Intranet web app with Windows Authentication requires end user to have file permissions!?

(This issue first posted in ASP.NET forum but moving here since it seems IIS-related)

I have an intranet ASP.NET web app that uses windows authentication. It's installed at dozens of different companies and normally the authentication works fine: users navigate to the site e.g. http://appserver/MyApp, the app recognizes who they're logged in as and displays pages accordingly. I just installed it at a new client and encountered a problem:

When connecting from a workstation, e.g. to http://appserver/MyApp, I'm prompted for windows credentials but after entering them I'm repeatedly prompted. After re-entering credentials several times I'm shown a 401 error page saying "401 - Unauthorized: Access is denied due to invalid credentials.". So not only is it not passing through my identity, but even when entering the username & password it's still denying access.

Giving Read & Execute permissions to the end users of the app solves this problem, but I don't think this should be necessary at all. More details below. 

Some relevant details: 

  • When connecting from the server itself I was prompted for credentials but after entering them I'm authenticated and the application works correctly, including displaying my windows login and connecting to and retrieving data from the db. I later determined that it was prompting for credentials because "http://localhost" was in the trusted sites and therefore not recognised as the Intranet Zone and thus not passing identity through. I also determined that it was working as this user identity because it's an admin user who has file permissions.
  • The web server is running Windows Server 2008 R2 / IIS 7.5. It didn't have IIS on it until I installed it. I installed the default features as well as Windows Authentication, ASP.NET, and possibly a couple of other items. A separate WCF app I installed that uses IIS,  anonymous authentication & .net 2.0 is working fine on that web server.
  • The install process is a manual copy of files, creation of IIS App Pools & web apps, updating connection strings, etc.
  • I checked the IE security settings. It was recognizing the server as in the Intranet zone and had the option 'Automatic logon only in Intranet zone' selected. Also on Advanced Settings the 'Enable Integrated Windows Authentication' option was checked.
  • After installing IIS I ran "aspnet_regiis -i" for .net 2.0 and "aspnet_regiis -iru" for .net 4.0.
  • Anonymous authentication is disabled for my app and Windows Authentication enabled.
  • The app is running on ASP.NET v4 but there's another app I installed experiencing the same issue running ASP.NET v2.
  • The app is running with Identity = Network Service and in 32-bit mode.
  • Network Service has Full Control file permissions to the app folder.
  • Database connection string includes Trusted Connection=True and database permissions are granted to the web server account <domain>\<server>$ e.g. DGM\MyServer$. 
  • In IIS > Authentication > Windows Authentication > Providers the list was Negotiate first then NTLM. I tried reordering so NTLM is first. 
  • In the Windows Security Event Log there were a series of Microsoft Windows security auditing events: Logon and Logoff. They indicated that the Logon was successful and was displaying the User Id of the workstation user. These are from when I'm connecting from another workstation and receive a 401 Unauthorized after several attempts.

In the windows Application Event Log there's a message "File authorization failed for the request" along with Thread account name: NT AUTHORITY\NETWORK SERVICE and User: <the correct workstation user's domain account> (full message below). This suggests that the file access is being performed with the User's identity, not the AppPool identity of Network Service. Sure enough, if I grant the end user Read & Execute permission (I didn't try Read only) to the application's directory then everything works correctly: when the user browses to the site they're authenticated automatically, not prompted, and the web site correctly recognizes their identity! Therefore my workaround solution is to give Read & Execute permission to Everybody on the application directory...but this is not an ideal solution.

This seems very strange. I've never needed to do this before, so far as I recall. Is this a new IIS 7.5 thing? The documentation says that Impersonation is turned off by default. I added an <identity impersonate="false"/> element to the web.config to be sure, removed file permissions other than Network Service, but the problem remained.

I see someone has had this problem reported here but with no solution. 

Any thoughts? Is it normal for Windows Authenticated sites on IIS 7.5 for end users to need file permissions on the web server files? 

Many thanks,

Rory
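An added example, not part of Rory's post or of the application he describes. The Application Event Log message "File authorization failed for the request" is written by ASP.NET's FileAuthorizationModule, which performs an NTFS access check on the requested file using the authenticated end user's Windows token; that check is independent of the <identity impersonate> setting, so Full Control for the application pool identity alone does not satisfy it. The least-privilege response is to grant Read & Execute to a specific group of intended users rather than to Everyone. The PowerShell script below audits an application folder's ACL for broad Read & Execute grants and prints the narrower grant instead. The folder path C:\inetpub\wwwroot\MyApp and the group name DGM\MyApp-Users are assumptions chosen for illustration.

```powershell
# Added example (not from the original post): audit an ASP.NET application
# folder's NTFS ACL for broad Read & Execute grants and suggest a narrower one.
# Assumptions (hypothetical values): app folder and intended end-user AD group.
# Written to run on Windows PowerShell 2.0 and later (Server 2008 R2 ships 2.0).
param(
    [string]$AppPath   = 'C:\inetpub\wwwroot\MyApp',
    [string]$UserGroup = 'DGM\MyApp-Users'
)

$acl      = Get-Acl -Path $AppPath
$readExec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# Collect every Allow entry that contains all of the ReadAndExecute bits.
$report = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and
        (($ace.FileSystemRights -band $readExec) -eq $readExec)) {
        New-Object PSObject -Property @{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

Write-Host "Principals with Read & Execute on ${AppPath}:"
$report | Format-Table Identity, Rights, Inherited -AutoSize

# Principals that grant access to far more accounts than the app's own users.
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$broad = $report | Where-Object { $broadPrincipals -contains $_.Identity }

if ($broad) {
    Write-Warning ("Broad Read & Execute grant on {0} for: {1}" -f
        $AppPath, (($broad | ForEach-Object { $_.Identity }) -join ', '))
    Write-Host 'Narrower grant to a dedicated end-user group (review, then run):'
    # (OI)(CI) = inherit to files and subfolders; RX = Read & Execute.
    Write-Host ('  icacls "{0}" /grant "{1}:(OI)(CI)RX"' -f $AppPath, $UserGroup)
} else {
    Write-Host 'No broad Read & Execute grants found.'
}
```

Run it on the web server from an elevated prompt. Inherited entries from the parent folder (for example the default grant to BUILTIN\Users under inetpub) show up with Inherited = True, which is worth knowing before deciding whether the fix belongs on the application folder or on its parent.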
