You are not authorized to view this page

[Gaetan]

I just cannot read any more MSDN articles on IIS6 and ASP.Net authentication ...
everything is blurry now, tanks to old eyes.

Here is a topo of my environment:

- W2K3 SP1 (IIS 6)

- Web site is a virtual directory under Default Web Site

- Web site is configured with "Integrated Windows Authentication" and the "Enable
anonymous access" is not checked.

- Web site is using a custom application pool.

- Web.config has:
<authentication mode="Windows" />
<identity impersonate="false" />

- The application pool is using a domain account and this account is a member of IIS_WPG
on the IIS server.

Here is what is happenning:

- When I use IE from the IIS server, I can access my web application no problem.

- When I use IE from another server member of the same AD domain, I always get prompted to
enter credentials. I'm logged on with the domain administrators on that other server. The
only credentials that will allow me to use the web site are those that reside on the IIS
server; <servername>\account. <domain>\account does not work.

Anyone has a clue which turn I missed in the process?

 

[Kevin Spencer]

Well, first of all, you need to discriminate between the people who are
wanting to get into your web site, and the application identity. This is a
critical difference.

Your web application is a process, and it always runs under ONE user
account, the one you configured it to run under in IIS. That account
determines what network permissions the web application itself has, for
doing things like file system access, registry permissions, etc. This
identity is the one referenced in your web.config file and IIS application
pool configuration.

Now, when people log into the app, by trying to access it via a browser,
typically, they all log in to the web as the Anonymous Internet User account
on your server. This is an underpriveleged account which has permission to
do very little other than access web pages in your web application. But when
you configure the web site virtual directory to "Integrated Windows
Authentication," you force each user to either be logged into your server
machine as an authorized user (according to the Authentication configuration
in IIS), or to log in with an authorized user account (according to the
Authentication configuration in IIS).

That should be enough information to help you figure out what exactly you
want, and need, to do in order to set up your web application the way you
want to.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
Ambiguity has a certain quality to it.

 

[Bruce Barker]

most likely iis is sending the 401 due to file permissions. check the the
vir and its files are accessible by authenticated users.

-- bruce (sqlwork.com)

 

[Gaetan]

I can now connect from a remote browser but I still do not understand why I had to do this
to make it work:

- Add my IIS server in the Local Intranet zone
- Disable "Enable Integrated Windows Authentication (requires restart)"

After the above, I could connect to the WEB site from a remote computer in the same
domain.

 

[Gaetan]

I found an article on MS Technet and applied it successfully. Just had to add the metabase
NTAuthenticationProviders propertiy since it was not defined within the <IISWebServer>
section.

http://www.microsoft.com/technet/pr...IIS/1aa70bfa-add5-4f61-9c7b-a095c1bd4306.mspx