IIS7 + ASP.NET Impersonation + Windows Auth = 401 Unauthorized
This is most likely from the loopbackcheck when testing locally on the server. I bet it works if you test it from another server.
Turn off the loopback check using method 2 from this page: http://support.microsoft.com/kb/896861. A reboot isn't required for your change.
As for permissions, with impersonation enabled it will need the authenticated user, plus the app pool user will be needed some some things. So, the key permissions to use are SYSTEM, Administrators, "IIS APPPOOL\{apppoolname}" and a group for the possible users that will authenticate.
minameismud
Updated on September 18, 2022Comments
-
minameismud over 1 year
I've got an asp.net app that relies on
Request.LogonUserIdentity.Nameto be populated with the username of the person logged onto the client machine. In IIS7 on the webserver, I've disabledAnonymous Authenticationand enabledASP.NET Impersonation&Windows Authentication. (I'm logging onto the webserver with a service account, not my own.) When I try to browse to the site from my desktop, I get prompted for my network credentials which fail -401 Unauthorized.... I'm using .Net 3.5 sp Whatever. The server is running IIS 7.5.Application Pool:
- Managed Pipeline Mode: Classic
- Load User Profile: false
- Identity: ApplicationPoolIdentity
Web Application:
- .NET Auth Rules: Allow All Users
- Enabled auth types: ASP.NET Impersonation, Windows
File-system Folder permissions:
- Creator Owner: Special Permissions
- Machine\IUsr: Read & Execute, List folder contents, Read
- Machine\System: Full Control
- My Domain Account: Full Control
- Machine\Administrators: Full Control
- Machine\Users: Read & Execute, List folder contents, Read
- Machine\IIS_IUSRS: Read & Execute, List folder contents, Read
- Trusted Installer: Full Control
I've tried adding
Machine\Everyone andDomain\Domain Userswith Read and also with Full Control and I'm still being blocked.-
Admin almost 13 yearscan you look at the servers security event log or IIS log and see what user account is in the logon event / log record ? -
Admin almost 13 yearswhen you said the user account is in the security log, was the status success or failure ?
-
minameismud almost 13 years"An account was successfully logged on." The values under the "Subject" header are blank or null; logon type = 3; values under "New Logon" header are my information.
-
Admin almost 13 yearsthis means you have logon rights to the machine, but the web server turns you down. so i`m guessing that the user permissions for iis folders are amiss. theres a good kb here that deals with exactly this problem, i hope it helps.
-
minameismud almost 13 yearsUnfortunately, that link appears to only contain information for IIS6. I still looked it over and attempted to re-apply permissions to the folder under inetpub\wwwroot. Still getting the 401.
-
Admin almost 13 yearsdoes your app go get data from a database on another machine (not the web server machine)?
-
minameismud almost 13 yearsYes, mssql 2008, but that's via a sql login. It also pulls data from MOSS 2007, but the error would be different (seen plenty of those).