Celtic Coding Solutions Blog

Celtic Coding Solutions Blog - for everything computer related

Asp.Net Windows Authorisation in IIS7 for Windows Server 2008 and r2

When Kerberos hasn't been set up correctly on a Windows Server 2008 or 2008 R2 server, I've noticed a couple of issues when running Asp.Net code in IIS with Windows Authentication enabled and Anonymous Authentication disabled.

Running the page locally in IE on the server works correctly and Windows credentials are picked up by the Asp.Net code. However, running the page in IE on a separate machine (via the network) resulted in the following errors:-

"You are not Authorized to view this page"

or "HTTP Error 401"

Running the page in IE using the IP address of the server instead of the server name worked (probably because it defaults to NTLM instead of Kerberos).

1.0) Server 2008r2 Fix

When there appears to be an issue with Kerberos on the network and IIS (as in this case), we need web applications to default to NTLM instead for Windows Authentication pass-through.
The fix for Server 2008 R2 is slightly easier than for Server 2008, so it comes first.

1.1) Setup Application Pool

This is not 100% necessary as you can use one of your existing Application Pools; however, for demonstration purposes it is easier to create a new one.

Remote onto the Server and load the Internet Information Services (IIS) Manager:-
Select your server (expand using the plus icon)
Select Application Pools

Create a new Application Pool e.g.
Name: ASPNET2
.Net Framework: v2.0
Managed Pipeline: Integrated
Identity: ApplicationPoolIdentity

 

1.2) Setup/Convert to Web Application

Click on your Asp.Net directory under Sites – Default Web Site.
Right click and "Convert to Web Application" – it might already be one, in which case the icon will have changed from the standard folder icon.
Make sure our new Application Pool is selected.

Click Test Settings and notice the error:-

1.3) Change Folder Settings to allow App Pool Access

The Application Pool is now running under ApplicationPoolIdentity as ASPNET2. This is visible in Windows Task Manager on the server:-

If this user is not visible then open your web application in IE on the local server (just click on "Browse *:80 (http)" in IIS).

Open File Explorer:-
Go to C:\inetpub
Right Click wwwroot - Properties
Security Tab
Click Edit
Click Add
Change location to ServerName (Top of list)
In the "Enter the object names to select" type:-
IIS AppPool\ASPNET2
Click OK

Select ASPNET2 in the "Group or User Names"
Then Tick:-
Read & Execute
List folder contents
Read

1.4) Set Web Application Windows Authorisation

Back in IIS, click on the Authentication icon:-

Enable ASP.Net Impersonation and Windows Authentication:-

 

1.5) Configure Windows Authorisation

Select Windows Authentication and, in the right-hand menu, select Advanced Settings; it should look like the following:-

Close this and next click "Providers…".
Move NTLM up so that NTLM is first and Negotiate is second.

Close and restart IIS - all should now work!

2.0) Server 2008 Fix

Server 2008 is slightly different as not all the options are visible. Therefore follow all the same steps as above for 2008 up until point 1.3, then continue below.

2.1) Change folder settings to allow App Pool access (Server 2008 method)

In Server 2008 you cannot add the following user to Folder Security as it will not find this user:-
IIS AppPool\ASPNET2

Instead you need to use icacls with the following syntax (open a command line and enter):-
icacls c:\inetpub\wwwroot /grant "IIS AppPool\ASPNET2":(OI)(CI)(RX)
Here (OI)(CI) make the entry inherit to files and sub-folders, and RX grants Read & Execute, which covers the three boxes ticked in 1.3.

Once run, you will see ASPNET2 listed in the wwwroot folder security, so follow the same instructions as for Server 2008 R2.

2.2) Configure Windows Authorisation (Server 2008 method)

The "Providers…" option is not available in IIS for 2008, so this has to be done manually by modifying the applicationHost.config file under:-
C:\Windows\System32\inetsrv\config

Scroll down to your Application and amend using the following details:-

<system.webServer>
  <security>
    <authentication>
      <anonymousAuthentication enabled="false" />
      <windowsAuthentication enabled="true" useKernelMode="true">
        <providers>
          <clear />
          <add value="NTLM" />
          <add value="Negotiate" />
        </providers>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>

Note that in 2008 R2 you may also need to add the following:-
  <extendedProtection tokenChecking="None" />
This goes inside the windowsAuthentication element, directly below:-
  <windowsAuthentication enabled="true" useKernelMode="true">

Restart IIS and all should work.
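As an added example (not code from the original post, and not an IIS tool), the following Python script checks the settings from 1.5 and 2.2 in an applicationHost.config: for each <location> it reports whether anonymous authentication is disabled, Windows Authentication is enabled, and NTLM is listed before Negotiate. It also flags extendedProtection tokenChecking="None" as informational, since that value turns off Extended Protection for Authentication (channel binding) for that application. The XML is a constructed sample, and apply_post_settings is my own helper that rewrites one location to the post's settings; run it on a copy of the real file rather than the live one under C:\Windows\System32\inetsrv\config.

```python
# Added example (not from the original post): audit and fix the Windows
# Authentication settings in an applicationHost.config.
import xml.etree.ElementTree as ET

# Constructed sample: one <location> set up as the post describes and one
# still using the default Negotiate-first order with anonymous access on.
SAMPLE_CONFIG = """<configuration>
  <location path="Default Web Site/GoodApp">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" useKernelMode="true">
            <extendedProtection tokenChecking="None" />
            <providers>
              <clear />
              <add value="NTLM" />
              <add value="Negotiate" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
  <location path="Default Web Site/BadApp">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true" />
          <windowsAuthentication enabled="true">
            <providers>
              <add value="Negotiate" />
              <add value="NTLM" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
"""


def _enabled(elem):
    """IIS stores booleans as "true"/"false"; a missing element or attribute counts as false."""
    return elem is not None and elem.get("enabled", "false").lower() == "true"


def audit_location(location):
    """Findings for one <location>; entries starting with "info:" are advisory only."""
    findings = []
    auth = next(location.iter("authentication"), None)
    if auth is None:
        return ["no authentication section"]
    anon = auth.find("anonymousAuthentication")
    if anon is None or _enabled(anon):
        findings.append("anonymous authentication not disabled")
    win = auth.find("windowsAuthentication")
    if not _enabled(win):
        findings.append("windows authentication disabled")
        return findings
    providers = win.find("providers")
    order = [a.get("value") for a in providers.findall("add")] if providers is not None else []
    if "NTLM" not in order or "Negotiate" not in order:
        findings.append("providers missing NTLM or Negotiate")
    elif order.index("NTLM") > order.index("Negotiate"):
        findings.append("Negotiate listed before NTLM")
    ep = win.find("extendedProtection")
    if ep is not None and ep.get("tokenChecking") == "None":
        findings.append("info: extendedProtection tokenChecking is None")
    return findings


def audit_config(xml_text):
    """Map each <location path="..."> to its list of findings."""
    root = ET.fromstring(xml_text)
    return {loc.get("path"): audit_location(loc) for loc in root.findall("location")}


def apply_post_settings(xml_text, path):
    """Hypothetical helper: return XML with the post's settings applied to one location."""
    root = ET.fromstring(xml_text)
    for loc in root.findall("location[@path='%s']" % path):
        auth = next(loc.iter("authentication"), None)
        anon = auth.find("anonymousAuthentication") if auth is not None else None
        win = auth.find("windowsAuthentication") if auth is not None else None
        if anon is None or win is None:
            raise ValueError("incomplete authentication section for " + path)
        anon.set("enabled", "false")
        win.set("enabled", "true")
        providers = win.find("providers")
        if providers is not None:
            win.remove(providers)
        providers = ET.SubElement(win, "providers")
        ET.SubElement(providers, "clear")  # drop inherited providers, as in 2.2
        for value in ("NTLM", "Negotiate"):
            ET.SubElement(providers, "add", value=value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for path, findings in audit_config(SAMPLE_CONFIG).items():
        print(path, findings or "OK")
```

Running the script prints one line per location; a location that only has the "info:" entry matches the post's setup, and the BadApp entry shows the two things the post changes (anonymous access and provider order).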
