I need some help understanding exactly why I can't get Windows Authentication working on an IIS site for a specific user group. What is happening is that even though my user is part of the group to which I gave access to the site, IE keeps prompting for my credentials, and even when I type the password the HTTP response is 401 (Unauthorized). I'm also not allowed to change IE's settings to add any site to the trusted list (it's blocked by the company). On the other hand, besides the fact that it's blocked, the site domain is listed like (*.domain.com).
The scenario is as follows:
Pool Settings
- Name: PoolA
- Process Model > Identity > DomainB\ServiceAdUser
Settings on Server Level
ASP.NET > .NET Authorization
- Allow | Users: All Users | Entity type local
IIS > Authentication
- Anonymous Authentication disabled
- Windows Authentication Enabled
- Extended protection: Off
- Enable Kernel-mode authentication: Enabled
- Providers: Negotiate(1st) -> NTLM(2nd)
IIS > Authorization Rules
- Allow | Roles: DomainB\MYGROUP | Entity type local
Settings on Site Level (which runs on a valid SSL certificate on 443 port, this is the only binding)
Pool: PoolA
ASP.NET > .NET Authorization
- Allow | Users: All Users | Entity type inherited
IIS > Authentication
- Anonymous Authentication disabled
- Windows Authentication Enabled
- Extended protection: Off
- Enable Kernel-mode authentication: Enabled
- Providers: Negotiate(1st) -> NTLM(2nd)
IIS > Authorization Rules
- Allow | Roles: DomainB\MYGROUP | Entity type inherited
Permissions on site root directory
- Full control permission to IIS_IUSRS
- Read&Execute, List and Read permissions to MYGROUP
Web.config
- This is the only configuration line that exists regarding authentication: <authentication mode="Windows" />
=============================
The only way to get the site up and running is when I allow anonymous access to it.
Please help me to figure out what is missing. I appreciate any help.
There could be an issue with the security loopback check. Please find below the procedure to disable it.
I've found that if the authenticated user is not able to read the folders for static content in your web app, it will authenticate you, then deny access. This can be solved by granting local_Machine\Authenticated_Users access to the needed resources.
In my case, I added Authenticated_users to the IIS_IUSRS group and it solved my problem. Be aware that this can also grant any authenticated user access to all files and folders available to the IIS_IUSRS group. So be careful that these users cannot access the file system by any other means. A separate group granting NT AUTHORITY\Authenticated_Users just enough rights to read PNGs and static content is the best way to go.
Config: Windows Server 2012 R2 running IIS 8.5, .NET Framework 4.5, with static content enabled.
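One way to apply the narrower permission described in the last answer, as an added example that is not part of the original thread: it grants read-only access on the static content folder alone instead of widening IIS_IUSRS. The folder path is a hypothetical placeholder, and the account is written with the built-in Windows name for the group the answer calls Authenticated_Users.

```powershell
# Added example. Run in an elevated PowerShell session on the IIS server.
# Assumption: $staticPath is a placeholder for the folder that holds the
# site's static content (images, CSS, scripts). It is not from the thread.
$staticPath = 'C:\inetpub\wwwroot\MySite\Content'

# Built-in name of the well-known "Authenticated Users" group.
$identity = 'NT AUTHORITY\Authenticated Users'

# 1. Record the ACL as it is now, so the change can be reviewed or reverted.
$acl = Get-Acl -Path $staticPath
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 2. Build a read-only rule that applies to this folder, its subfolders
#    and its files. No write or modify rights are included.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity, 'ReadAndExecute', $inherit, $propagate, 'Allow')

# 3. Add the rule and write the ACL back to the folder.
$acl.AddAccessRule($rule)
Set-Acl -Path $staticPath -AclObject $acl

# 4. Confirm the new entry is present and limited to read access.
(Get-Acl -Path $staticPath).Access |
    Where-Object { $_.IdentityReference -eq $identity } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# 5. List the members of IIS_IUSRS. If Authenticated Users was added there
#    as a workaround, every signed-in account inherits whatever that group
#    can reach, which is the exposure the answer warns about.
net localgroup IIS_IUSRS
```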