Strange IIS Windows Authentication behavior
Solution 1
I was creating a new MVC 4 ASP.NET web application and ran into the exact same error as you (Error 401.2) when I tried to build my project for the first time.
I changed the options in IIS Manager on my development machine to disable anonymous authentication and enable windows authentication, but I was still getting the 401.2 error.
I did a little research and found out that I could change the properties of my project and resolve this error.
Solution Explorer:
- Select your Project
- Press F4 to show the Properties Window
Properties Window:
- Change 'Anonymous Authentication' to 'Disabled'
- Change 'Windows Authentication' to 'Enabled'
I hope this helps other people if it doesn't solve your specific problem. As long as you have the same settings on your Web Server, it should work as intended.
Solution 2
In the web.config on Server2, do you have: authentication mode="Windows"?
Solution 3
Since IUSR_*
is the default anonymous user and anonymous access is disabled in IIS, it sounds like anonymous access is enabled in your web.config. Please make sure the authorization
section in your web.config looks similar to this:
<authorization>
<deny users="?" /> <!-- Reject anonymous users -->
<allow users="*" /> <!-- Accept all other users (or replace * with a list of users) -->
</authorization>
Solution 4
I had the same issue with IIS7 on a virtual server, my login was directing to a folder called "content". In my web config there was a section "location" containing Forms authenthication settings. However I was setting it up for Windows authentication, so when IIS hit my content folder it didn't know which authentication to use, so returned the error. After removing this from the config it worked fine:
<location path="content">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
Thanks
Comments
-
AJ. almost 2 years
I have an ASP.NET 3.5 web service (old school SOAP, not WCF) running on two servers set up identically in IIS 6.0. The Authentication/Access control is set up as follows:
- Enable Anonymous Access = False
- Integrated Windows authentication = True
- Digest authentication for Windows domain servers = False
- Basic authentication = False
- .NET Passport authentication = False
In one of the web methods, I need to get the Identity of the requesting user and validate that it's in a certain Active Directory group. So, the first line of code in the web method is this:
var requestUser = HttpContext.Current.Request.LogonUserIdentity.Name;
For some reason the results are different between the two servers. Server1 works as expected, producing
domain\UserId
. However, Server2 producesServer2\IUSR_SERVER2
. Has anyone experienced this before? I did find this question, but I'm pretty sure it doesn't apply here as client and both servers are all in the same domain.Additional Info
Based on Heinzi's response, I added the following to the
<system.web>
section in both web.config files:<authorization> <deny users="?" /> <allow users="*" /> </authorization>
Now, Server1 behaves the same, as in, it behaves as I want it to. However, Server2 throws a 401.2: Unauthorized error:
Server Error in '/' Application.
Access is denied. Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.
Version Information: Microsoft .NET Framework Version:2.0.50727.3603; ASP.NET Version:2.0.50727.3053
-
AJ. over 14 yearsYes, both web.configs have this.
-
AJ. over 14 yearsNeither web.config had an
authorization
section. I added exactly what you posted to both. Now, Server1 behaves the same (correctly), and Server2 throws a 401.2 Unauthorized exception. I'm going to update the original post with this information. -
ConsultUtah over 14 yearsFew more things to check: 1. Verify that "Enable Anonymous Access" is false on the virtual directory and any internal directories. 2. Any other web.configs in internal directories?
-
Can Sahin over 14 yearsThanks for the update. In that case, Windows authentication fails for some reason. Since Server2 cannot fall back to anonymous access anymore, it throws an error. Is your client configured correctly? Have a look at this document: msdn.microsoft.com/en-us/library/bfazk0tb.aspx
-
AJ. over 14 yearsI found a few virtual directories on Server2 that had Anonymous Access enabled, and corrected that issue. I also checked any web.config files in internal directories, and all were set to "Windows" with no other overriding factors. The problem persists. Server2's web service is sharing an Application Pool with other websites that allow anonymous access. Could this be part of the problem?
-
AJ. over 14 yearsYes, the client is configured correctly. Actually, these are "test" servers, so I'm using the web services test form on both servers. But the actual client is impersonating a domain user and the same results occur.
-
AJ. over 14 yearsI changed the Application Pool setup so that it is identical to Server1, and it's still happening, so I guess that's out too.
-
Can Sahin over 14 yearsThanks. :-) Hmm... the clients and server2 are in the same domain, right?
-
AJ. over 14 yearsThat's correct. All clients, server1, and server2 are in the same domain.
-
Can Sahin over 14 yearsQuite a challenging problem; and I think it does not have anything to do with the fact that you're running a SOAP web service (which can be tested easily: just add a "simple" aspx page to your web project). One more try: Does IE recognize server2 as "local intranet zone"? (Should be visible in the right-hand corner of the status bar.)
-
AJ. over 14 yearsYea, both servers show up as "Local Intranet." I think at this point I'm going to try and wipe the entire IIS configuration on Server2 and start over. Thanks again for your help.
-
StuartLC over 12 yearsPossibly inherited config differences from root webconfig, machine.config or other?
-
Lefty over 10 yearsWorked for me, thanks. Strange how it isn't set like that from the beginning when you select the 'Intranet Site' MVC template which uses Windows authentication.
-
KDT about 10 yearsAwesome thanks. Something so simple tho... Agree with Lefty - would've made sense if the settings were automatically adjusted with Intranet site.