Develop Reference

IIS 8.5 Prompting for Credentials with Windows Authentication

I'm getting a prompt for credentials on a website in IIS 8.5 running on Windows 2012 that I cannot explain.
App Pool is running under a custom identity that is a member of Administrators and IIS_IUSRS on the server.
I have the following setting on the Web Site:
Anonymous Authentication = Disabled
ASP.NET Impersonation = Enabled
Windows Authentication = Enabled
useAppPoolCredentials = True
My web.config has:
<authentication mode="Windows" />
<identity impersonate="true" />
<authorization>
<allow users="*" />
</authorization>
I've ruled out folder security by temporarily granting Full Control to Everyone.
The real weird part is that I have the same App Pool, Web Site, and Folder setup on another node in my NLB cluster and it does not prompt for credentials.
I've also compared ApplicationHost.config files between the two servers and did not find any significant differeneces.
Where else could there be a difference between the two servers?
Update from questions in comments:
The HTTP status code is 401.2.5. FailedReqLog:
<failedRequest url="http://url-myapp.com:80/"
siteId="4"
appPoolId="myapp"
processId="14368"
verb="GET"
authenticationType="NOT_AVAILABLE"
activityId="{8000002B-000E-FF00-B63F-84710C7967BB}"
failureReason="STATUS_CODE"
statusCode="401.2"
triggerStatusCode="401.2"
timeTaken="0"
xmlns:freb="http://schemas.microsoft.com/win/2006/06/iis/freb"
>
AppPool is in Integrated mode
It does allow after entering credentials

Forms Authentication fails to redirect to Login

I am developing a WebForms project in VS 2017 and I would like to add Forms Authentication so that anonymous users cannot access a specific page (called Resources). So far, my Login page is logging in users as it should, authenticated users have access to Resources, and all users can browse my non-protected pages.
Here's my problem: Whenever an anonymous user attempts to access Resources, a server error occurs instead of being redirected to the Login page. In IIS Express the error message is "HTTP Error 401.0 - Unauthorized. You do not have permission to view this directory or page". In Local IIS it says "Error message 401.2: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server.
I believe the browser and server are trying to authenticate using different methods, but I can't figure out how to fix this.
In IIS manager, I've enabled both forms and anonymous authentication and disabled the other methods for my website. For anonymous auth, I've tried setting the user to IUSR as well as Application pool identity while running on DefaultAppPool with full security permissions - neither worked. And for Forms auth, the parameters match my web.config file, aka same name and login url (not sure if that matters).
Here is the authentication and authorization code in my web.config:
<authentication mode="Forms">
<forms name=".ASPXAUTH" defaultUrl="Index.aspx" loginUrl="Login.aspx" />
</authentication>
</system.web>
<location path="Resources.aspx">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
Am I missing something obvious? Are there other settings I should check out? Any help is immensely appreciated!

IIS / Windows Authentication

I have a simple HTML site that I need to add windows authentication to so that I can limit certain resources.
I currently have the site running in a dev environment (IIS on my local machine) and I cannot seem to achieve the results that I need.
The main site needs to be open......anyone can access it. However, the subpages and their resources (downloadable pdfs and such) need to be blocked to certain AD security groups.
1) Using the web.config file below - the WHOLE site is asking for authentication (which is not what I want) and once I provide authentication, I am NOT being blocked from the location path that I provide.
2) This web.config IS NOT what my final one will look like, I was just testing to see if I could block a resource before I actually drop in my real allow/deny logic
Here is my simple web.config file:
<configuration>
<system.web>
<authentication mode="windows" />
</system.web>
<location path="district/district.html">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>

To secure a Single Page or document in IIS 7.5 with Windows authentication simply follow these steps:
1. Open IIS 7 Manager.
2. Click on “Content View “at the bottom of the IIS 7 Manager and navigate to the file you want to password protect.
3. Right click on the target file and choose “Switch to Features View”.
4. Double click on Authentication under IIS Area.
5. Disable “Anonymous Authentication”.
6. And Enable “Windows Authentication”.

Issues getting NTLM authentication in an intranet app on IIS6 w/IE 9

I have an intranet web app running in a virtual directory on a Win 2003 server. I would like to have the app pick up the user name for personalization.
In the web.config I have set the following:
<authentication mode="Windows" />
<identity impersonate="false"/>
<authorization>
<allow users="*" />
<deny users="?" />
</authorization>
In IIS 6 I have set directory Security set to Integrated Windows authentication and have Enable Anonymous access disabled.
In IE9 I have the site address set in the local intranet zone and Integrated Windows Authentication enabled.
If I access the site with Chrome or FF I get a login prompt and I can enter the username/password and everything works but if I go to the site with IE9 I get a 401 error.
The goal is to pickup the username so that I can do personalization of web parts and log access to certain areas.
Any ideas on how to make this work? Chrome and FF are not options, IE is our standard.
TIA
J

ImageOptimizations\App_Sprites\blank.gif Access is denied

To optimize the images and automatically generate CSSprites use a microsoft package called Sprite Optimization and Image Preview 4
Error
Locally everything works perfectly, but to publish my site the following error occurs:
Access to the path 'D:\Hosting\8399780\html\dev\App_Sprites\blank.gif' is denied.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.UnauthorizedAccessException: Access to the path 'D:\Hosting\8399780\html\dev\App_Sprites\blank.gif' is denied.
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
To grant ASP.NET access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
Attempt
In an attempt to resolve the problem within 'App_Sprites' folder, added the following web.config:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<system.webServer>
<security>
<authorization>
<add accessType="Allow" users="*" />
</authorization>
</security>
</system.webServer>
</configuration>
'blank.gif' image is not used anywhere in my application!
Inside the App_Sprites folder there are a only one subfolder called hire;

I believe that this framework is trying to write a blank.gif file to that directory. You need to give the account under which the IIS app pool runs write access to that folder in windows.