IIS7 Pass-through authentication failing

[clintonG]

On Vista I've tried creating websites at Documents\My Web Sites\website1 for
example. Despite adding the accounts and permissions for NETWORK SERVICE,
IIS_USRS as well as accounts for Administrators and my own self as a user
I'm getting a 401.3 when requesting http://website1/. Note I also use the
hosts file for bindings to localhost.

Using IIS Manager > Add a Web Site > Test Settings I get the following
warning:

Test Connection:
Authorization Cannot verify access to path ...

The server is configured to use pass-through authentication with a built-in
account to access the specified physical path. However, IIS Manager cannot
verify whether the built-in account has access. Make sure that the
application pool identity has Read access to the physical path. If this
server is joined to a domain, and the application pool identity is
NetworkService or LocalSystem, verify that <domain>\<computer_name>$ has
Read access to the physical path. Then test these settings again.

When I try to request the site as http://website1/ I get the following
error:

HTTP Error 401.3 - Unauthorized
You do not have permission to view this directory or page because of the
access control list (ACL) configuration or encryption settings for this
resource on the Web server.

I've set up Failed Request Tracing Rules for the 401.3 and no clues how to
resolve there.

I can use IIS Manager > Advanced Settings to change the Physical Path
Credentials using my user name and password and website1 will load just
fine.

I'd really like to understand how to resolve this and don't understand why
the pass through authentication is not passing through so to speak allowing
me as an anonymous user to request and load website1 without using IIS
Manager to apply impersonation.

[Steve Schofield]

Try running process monitor aka Filemon to see what folder is being blocked.
Enable auditing to see object access. Here is a post that discusses how to
enable auditing and links to process monitor.

http://weblogs.asp.net/steveschofield/archive/2008/03/07/detecting-permission-issues-using-auditing-and-process-monitor.aspx

--

Best regards,

Steve Schofield
Windows Server MVP - IIS
http://weblogs.asp.net/steveschofield

"clintonG" <nob...@nowhere.com> wrote in message
news:ev76%23nrlI...@TK2MSFTNGP05.phx.gbl...

[clintonG]

Thanks Steve. I'm going to follow up on your referrals but get this...

I use the hosts file to enable multiple web sites on Vista when using IIS7
and bind each website to the loopback adapter (127.0.0.1). This makes
testing web sites in a browser fast, easy and perhaps reliable using short
names such as http://css1. In fact we no longer even have to provide the
browser with the http protocol, just type css1 into a browser for example
and the web site will load.

So while trying to learn more about this physical path pass-through
authentication issue I went back into IIS Manager and deleted a web site
named css1. I recreated css1 and bound it to the IP of the machine (instead
of All Assigned). Requesting the web site then loads the Default Website. I
then used IIS Manager to delete css1 and then recreated css1 leaving All
Assigned and binding in the hosts file to the loopback IP.

Now lo and behold --Vista Voodoo-- the pass-through authentication now
allows the anonymous user to request css1 when the physical path is in the
My Web Sites directory I have discussed having problems with.

Now, to figure out what was going on I have to actually figure out how to
make it fail again? I am ready for a long long rest in a nice quiet place
where they have a nurse keep an eye on the patients ;-)

<%= Clinton

"Steve Schofield" <st...@iislogs.com> wrote in message
news:%23WPK7W1...@TK2MSFTNGP02.phx.gbl...

[Steve Schofield]

That sounds like par for the course. :) Personally, I would let it go if
it's working. If you are really interested in what is going on. I would
check the applicationHost.config to see what the bindings are during each
test. Look in the <sites> section.

I would setup your original config and see if you can reproduce the error,
it sounds like you can't do that, but if you have access to another Vista
box, use that machine to see if the behavior is the same.

Other things that comes up when this happens is browser caching can cause
inconsistent results. I would recycle IIS after each test so no credentials
are cached. Those are a couple things that come to mind.

--

Best regards,

Steve Schofield
Windows Server MVP - IIS
http://weblogs.asp.net/steveschofield

"clintonG" <nob...@nowhere.com> wrote in message

news:e1fpSB4l...@TK2MSFTNGP03.phx.gbl...

[Steve Schofield]

One thing I forgot to add was when troubleshooting odd things, use Wfetch
when you are getting inconsistent results. Fiddler can help too.

How to use Wfetch
http://support.microsoft.com/kb/284285

--

Best regards,

Steve Schofield
Windows Server MVP - IIS
http://weblogs.asp.net/steveschofield

http://www.IISLogs.com
Log archival solution.
Install, Configure, Forget

"clintonG" <nob...@nowhere.com> wrote in message

news:e1fpSB4l...@TK2MSFTNGP03.phx.gbl...

[ravindranthangavelu]

I am also facing same problem like you.

Yesterday i enabled the remote connection and enabled the windows authentication, its works fine.
But for every new publish its ask the userid and password of that system, so my TL will disabled that windows authentication.

Again i got the same error, please help me to solve this issues.

The following i made in my IIS server.

Anonymous Authentication ---> Enabled
ASP.NET Impersonation ---> Disabled
Basic Authentication ---> Enabled
Digest Authentication ---> Enabled
Forms Authentication ---> Disabled
Windows Authentication ---> Disabled

For Default Web Site ---> IIS Manager Permission. Gave permission for some users, Administrator and my users id.

Please help me...