Trust level: Full 
    Application Virtual Path: /EsbPortal 
    Application Path: C:\BizTalkersTFS\TVS\TVS.ESB.BamPortal\TVS.ESB.BamPortal.Website\ 
    Machine name: TVS-QAN0CEQNRJC 

Process information: 
    Process ID: 15256 
    Process name: w3wp.exe 
    Account name: TVS-QAN0CEQNRJC\svc.biztalk 

Request information: 
    Request URL: http://localhost/EsbPortal 
    Request path: /EsbPortal 
    User host address: ::1 
    User: TVS-QAN0CEQNRJC\Administrator 
    Is authenticated: True 
    Authentication Type: Negotiate 
    Thread account name: TVS-QAN0CEQNRJC\svc.biztalk 

Custom event details:

In the IIS log I see the following:

2015-12-18 14:58:03 ::1 GET /EsbPortal - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/47.0.2526.106+Safari/537.36 401 0 0 2045
2015-12-18 14:58:42 ::1 GET /EsbPortal - 80 TVS-QAN0CEQNRJC\Administrator ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/47.0.2526.106+Safari/537.36 401 0 0 16
2015-12-18 15:02:28 ::1 GET /favicon.ico - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/47.0.2526.106+Safari/537.36 404 0 2 214
2015-12-18 15:02:29 ::1 GET /EsbPortal - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/47.0.2526.106+Safari/537.36 401 0 0 408

Could anyone please advise what I've missed in my configuration? Perhaps the fact that my dev VM is not joined to a domain is causing the problem but I don't think this should be the case. I think the client should be able to authenticate using a local account?

tr0users
  • Have you tried joining the server to the domain? That's a requirement for Windows authentication. Otherwise you need a lot of custom work, which I wouldn't recommend. – Ace Jul 16 '22 at 13:36

1 Answer


From this doc, you are right: it shouldn't matter that you are not on the domain.

https://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication

The <windowsAuthentication> element defines configuration settings for the Internet Information Services (IIS) 7 Windows authentication module. You can use Windows authentication when your IIS 7 server runs on a corporate network that is using Microsoft Active Directory service domain identities or other Windows accounts to identify users. Because of this, you can use Windows authentication whether or not your server is a member of an Active Directory domain.

Did you assign the local administrator, or whichever account you are trying to connect with, to the permissions for the site(s)? In IIS, select the site -> Authorization Rules. Specify who and what type of access.

Mark
  • Yes, I assigned authorization rules at the application level. – tr0users Dec 21 '15 at 10:33
  • Found this on Windows Authentication - "Use Windows authentication only in an intranet environment. This authentication enables you to use authentication on your Windows domain to authenticate client connections" https://technet.microsoft.com/library/hh831496.aspx#Windows Sounds to me actually like you should be using Basic Authentication - https://technet.microsoft.com/library/hh831496.aspx#Basic – Mark Dec 21 '15 at 18:36
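
The IIS log in the question contains two different kinds of 401: requests with no user name logged (the server is still asking for credentials) and one logged as TVS-QAN0CEQNRJC\Administrator that was refused anyway, which matches the event's "Is authenticated: True" and "URL authorization failed". The following triage script is an added example, not part of the original question or answers; the W3C field order is an assumption, since the `#Fields` header is not shown, and the User-Agent values are shortened.

```python
"""Triage IIS W3C log lines: authentication challenge vs. authorization denial."""

# Assumed field order (the question's log omits the #Fields header); it matches
# the 14 space-separated columns of the lines shown on the page.
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken").split()

# Log lines from the question, with the User-Agent value shortened.
SAMPLE = """\
2015-12-18 14:58:03 ::1 GET /EsbPortal - 80 - ::1 Mozilla/5.0 401 0 0 2045
2015-12-18 14:58:42 ::1 GET /EsbPortal - 80 TVS-QAN0CEQNRJC\\Administrator ::1 Mozilla/5.0 401 0 0 16
2015-12-18 15:02:28 ::1 GET /favicon.ico - 80 - ::1 Mozilla/5.0 404 0 2 214
2015-12-18 15:02:29 ::1 GET /EsbPortal - 80 - ::1 Mozilla/5.0 401 0 0 408
"""


def parse(text):
    """Yield one dict per request line; skip '#' directives and malformed rows."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))


def classify(row):
    """Label a request by the stage at which it was refused."""
    if row["sc-status"] != "401":
        return "other"
    if row["cs-username"] == "-":
        # No identity logged: the server is still asking for credentials.
        return "challenge"
    # An identity was logged and the request was still refused, so the cause
    # lies in authorization (URL authorization rules, ACLs), not the credentials.
    return "authenticated-but-denied"


def triage(text):
    """Return (time, user, status.substatus, label) for every parsed request."""
    return [(r["time"], r["cs-username"],
             r["sc-status"] + "." + r["sc-substatus"], classify(r))
            for r in parse(text)]


if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(*entry)
```
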