I'm installing a web application on an IIS 7.5 server (Win Server 2008 R2) and having problems with windows authentication. I've done this install dozens of times but this one has me stuck, so any suggestions very welcome.
Summary: only Administrators can connect to my website via Windows Authentication. This works both from the machine via localhost and from another workstation. Other users are prompted for credentials instead of being authenticated automatically, and are denied access. This is despite giving Everyone Full Control of the web directory.
Here's the scenario:
- Web application created, using an Application Pool running as NETWORK SERVICE. Windows Authentication enabled, all others disabled. Windows Authentication has kernel mode =true (i.e. the IIS default), and Providers are ordered NTLM, Negotiate (although I tried the other way around too). All logins are on the same domain, and the web server is on that domain.
- App is installed at C:\MyApplication\App\
- When logged in to the server (as an admin account) I can navigate to http://localhost/MyApp and am authenticated automatically.
- When logged in to the server (as an admin account) I navigate to http://webserver.full.domain.com/MyApp and am prompted for credentials. After entering them 3 times I get 401.1 Unauthorized page.
- When logged in to a workstation as a regular user account and I navigate to http://webserver/MyApp I'm prompted for credentials 3 times and then shown an Access Denied message.
- When logged in to a workstation as the admin account that works when on the server I can also navigate to http://webserver/MyApp and am automatically authenticated. Logging in with other accounts doesn't work.
*** this seems particularly weird to me, suggesting that it's just about permissions *** ??
- There are no Failures logged to the Security event log, even with detailed Kerberos logging enabled as per this article.
- The SPNs appear to be set up correctly, in that I used "setspn -L servername" from another machine and saw two entries HOST/servername and HOST/servername.full.domain.com.
- I have given NETWORK SERVICE Full Control to the web server folder where the application is (C:\myapp\). I've given Authenticated Users Read/List/Execute permission.
- Internet Explorer from workstations correctly identifies http://webserver/MyApp as in the Intranet Zone
- Internet Explorer has Windows Authentication enabled.
- I also tried creating another Virtual Directory to C:\MyApplication\test, with a single file in it test.html, also with Windows Authentication only enabled and also with appropriate permissions. Same symptoms, but I get a 401.2 Unauthorized instead of 401.1.
- When I initially installed the IIS Role on this server and navigated to http://localhost the Default App Pool stopped and I was shown a server failure message. Switching the Default App Pool to run as Network Service resolved this problem. I now wonder if this meant there were other problems on the server that could be causing my authentication issues, e.g. this hotfix http://support.microsoft.com/kb/2545850, although when running as NETWORK SERVICE that shouldn't affect me.
Any suggestions on what I should try or look at to troubleshoot further greatly appreciated.
thanks,
Rory
UPDATE:
I tried a few more things today, with little success:
- Restarted the server and retested, just in case. no luck.
- Created a test file c:\inetpub\wwwroot\testwwwroot\test.html, set Windows Authentication only on the Web Site and tried to access it from a workstation. Same symptoms. Therefore it's a problem that applies to wwwroot as well as other folders.
- Gave Everyone Full Control to the folder and retested, still no access.
- Gave the end user Full Control to the folder and retested, still no access.
- From IE put the site into Trusted Sites (instead of Intranet Zone) and retested, no luck. Removed so it's once again Intranet Zone.
- Changed IE settings for the Intranet Zone to "Automatic logon with username & password", still no access.
- Removed Negotiate as an option so it would force NTLM only, still no access.
- Tested from workstation using http://<ipaddress>/Myapp instead of server name. Prompted for credentials (expected) but prompted 3 times when entering correct details and then no access.
- Tried adding Network Service as a member of IIS_IUSRS group (no particular reason why this might help), still no access.
- Changed the Default App Pool's identity from NETWORK SERVICE back to ApplicationPoolIdentity. Navigated to http://localhost from the server and got Server Error. In the event log were the following messages:
ERROR: Application pool DefaultAppPool has been disabled. Windows Process Activation Service (WAS) encountered a failure when it started a worker process to serve the application pool.
WARNING: The identity of application pool DefaultAppPool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.
WARNING: Application pool DefaultAppPool has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.
- Setting the identity back to NETWORK SERVICE resolved the above problem. But I do wonder if this is related.
- I used F12 dev tools to see request/response headers: The server was sending WWW-Authenticate: Negotiate and WWW-Authenticate:NTLM when testing from the workstation. IE wasn't sending anything WWW-Authenticate related in the Request headers. When doing the same test from IE on the server (where it does authenticate correctly) the Response Header was WWW-Authenticate: Negotiate <then a long security token like oRswGaADCg....>
I'm still stuck on this one...
(Also posted on ServerFault here)
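An added diagnostic script (not from the original post or from Microsoft) that collects, in one run on the IIS server, the settings the post checks by hand: which authentication modules are enabled, the kernel-mode and provider settings, the app pool identity, the folder ACL, the registered SPNs, and the WWW-Authenticate challenge with and without the caller's Windows token. Site, application, pool, folder and host names are assumptions; adjust them to match the server.

```powershell
# Added diagnostic script for the symptoms above (not from the original post).
# Assumed names: site 'Default Web Site', application 'MyApp', folder C:\MyApplication\App,
# app pool 'DefaultAppPool', host webserver.full.domain.com. Run elevated on the IIS server.
Import-Module WebAdministration

$site     = 'Default Web Site'
$appPath  = "IIS:\Sites\$site\MyApp"
$pool     = 'DefaultAppPool'
$folder   = 'C:\MyApplication\App'
$url      = 'http://webserver.full.domain.com/MyApp/'
$authBase = 'system.webServer/security/authentication'

# 1. Which authentication modules are enabled on the application?
foreach ($module in 'anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication') {
    $enabled = (Get-WebConfigurationProperty -PSPath $appPath -Filter "$authBase/$module" -Name enabled).Value
    '{0,-24} enabled={1}' -f $module, $enabled
}

# 2. Kernel-mode setting and provider order (Negotiate vs NTLM) for Windows Authentication
$kernel = (Get-WebConfigurationProperty -PSPath $appPath -Filter "$authBase/windowsAuthentication" -Name useKernelMode).Value
'useKernelMode={0}' -f $kernel
$providers = Get-WebConfiguration -PSPath $appPath -Filter "$authBase/windowsAuthentication/providers/add" |
    ForEach-Object { $_.value }
'providers={0}' -f ($providers -join ', ')

# 3. Application pool identity (a WAS "identity is invalid" warning points here)
$pm = (Get-ItemProperty "IIS:\AppPools\$pool").processModel
'pool identity: type={0} user={1}' -f $pm.identityType, $pm.userName

# 4. NTFS ACL on the content folder: the pool identity and the end users need Read/Execute
(Get-Acl $folder).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# 5. SPNs registered for this host (HOST/... also covers HTTP when the pool runs as NETWORK SERVICE)
setspn -L $env:COMPUTERNAME

# 6. Reproduce the challenge: an anonymous request, then one carrying the current user's token
function Get-AuthChallenge([string]$target, [bool]$useCreds) {
    $req = [System.Net.HttpWebRequest]::Create($target)
    $req.UseDefaultCredentials = $useCreds
    try   { $resp = $req.GetResponse() }
    catch [System.Net.WebException] { $resp = $_.Exception.Response }
    if ($resp -eq $null) { return 'no response' }
    'status={0} WWW-Authenticate={1}' -f [int]$resp.StatusCode, $resp.Headers['WWW-Authenticate']
}
Get-AuthChallenge $url $false   # a 401 listing Negotiate and NTLM is the normal challenge
Get-AuthChallenge $url $true    # 200 when authentication works; 401 again reproduces the problem
```

Run it once as an administrator and once as a regular domain user from the same workstation session; the lines that differ between the two runs narrow the fault to either the token handshake (step 6) or authorization against the folder and pool (steps 3 and 4).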