Your constructive suggestions and help is required. I am creating a new WebSite in IIS7.5 on Windows Server 2008 R2 for my corporate Intranet (not Application under existing Default Web Site!), and can’t seem to get by authentication issue with Windows Authentication.
I’d went through all of the articles and postings here on MSDN as well as other sites, can’t find working solution just yet.
Steps I followed to create and configure this new site in IIS7.5:
- RDC to my VM, where I create the new Web Site on IIS 7.5. Open IIS Manager.
- Did not change Default Web Site, which has bindings to no host name, All unassigned IP address, port 80. It is still there.
- Right-click "Sites", "Add Web Site…", provided site name "sit", Application Pool: DefaultAppPool, physical path points to the app, which works on Dev Server (VS2010).
- Click "Test Settings…" shows Authentication grid icon, Authorization yellow exclamation point: "cannot verify access to path".
- Checking my physical path directory for Windows Security access (Windows Explorer), and can’t find DefaultAppPool account to add to NT security access rights. Letting it be like this for now.
- In "Binding" section of the "Add Web Site" form, used as mentioned above, I leave type: HTTP, IP Address: All Unassigned, Port: 80. In Host Name: I provide "sit", same as the site name above.
- Click OK. Site is created, showing in the right pane, in "Sites" window. Click "Browse sit on *:80(http)" hyperlink on the rightmost vertical "Actions" panel. The browser IE8 starts, I get an error about DNS lookup not being able to find "sit", this is
my Host Name as mentioned in step 5. - I go to my "hosts" file in my System32driversetc directory, add entry: {MachineIP} sit, save.
- Reload the browser, now it asks me for windows credentials. Provide my admin credentials on the box 3 times, and the browser gives me the following message:
"HTTP Error 401.1 – Unauthorized You do not have permission to view this directory or page using the credentials that you supplied.
Logon Method Not yet determined
Logon User Not yet determined
10.Checking my Authentication in the IIS7.5. It is decyphered from my web config correctly: Windwos Authentication Enabled, response type HTTP 401 Challenge. Anonymous Authentication disabled. Here is my web.config security settings:
<system.webServer> <security> <authentication> <anonymousAuthentication enabled="false" userName="" /> <windowsAuthentication enabled="true" useKernelMode="false" useAppPoolCredentials="true"> <providers> <clear /> <add value="NTLM" /> <add value="Negotiate" /> </providers> <extendedProtection tokenChecking="Allow" /> </windowsAuthentication> </authentication> </security> <validation validateIntegratedModeConfiguration="false" /> <modules runAllManagedModulesForAllRequests="true" /> </system.webServer> <system.web> <authentication mode="Windows" /> <identity impersonate="false" />
My Windows Athentication modules are both installed and referenced in IIS.
This is where I am unable to proceed any more and I need your help. I am missing something, but I can’t figure out what it is. When I go back to the site, and open "Basic Settings", I see that daunting yellow exclamaition point in "Authorization" on "Test
Connection" popup, but I can’t seem to figure out how to resolve it: I am logged in to my VM as Admin, I gave my physical location of the app full access, I tried using my admin account on the site as well as on the application pool, I’ve added Everybody account
on the physical app directory with read-execute permissions, added IUSR, IIS_IUSRS,NETWROK SERVICE, etc. with permissions, and still to no avail. I do not specifically understand:
-
Why would browser prompt me for my credentials, even if my browser settings say "Automatic logon with current user name and password", and my site host name is added to the "Local Intranet" list?
-
Why after I provide my valid credentials (3 times), I still get "Logon Method: Not yet determined" and "Logon User: Not yet determined"?
Here is my request, caught with Fiddler:
-NTLM Type3: Authentication Provider: NTLMSSP Type: 3 OS Version: 6.1:7601 Flags: 0xa2888205 Unicode supported in security buffer. Request server’s authentication realm included in Type2 reply. NTLM authentication. Negotiate Always Sign. Negotiate NTLM2
Key. Target Information block provided for use in calculation of the NTLMv2 response. Supports 56-bit encryption. Supports 128-bit encryption. lmresp_Offset: 160; lmresp_Length: 24; lmresp_Length2: 24 ntresp_Offset: 184; ntresp_Length: 24; ntresp_Length2:
24 Domain_Offset: 88; Domain_Length: 12; Domain_Length2: 12 User_Offset: 100; User_Length: 36; User_Length2: 36 Host_Offset: 136; Host_Length: 24; Host_Length2: 24 msg_len: 208 Domain: BLAHBLAH User: User1 Host: LLLBBBAAA001 lm_resp: FA 6D 30 62 55 98 F6 70
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 nt_resp: F6 9F 3F D5 36 E5 7F 50 BF 4A 22 A4 E4 BA 5E F4 AB 29 31 04 8F FD D5 F3
Does anyone have any good suggestions to resolve this problem? Sincerely grateful for the help.
Maybe I’m a bit late with my answer, but I believe you have missed a tiny little thing!
When using Windows Authentication on an Intranet and your Active Directory server is in the same domain, you only need a small piece of code in your web.config:
<system.web> ... <authentication mode="Windows"> </authentication> <authorization> <deny users="?" /> </authorization> ... </system.web>
Now your application is set to use Windows Authentication, HOWEVER….
If the user account you try to login with, isn’t known on the Web Server you installed your application on, you get the "HTTP Error 401.1 – Unauthorized You do not have permission to view this directory or page using the credentials that you supplied"
message.
(Just for fun you could add the user to the local user list on your webserver and then you’ll see it works!!)
Now how can we get rid of this message? Easy: Grant access to your
website installation path to the "Authenticated Users" group and give it the default
Read & execute, List folder contents and Read
rights.
That’s it!