I have made an ASP.NET MVC 3 Intranet site with Windows Authentication enabled:
- in the Visual Studio project file properties
- in the web.config, i.e.
<authentication mode="Windows"/> - on the site properties in the IIS 7.5. server
Anonymous access is disabled for all these three above, the web.config says <deny users="?"/>. Impersonation is disabled in the web.config by identity <impersonate="false"/> and on the site properties in the IIS 7.5 server. And finally, the NETWORK SERVICE is set to run the app pool and also has Read on the site folder (not sure if it's needed though, you tell me, but it sure ain't enough to solve my problem below).
Now, when logging in through the standard Windows Authentication dialog box, domain users are presented with a 401.3 error after three valid login attempts. This seems to be before even reaching my MVC site's code, i.e. it seems completely IIS related. The event log gives the following kind of entry (it's an Information entry, not an Error, and I've obfuscated it a bit to protect my client) for all the users that has tried to log in:
Event code: 4008
Event message: File authorization failed for the request.
Event time: 2012-02-20 18:45:41
Event time (UTC): 2012-02-20 17:45:41
Event ID: 6dd3b4bf99784ba1a0fe06694dd89691
Event sequence: 3
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/2/ROOT-1-129742335229554599
Trust level: Full
Application Virtual Path: /
Application Path: D:\Public\BlahblahManager\
Machine name: HUB01-XYZ123
Process information:
Process ID: 2920
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
Request information:
Request URL: http://blahblahmanager.user.ad.blah.com/
Request path: /
User host address: 134.XXX.XXX.XXX
User: USER-AD\teh-user
Is authenticated: True
Authentication Type: Negotiate
Thread account name: NT AUTHORITY\NETWORK SERVICE
Custom event details:
It is only when I specifically grant USER-AD\teh-user or USER-AD\Domain users the Read permission on the site's root folder (D:\Public\BlahblahManager) that the user can log in and actually see the site.
Why is this? There must be some kind of configuration that I'm missing. Shouldn't it be enough that the NETWORK SERVICE has Read on the site's root folder? I've Googled this for a while, and impersonation is mentioned here and there, but the jury is still out it seems. Some sites claims that you should go with impersonation and they provide examples on how to do it, but when I try out the examples it still doesn't work. Other sites says that impersonation is NOT the way to go and that you NEED to grant the folder permissions in these cases. But that seems such an odd thing to do. Users have no business on the actual server, they should be working through the website only.
Any suggestions? What is usually the minimum amount of configuration needed to get this to work? Any tips on how to troubleshoot this kind of problem and get to the root cause?
File authorization failed for the requesterrors with authenticated user listed and Network Service as thread identity, running app pool as NetworkService, IIS 7.5, 401 error after entering credentials). Currently my only way to get around it is granting Everyone (or a specific group of users) access to the files, which seems a terrible solution. I've installed the same app on dozens of customer servers and not needed to do this. Possibly something peculiar to IIS 7.5 although I've installed there before and don't recall this problem. – Megadeath