Why does IIS stop trying to use the machine account to authenticate and falls back to ANONYMOUS LOGON?

I have two load-balanced web servers hosting an application in IIS on Windows Server 2008 R2 SP1 (build 7601). They are both configured the same, and the identity is set to use the ApplicationPoolIdentity with Anonymous Authentication enabled.

The application code contains a use case wherein the application should try to read/write files from a remote NTFS share. From what I understand, the account authenticating should be DOMAIN\MACHINENAME$ which it is most of the time. I have given the NTFS share permissions for both machine accounts, and if the authentication happens over that account everything works great. 

Unfortunately, sometimes after we perform an IIS restart or recycle of the application, the application stops authenticating to the NTFS share using the machine account, and instead it tries to use ANONYMOUS LOGON. What I did to verify this is use Process Monitor to ascertain the application is using the correct identity on both web servers. Process Monitor shows that they are both using IIS APPPOOL\<ApplicationPoolName> and this seems to be correct. On the server hosting the NTFS share, I enabled auditing for success and failures. I can see in the security event log the following:

New Logon:
	Security ID:		ANONYMOUS LOGON
	Account Name:		ANONYMOUS LOGON
	Account Domain:		NT AUTHORITY
	Logon ID:		0x25491bbb45
	Logon GUID:		{00000000-0000-0000-0000-000000000000}


If I attempt to restart IIS or kill w3wp.exe completely, the situation does not get remedied. The only action that appears to work is to reboot the machine completely. If I reboot only one of the web servers, I then can see audit success entries in my event log with the machine account being used.

New Logon:
	Security ID:		DOMAIN\MACHINENAME$
	Account Name:		MACHINENAME$
	Account Domain:		DOMAIN
	Logon ID:		0x254965e8d8
	Logon GUID:		{d17776e1-d04e-423b-f551-344bd3ddd1b2}

Given this information, I cannot seem to reproduce the issue. I haven't found a clear course of action that causes the application to try to authenticate using ANONYMOUS LOGON. What I did find was another user having a very similar situation to my own described here. In this case, the machine account password was being reset resulting in what appears to be a bug. However, I tried the following commands and still was not able to reproduce the issue.

nltest.exe /sc_change_pwd:DOMAIN
iisreset /restart

I also attempted installing this hotfix, but WUSA states that the update doesn't apply to my operating system (regardless of the architecture).

In summary, I would like to understand a few things in more detail:

  1. Is IIS bypassing authentication using the machine account because of invalid credentials? How can I ascertain this better?
  2. Why does restarting IIS not fix this issue? How does IIS choose which account to use?
  3. What other troubleshooting techniques should I try?

Thank you. Your time helping me fix this problem is much appreciated!
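One troubleshooting aid for the third question, as an added example that is not part of the original post or of any answer to it: a small parser that reads exported Security log text in the "New Logon:" shape quoted above, splits it into logon records, and flags the ones where the file server saw ANONYMOUS LOGON instead of DOMAIN\MACHINENAME$. The sample input is constructed from the two excerpts in the question; in practice the text would come from an event log export (for instance from the audit success/failure events the poster enabled), and the field names and layout are assumed to match that excerpt.

```python
"""Flag ANONYMOUS LOGON records in exported Windows Security audit text.

Added example: parses the "New Logon:" block layout shown in the question
above. Assumption: field lines are indented "Key:<tabs>Value" pairs and a
blank line (or the next "New Logon:") ends a block.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the two audit excerpts from the question, concatenated
# the way they would appear in an exported event log text file.
SAMPLE_AUDIT_TEXT = (
    "New Logon:\n"
    "\tSecurity ID:\t\tANONYMOUS LOGON\n"
    "\tAccount Name:\t\tANONYMOUS LOGON\n"
    "\tAccount Domain:\t\tNT AUTHORITY\n"
    "\tLogon ID:\t\t0x25491bbb45\n"
    "\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n"
    "\n"
    "New Logon:\n"
    "\tSecurity ID:\t\tDOMAIN\\MACHINENAME$\n"
    "\tAccount Name:\t\tMACHINENAME$\n"
    "\tAccount Domain:\t\tDOMAIN\n"
    "\tLogon ID:\t\t0x254965e8d8\n"
    "\tLogon GUID:\t\t{d17776e1-d04e-423b-f551-344bd3ddd1b2}\n"
)

# Keys contain only letters and spaces, so the lazy match stops at the first
# colon even when the value itself contains colons.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*?)\s*$")


@dataclass
class LogonRecord:
    security_id: str
    account_name: str
    account_domain: str
    logon_id: str
    logon_guid: str

    @property
    def is_anonymous(self) -> bool:
        # The null session the file server fell back to in the question.
        return (self.account_name.upper() == "ANONYMOUS LOGON"
                and self.account_domain.upper() == "NT AUTHORITY")

    @property
    def is_machine_account(self) -> bool:
        # Computer accounts are named MACHINENAME$ in Active Directory.
        return self.account_name.endswith("$")


def _to_record(fields: Dict[str, str]) -> LogonRecord:
    return LogonRecord(
        security_id=fields.get("Security ID", ""),
        account_name=fields.get("Account Name", ""),
        account_domain=fields.get("Account Domain", ""),
        logon_id=fields.get("Logon ID", ""),
        logon_guid=fields.get("Logon GUID", ""),
    )


def parse_new_logon_blocks(text: str) -> List[LogonRecord]:
    """Return one LogonRecord per 'New Logon:' block found in the text."""
    records: List[LogonRecord] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if line.strip() == "New Logon:":
            if current is not None:
                records.append(_to_record(current))
            current = {}
            continue
        if current is None:
            continue  # text outside any block (other event sections)
        if not line.strip():
            records.append(_to_record(current))
            current = None
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group("key")] = m.group("value")
    if current is not None:
        records.append(_to_record(current))
    return records


def flag_anonymous_logons(text: str) -> List[str]:
    """Logon IDs of records where the share was reached as ANONYMOUS LOGON."""
    return [r.logon_id for r in parse_new_logon_blocks(text) if r.is_anonymous]


def summarize(text: str) -> Dict[str, int]:
    """Counts per category, useful for comparing before/after a reboot."""
    recs = parse_new_logon_blocks(text)
    return {
        "anonymous": sum(r.is_anonymous for r in recs),
        "machine_account": sum(r.is_machine_account for r in recs),
        "other": sum((not r.is_anonymous and not r.is_machine_account) for r in recs),
    }


if __name__ == "__main__":
    for rec in parse_new_logon_blocks(SAMPLE_AUDIT_TEXT):
        tag = "ANONYMOUS" if rec.is_anonymous else ("MACHINE" if rec.is_machine_account else "OTHER")
        print(f"{tag:9} {rec.logon_id} {rec.account_domain}\\{rec.account_name}")
    print(summarize(SAMPLE_AUDIT_TEXT))
```

Running it over a full export taken from the file server lets you correlate the Logon IDs of the anonymous entries with the timestamps of the IIS restart or recycle, which is the kind of evidence needed to tell a credential problem on the web server (the first question above) from an access-check problem on the share.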

