I've got an asp.net app that relies on Request.LogonUserIdentity.Name to be populated with the username of the person logged onto the client machine. In IIS7 on the webserver, I've disabled Anonymous Authentication and enabled ASP.NET Impersonation & Windows Authentication. (I'm logging onto the webserver with a service account, not my own.) When I try to browse to the site from my desktop, I get prompted for my network credentials which fail - 401 Unauthorized... I'm using .Net 3.5 sp Whatever. The server is running IIS 7.5.
Application Pool:
- Managed Pipeline Mode: Classic
- Load User Profile: false
- Identity: ApplicationPoolIdentity
Web Application:
- .NET Auth Rules: Allow All Users
- Enabled auth types: ASP.NET Impersonation, Windows
File-system Folder permissions:
- Creator Owner: Special Permissions
- Machine\IUsr: Read & Execute, List folder contents, Read
- Machine\System: Full Control
- My Domain Account: Full Control
- Machine\Administrators: Full Control
- Machine\Users: Read & Execute, List folder contents, Read
- Machine\IIS_IUSRS: Read & Execute, List folder contents, Read
- Trusted Installer: Full Control
I've tried adding Machine\Everyone and Domain\Domain Users with Read and also with Full Control and I'm still being blocked.
This is most likely from the loopbackcheck when testing locally on the server. I bet it works if you test it from another server.
Turn off the loopback check using method 2 from this page: http://support.microsoft.com/kb/896861. A reboot isn't required for your change.
As for permissions, with impersonation enabled it will need the authenticated user, plus the app pool user will be needed for some things. So, the key permissions to use are SYSTEM, Administrators, "IIS APPPOOL\{apppoolname}" and a group for the possible users that will authenticate.
In IIS 7.5 when you turn on Windows authentication, there is also an option for providers. By default, Negotiate is 1st preference and then NTLM. I've seen issues where negotiate fails because of other setup related issues and then presents the user with a credential challenge. I've been able to work around this by making NTLM the first provider.
You can also view the site traffic with fiddler to see what's happening when you get challenged for credentials.
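As an added example (not code from either answer), this elevated PowerShell session on the IIS 7.5 host applies the changes the answers describe and prints the resulting state so each one can be verified: the KB896861 loopback value, Windows authentication on with NTLM offered before Negotiate, and the app pool identity's read/execute ACL on the site folder. `$siteName` and `$appPool` are assumptions; replace them with your own.

```powershell
# Added example, not from the original answers. Run in an elevated PowerShell on the web server.
Import-Module WebAdministration
$siteName = 'Default Web Site'   # assumption: your site name
$appPool  = 'DefaultAppPool'     # assumption: the site's application pool
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$winAuth  = 'system.webServer/security/authentication/windowsAuthentication'
$anonAuth = 'system.webServer/security/authentication/anonymousAuthentication'

# --- 1. Loopback check (KB896861, method 2) --------------------------------------------
# DisableLoopbackCheck is a server-wide switch: it turns off the mitigation that rejects
# NTLM authentication against local host names, so it suits a lab box or a server that is
# only ever tested locally. Method 1 of the same article (BackConnectionHostNames, listing
# just the site's host names) is the narrower alternative for a production server.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
New-ItemProperty -Path $lsa -Name 'DisableLoopbackCheck' -PropertyType DWord -Value 1 -Force | Out-Null
Get-ItemProperty -Path $lsa -Name 'DisableLoopbackCheck'   # show the value that was written

# --- 2. Authentication: Anonymous off, Windows on, NTLM offered before Negotiate ---------
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter $anonAuth -Name 'enabled' -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter $winAuth  -Name 'enabled' -Value $true

# Rebuild the providers collection in the order the answer suggests (NTLM first).
foreach ($p in 'Negotiate', 'NTLM') {
    Remove-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter "$winAuth/providers" `
        -Name '.' -AtElement @{ value = $p } -ErrorAction SilentlyContinue
}
foreach ($p in 'NTLM', 'Negotiate') {
    Add-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter "$winAuth/providers" `
        -Name '.' -Value @{ value = $p }
}
# List the providers in their effective order for this site.
Get-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter "$winAuth/providers" -Name 'Collection' |
    Select-Object -ExpandProperty value

# --- 3. File-system ACL: the app pool identity needs Read & Execute on the site folder ----
# With impersonation on, the authenticated users need read access as well; grant that to a
# group of the expected users rather than Everyone, as the answer recommends.
$sitePath = [Environment]::ExpandEnvironmentVariables((Get-Item "IIS:\Sites\$siteName").physicalPath)
icacls $sitePath /grant "IIS APPPOOL\${appPool}:(OI)(CI)RX"
icacls $sitePath   # show the resulting ACL
```

After these changes, browse to the site from a second machine as the answer suggests; a Fiddler capture of the 401 challenge should now show the NTLM header offered first.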