Kerberos authentication failure

I have a problem, both on a customer's system and my own test system intended to reflect theirs, where access to a file on a website is being denied. The following is a summary of the set-up.

There's a 'Documents' virtual directory under 'Default Web Site':

Default Web Site (-> C:\inetpub\wwwroot)
    Documents (-> E:\Application\Documents)


Application Pools:

DefaultAppPool, which runs as its ApplicationPoolIdentity
ApplicationAppPool, which runs as NetworkService

Default Web Site is configured to run as its ApplicationPoolIdentity.

Authentication is defined at the computer level, with only Windows Authentication enabled. Its only provider is Negotiate:Kerberos.


Trying to open 'http://<Host>/Documents/Test.html' prompts for credentials. No matter what the credentials supplied, this fails with a '401 - Unauthorized: Access is denied due to invalid credentials.' message. This is despite 'Everyone' having been given 'Full Control' (in addition to what should be sufficient access for others) of the 'Documents' folder.


Access to that page is successful in any of these scenarios:

 - 'Default Web Page' runs under 'ApplicationPool'.
 - the 'Documents' virtual directory is converted to an application that runs under 'ApplicationPool'.
 - Anonymous Authentication is enabled for the 'Documents' virtual directory.

According to Fiddler, the client browser is sending the correct header (Authorization: Negotiate YII...etc.), but there's no recognition of this in the server's response.


I'm fairly confident that access to that page had worked, both on the customer's system and my own test system. The problem was reported very recently by that customer, and replicated on my system only today (prior to that, I believe it had worked).

Can anyone offer an explanation for this behaviour?

With thanks.

