I have an authentication problem described below, please let me know if you can point me in the right direction..
Web Server: IIS 7
Server: Windows Server 2008
I have a website set up under IIS 7, using Windows Integrated Authentication. I am able to access the website perfectly from my workstation logged in under own corporate user account (I also have admin permissions on the web server machine). Others in my team are also able to access the site. Some corporate users from outside of my team, are able to access the site perfectly, while others are getting "401.3 Unauthorized: Access is denied due to invalid credentials" error messages.
The application pool identity is NETWORK SERVICE, I have granted permissions to the NETWORK SERVICE user to allow it to read from all necessary file system locations. I have set up Failed Request Tracing Rules to pinpoint why the error is ocurring. When my test user tries to access the site, the failed request tracing log files are telling me that WIA is authenticating the user successfully, then after FILE_CACHE_ACCESS_START fails to complete, the Access is Denied error happens.
I have used process monitor from sysinternals to try to find out what the application is trying to access. There are intermittent 'ACCESS DENIED' results showing up in process monitor, when I view the properties of the event, it shows an 'Impersonation' field, with the value of the client's username. These events are ocurring on an event trying to access a simple root file of the web application, index.php, which is protected with WIA.
I did not add any Impersonation settings to the IIS configuration, and cannot find a good source of information about why it's happening and how to stop it.
Also, I have set up audit logging on the file system, and no errors are showing up there.
After the request, the client user is presented with what looks like a pop up, that resembles what you would see if you were using BASIC authentication.
Here is an excerpt from my failed request log that shows the Windows Integrated Auth success, followed by the 'Access is Denied' error.
| 31. | | NOTIFY_MODULE_START | ModuleName="WindowsAuthenticationModule", Notification="AUTHENTICATE_REQUEST", fIsPostNotification="false", fIsCompletion="false" | 22:11:15.250 |
| 32. | i | AUTH_START | AuthTypeSupported="NT" | 22:11:15.250 |
| 33. | i | AUTH_REQUEST_AUTH_TYPE | RequestAuthType="NT" | 22:11:15.250 |
| 34. | i | AUTH_SUCCEEDED | AuthType="5", NTLMUsed="true", RemoteUserName="Domain\test", AuthUserName="Domain\test", TokenImpersonationLevel="ImpersonationImpersonate" | 22:11:15.266 |
| 35. | i | USER_SET | AuthType="NTLM", UserName="Domain\test", SupportsIsInRole="false" | 22:11:15.266 |
| 36. | i | AUTH_END | 22:11:15.266 | |
| 37. | | NOTIFY_MODULE_END | ModuleName="WindowsAuthenticationModule", Notification="AUTHENTICATE_REQUEST", fIsPostNotificationEvent="false", NotificationStatus="NOTIFICATION_CONTINUE" | 22:11:15.266 |
| 38. | | NOTIFY_MODULE_START | ModuleName="AnonymousAuthenticationModule", Notification="AUTHENTICATE_REQUEST", fIsPostNotification="false", fIsCompletion="false" | 22:11:15.266 |
| 39. | | NOTIFY_MODULE_END | ModuleName="AnonymousAuthenticationModule", Notification="AUTHENTICATE_REQUEST", fIsPostNotificationEvent="false", NotificationStatus="NOTIFICATION_CONTINUE" | 22:11:15.266 |
| 40. | i | FILE_CACHE_ACCESS_START | FileName="D:\wwwroot\project\WebContent\passthrough.php", UserName="test", DomainName="Domain" | 22:11:15.266 |
| 41. | i | FILE_CACHE_ACCESS_END | Successful="false", FileFromCache="false", FileAddedToCache="false", FileDirmoned="true", LastModCheckErrorIgnored="true", ErrorCode="Access is denied. (0x80070005)", LastModifiedTime="" | 22:11:15.266 |
| 42. | r | MODULE_SET_RESPONSE_ERROR_STATUS Warning | ModuleName="IIS Web Core", Notification="AUTHENTICATE_REQUEST", HttpStatus="401", HttpReason="Unauthorized", HttpSubStatus="3", ErrorCode="Access is denied. (0x80070005)", ConfigExceptionInfo="" | 22:11:15.266 |