IIS 10.0 anonymous authentication produces 401.3

I am hosting a site on IIS 10.0 on my local network with anonymous authentication as the only enabled option. Previously, only the computer hosting the site could log in and every other computer on the network was blocked entirely.
Then, I disabled the firewall on the necessary port, but that led to other devices on the network being prompted for credentials.
Then, I went to inetpub\wwwroot and it wasn't shared, so I shared read permissions with IIS_IUSRS and under the security tab it now has "read & execute," "List folder contents," and "read" checked.
Now other devices are still prompted for credentials AND the very computer that hosts it is denied access. Not even prompted for credentials, just given the IIS error page for 401.3.
Every resource I've found says the security tab is all I need. What am I missing? I can't just continue developing without this, as I'm developing with PHP and so I need an actual server running this.

Anonymous Auth on IIS works by assigning a user to the incoming request. This is configured under the authentication options. If you check the applicationHost.config, you would see something like this:
<authentication>
    <anonymousAuthentication enabled="true" userName="IUSR" />
</authentication>
This is the UI.
There is another factor that comes into play, which is the Application Pool Identity. To check whether this is a permissions issue, change the application pool identity to Local System.
If the above works, then it is definitely a permissions issue.
To investigate this you can run procmon.exe. Add a filter on RESULT for ACCESS DENIED and then proceed further.
There is a blog post which talks about troubleshooting 401.3 errors using Procmon. Here is the link: https://blogs.msdn.microsoft.com/webtopics/2009/06/25/troubleshooting-http-401-3-errors-with-process-monitor/
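
To see which accounts the answer above refers to and which NTFS rights they actually hold on the content folder, the following PowerShell can be run from an elevated prompt. It is an added example, not part of the original answer, and it assumes the WebAdministration module and a site named 'Default Web Site'.

```powershell
Import-Module WebAdministration

$siteName = 'Default Web Site'   # assumption: replace with the affected site

$site     = Get-Item "IIS:\Sites\$siteName"
$root     = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
$poolName = $site.applicationPool
$pool     = Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel

# Account assigned to anonymous requests. An empty userName means IIS
# uses the application pool identity instead of IUSR.
$anonUser = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName
if ($anonUser -isnot [string]) { $anonUser = $anonUser.Value }
if ([string]::IsNullOrEmpty($anonUser)) { $anonUser = '(application pool identity)' }

[pscustomobject]@{
    Site          = $siteName
    PhysicalPath  = $root
    AnonymousUser = $anonUser
    AppPool       = $poolName
    PoolIdentity  = $pool.identityType
} | Format-List

# ACEs on the content folder for the accounts a request can run as.
# A Deny entry or a missing Read entry here is the usual source of a 401.3.
$wanted = 'IUSR', 'IIS_IUSRS', "IIS AppPool\$poolName", 'Users', 'Everyone'
(Get-Acl -Path $root).Access |
    Where-Object {
        $id = $_.IdentityReference.Value
        $wanted | Where-Object { $id -like "*$_" }
    } |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

The script only reads configuration and ACLs, so the output can be compared before and after a permissions change.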

Related

Kerberos challenge for every request

I hosted a few applications in IIS (version 10) with Kerberos authentication, and all web applications are configured under a single web site.
Only windows authentication is enabled.
What I observed is I get 401 followed by 200 for every request.
And the expectation is 401 for the first call, then 200 for all subsequent calls from the same client to the same API, since it's already authenticated.
I tried applying authPersistSingleRequest="false" for windows authentication.
Note: This was done after referring to 3 requests for every resource (2 x 401.2 and 1 x 200) in a windows authenticated asp.net mvc app
Then I can see that one API (web application) is working as expected now, and we still have an issue with another API (in a different web application).
Can anyone help me understand whether there are any other settings, apart from what I mentioned above, to make it work as expected?
Make sure you configured the SPN account properly with the application pool.
Open IIS Manager and select the Configuration Editor.
In the dropdown menu select system.webServer > security > authentication > windowsAuthentication
Set useAppPoolCredentials to True.
In Internet Explorer, add the site address to the list of trusted websites and specify Automatic logon with a current user name and password in User Authentication -> Logon in Trusted Zones Sites settings.
Refer to the link below for more detail:
Troubleshoot Kerberos failures in Internet Explorer
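
When one application behaves and another under the same site does not, the settings named in the answer above can be compared side by side. This PowerShell is an added example, not part of the original thread; it assumes the WebAdministration module and a site named 'Default Web Site'.

```powershell
Import-Module WebAdministration

$siteName = 'Default Web Site'   # assumption: the site hosting the applications
$filter   = 'system.webServer/security/authentication/windowsAuthentication'
$names    = 'enabled', 'authPersistSingleRequest', 'useAppPoolCredentials', 'useKernelMode'

# Site root plus every application configured under it
$targets = @([pscustomobject]@{
    Path = "IIS:\Sites\$siteName"
    Pool = (Get-Item "IIS:\Sites\$siteName").applicationPool
})
$targets += Get-WebApplication -Site $siteName | ForEach-Object {
    [pscustomobject]@{
        Path = "IIS:\Sites\$siteName" + $_.path.Replace('/', '\')
        Pool = $_.applicationPool
    }
}

$report = foreach ($t in $targets) {
    $row = [ordered]@{ Path = $t.Path; AppPool = $t.Pool }

    # The account the pool runs as is the one the SPN must be registered for
    $pm = Get-ItemProperty "IIS:\AppPools\$($t.Pool)" -Name processModel
    $row.PoolIdentity = $pm.identityType
    $row.PoolUser     = $pm.userName

    foreach ($n in $names) {
        $v = Get-WebConfigurationProperty -PSPath $t.Path -Filter $filter -Name $n
        # Some attributes come back wrapped in an object with a Value property
        if ($v -isnot [string] -and $null -ne $v.Value) { $v = $v.Value }
        $row[$n] = $v
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize
```

Rows that differ in authPersistSingleRequest, useAppPoolCredentials or the pool account are the first place to look.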

Users cannot access web site hosted on IIS, configured with Windows Authentication ON

I’m currently developing a web site that uses windows authentication, with ApplicationPoolIdentity configured with Identity=Application Pool. I can connect by logging in with my administrator user when asked by the browser and it works perfectly, but if any other user tries to access it, the browser asks for the credentials 3 times and then it throws a 401 Error.
Test scenarios:
If the server is configured with Anonymous Authentication ON, everybody is able to open the page.
If I try to set the application pool Identity to a regular user account, IIS doesn’t recognize the user/password provided.
The folder C:\inetpub\ was set with full control to Everyone, but the users can’t connect anyway.
The folder C:\inetpub\ was set with full control to a specific user, but the user can’t connect anyway.
Following a recommendation from another post, the following section was added to the web.config :
<authorization>
    <allow users="*"/>
</authorization>
The windows logs in the Event Viewer don’t store anything about a failed login.
Thanks for your comments.
Update
I enabled and added Failed Request Tracing Rules to the web site.
This was the result:
ModuleName :IIS Web Core
Notification : AUTHENTICATE_REQUEST
HttpStatus : 401
HttpReason : Unauthorized
ErrorCode : Access is denied (0x80070005)
I searched for this error, but the posts tell me it may be permissions; I set Everyone to full control and it isn't working.

Can't use a domain username as a specified user in IIS 10.0

I am having a problem when I try to use a domain user as the specified user name in Basic Settings -> Connect as. I want to access a shared folder that is located on another server.
The web server always says that the username or password isn't correct and always throws a 500.19 error when I start to browse the application.
However when I explore the app from IIS, it can be opened. I even tried a remote login to the server using the same username and password and it's just fine.
The server I am using for running the web server is a Workgroup computer and in a DMZ. Is that a reason why IIS can't authenticate the domain user?
Sorry for my terrible English here, because I'm in a panic situation right now. I hope you can understand what I'm asking about and hope somebody has an answer. Thanks
You're right, if your computer is not joined to the Active Directory domain, you won't be able to authenticate using a Domain account.
Should the site be publicly accessible? If so, you would want to set your authentication to Anonymous and then configure the authentication settings to authenticate either as a built-in user (NETWORK SERVICE, AppPoolIdentity) or a local machine user created specifically for the application.

Mysteriously appearing required NT authentication after Classic ASP site update?

A developer posts their code from a staging site (which requires authentication) to the live public site (which should not) and suddenly the live site is requiring authentication (which is not good).
They don't have permissions to change any settings on the server(s) and there is no call from the code on the live site to anything on the staging site, that I can locate. (No forgotten calls to an image on the staging site or anything)
Can the group think of some file that might have been removed/changed that could cause this to happen? I checked this question as well - [HTTP Authentication in ASP Classic via IIS] - but none of those methods are being used.
App is Classic ASP, IIS6.0 server.
Security Settings - Anonymous Access permitted on the live site. Account for anonymous internet users allowed read access to the directory where the site is located - user is unable to change directory or site permissions on the server.
Thanks!
Did the files retain their security permissions from the folder they were copied from? Reset the permissions on the files.
Are you using a four-part URL to get to the site (http://www.somesite.com/)? That will default to the Internet zone and not intranet, prompting for authentication.
User will get challenged when Anonymous Access is turned off in IIS. What are the security settings? Without that information, we will not be able to help much.

How do I set up IIS 6 with anonymous access for local asp.net webforms development?

When I set up IIS6 to develop projects locally I have to enable "Integrated Windows Authentication" under directory security in order for my CSS & Images to show up. (Note: I have double checked that network service has rights to all directories in my web application)
However this often causes my browser to prompt me for windows login username and password when I am running the application.
Is there any way to get around entering a windows login password all the time?
(I am using windows xp pro 64bit)
Maybe it is some problem with the Kerberos authentication to your web site. Just disable it on your site. From the c:\Inetpub\AdminScripts directory, run this command:
cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "NTLM"
Or change the authentication to anonymous. And make sure that the user in the directory security tab (IUSR_computername) has access to said directories. It is not the application pool user that accesses files and other resources.
Well it certainly is not as it's supposed to be!
You say you've double checked that Network Service has access to the directories. But with anonymous access, the account that needs access is the IUSR_[machinename] account. The account is specified under the Directory Security tab.
If all else fails, for local development you might as well grant everyone access to the directories.
