401 - Unauthorized: Access is denied error from web app running in IIS 7.5 using App Pool Identity


I also had this issue occur when I switched my IIS application pool account from NetworkService to a domain user account. I could not access the site externally (401 - Unauthorized), but on the server itself I could access the site.

The issue seems to be linked with Kerberos authentication. IIS 7 attempts to use Kerberos first and can't authenticate properly - (must require more configuration). If you disable Kerberos, you might find that you can actually access the website from an external machine:

You can perform a quick test to check if your issue relates to Kerberos authentication by:

  • In Internet Explorer open Tools > Internet Options > Advanced > Security > Enable Windows Integrated Authentication - UNCHECK this option. This forces IE to authenticate with your site (or any site) using NTLM only. If you can successfully authenticate, then your issue is that Kerberos isn't fully configured.

This issue occurred for me several times when I migrated sites from IIS6 (defaults to NTLM) to 7 (defaults to Kerberos). I did not want to configure Kerberos, so instead I forced my IIS web server to use only NTLM with the following command: cscript "F:\inetpub\AdminScripts\adsutil.vbs" set w3svc/NTAuthenticationProviders "NTLM"

The default value is "Negotiate,NTLM". To check your existing value, use: cscript "F:\inetpub\AdminScripts\adsutil.vbs" get w3svc/NTAuthenticationProviders

If anyone has a deeper understanding of why Kerberos authentication fails please let me know. Also, if anyone knows how to force NTLM authentication only for specific application pools rather than the entire IIS web server please also let me know.

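Added diagnostic example (not code from the answer above or from IIS itself): in IIS 7 the metabase property NTAuthenticationProviders maps to the windowsAuthentication providers collection in applicationHost.config, and a `<location path="...">` element can override that collection for a single site, which is how one site ends up NTLM-only while the server default stays "Negotiate,NTLM". The script reads a constructed config fragment and reports the effective provider order per site, so you can see where Kerberos (Negotiate) would be tried first; it assumes the standard section path, handles only applicationHost.config `<location>` overrides, and ignores web.config and section locking.

```python
import xml.etree.ElementTree as ET
# Constructed applicationHost.config fragment: the server default offers Negotiate
# before NTLM; "Default Web Site" overrides to NTLM only; "Intranet" just inherits.
SAMPLE_CONFIG = """<configuration>
 <system.webServer><security><authentication>
  <windowsAuthentication enabled="false">
   <providers><add value="Negotiate" /><add value="NTLM" /></providers>
  </windowsAuthentication>
 </authentication></security></system.webServer>
 <location path="Default Web Site">
  <system.webServer><security><authentication>
   <windowsAuthentication enabled="true">
    <providers><clear /><add value="NTLM" /></providers>
   </windowsAuthentication>
  </authentication></security></system.webServer>
 </location>
 <location path="Intranet">
  <system.webServer><security><authentication>
   <windowsAuthentication enabled="true" />
  </authentication></security></system.webServer>
 </location>
</configuration>"""

WINAUTH = "system.webServer/security/authentication/windowsAuthentication"

def _apply_providers(winauth, inherited):
    """Apply one <providers> collection (clear/add/remove) on top of the inherited list."""
    node = winauth.find("providers") if winauth is not None else None
    result = list(inherited)
    for child in (node if node is not None else []):
        if child.tag == "clear":
            result = []
        elif child.tag == "add":
            result.append(child.get("value"))
        elif child.tag == "remove":
            result = [p for p in result if p != child.get("value")]
    return result

def effective_providers(config_xml):
    """Return {path: [providers]} for the server root ('') and every <location>."""
    root = ET.fromstring(config_xml)
    base = _apply_providers(root.find(WINAUTH), [])
    effective = {"": base}
    for loc in root.findall("location"):
        effective[loc.get("path")] = _apply_providers(loc.find(WINAUTH), base)
    return effective

def kerberos_attempted(providers):
    """True when Negotiate is offered first, i.e. the server tries Kerberos before NTLM."""
    return bool(providers) and providers[0] == "Negotiate"
```

Run `effective_providers(SAMPLE_CONFIG)` to get the per-site lists; on a real server, read the same sections out of %windir%\System32\inetsrv\config\applicationHost.config instead of the constructed sample.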


Author: Eric Gatesman

Updated on September 17, 2022

Comments

  • Eric Gatesman (over 1 year)

    I have an ASP.NET app on a Windows 2008 server, IIS 7.5.

    When I try to access web site, I get a login popup. If I click "cancel" I get a 401 - Unauthorized: Access is denied due to invalid credentials. The app is using Windows authentication (anonymous is disabled).
    The app has its own app pool, running under the App Pool Identity. If I change the app pool to run under the NetworkService account, my website functions just fine.

    I'm guessing that this is just a permissions issue, but can't figure out what permissions I need to change.
    I gave the App Pool Identity permissions on the physical directory of the app, but that didn't solve the problem.

  • Eric Gatesman (about 13 years)
    I verified the permissions, paths, etc., but still didn't solve the issue. However, I was able to find a solution to the problem, but I'm somewhat confused. The app pool identity wasn't a member of the IIS_IUSRS group. Once I added it, the site worked just fine. Here's the confusing part. I then went back and removed the app pool identity from the group and it still works. Even after a server reboot. I thought when IIS app pool identities were created, they were automatically in the IIS_IUSRS group. Some sites say yes, others say "at runtime."
  • Scott Forsyth (about 13 years)
    You're right that the app pool identity is automatically injected into the IIS_IUSRS group at runtime. So your situation sounds like some issue prevented that from working as it should. You may find an answer in Event Viewer, but if it works from now on, I would just consider it a rare exception. If it occurs again, watch for clues in Event Viewer and other patterns.
  • Shane (almost 12 years)
    There must be some way to force an application pool to only use NTLM, because SharePoint can create app pools that do exactly that. This issue doesn't occur for a SharePoint IIS site because IIS doesn't even attempt to use Kerberos for that site only.