IIS7 Pass-through authentication failing
IIS7 Pass-through authentication failing
am 05.04.2008 03:11:48 von Patrice
On Vista I've tried creating websites at Documents\My Web Sites\website1 for
example. Despite adding the accounts and permissions for NETWORK SERVICE,
IIS_USRS as well as accounts for Administrators and my own self as a user
I'm getting a 401.3 when requesting http://website1/. Note I also use the
hosts file for bindings to localhost.
Using IIS Manager > Add a Web Site > Test Settings I get the following
warning:
Test Connection:
Authorization Cannot verify access to path ...
The server is configured to use pass-through authentication with a built-in
account to access the specified physical path. However, IIS Manager cannot
verify whether the built-in account has access. Make sure that the
application pool identity has Read access to the physical path. If this
server is joined to a domain, and the application pool identity is
NetworkService or LocalSystem, verify that \$ has
Read access to the physical path. Then test these settings again.
When I try to request the site as http://website1/ I get the following
error:
HTTP Error 401.3 - Unauthorized
You do not have permission to view this directory or page because of the
access control list (ACL) configuration or encryption settings for this
resource on the Web server.
I've set up Failed Request Tracing Rules for the 401.3 and no clues how to
resolve there.
I can use IIS Manager > Advanced Settings to change the Physical Path
Credentials using my user name and password and website1 will load just
fine.
I'd really like to understand how to resolve this and don't understand why
the pass through authentication is not passing through so to speak allowing
me as an anonymous user to request and load website1 without using IIS
Manager to apply impersonation.
Re: IIS7 Pass-through authentication failing
am 05.04.2008 21:46:20 von Steve Schofield
Try running process monitor aka Filemon to see what folder is being blocked.
Enable auditing to see object access. Here is a post that discusses how to
enable auditing and links to process monitor.
http://weblogs.asp.net/steveschofield/archive/2008/03/07/det ecting-permission-issues-using-auditing-and-process-monitor. aspx
--
Best regards,
Steve Schofield
Windows Server MVP - IIS
http://weblogs.asp.net/steveschofield
"clintonG" wrote in message
news:ev76%23nrlIHA.696@TK2MSFTNGP05.phx.gbl...
> On Vista I've tried creating websites at Documents\My Web Sites\website1
> for example. Despite adding the accounts and permissions for NETWORK
> SERVICE, IIS_USRS as well as accounts for Administrators and my own self
> as a user I'm getting a 401.3 when requesting http://website1/. Note I
> also use the hosts file for bindings to localhost.
>
> Using IIS Manager > Add a Web Site > Test Settings I get the following
> warning:
>
> Test Connection:
> Authorization Cannot verify access to path ...
>
> The server is configured to use pass-through authentication with a
> built-in account to access the specified physical path. However, IIS
> Manager cannot verify whether the built-in account has access. Make sure
> that the application pool identity has Read access to the physical path.
> If this server is joined to a domain, and the application pool identity is
> NetworkService or LocalSystem, verify that \$ has
> Read access to the physical path. Then test these settings again.
>
> When I try to request the site as http://website1/ I get the following
> error:
>
> HTTP Error 401.3 - Unauthorized
> You do not have permission to view this directory or page because of the
> access control list (ACL) configuration or encryption settings for this
> resource on the Web server.
>
> I've set up Failed Request Tracing Rules for the 401.3 and no clues how to
> resolve there.
>
> I can use IIS Manager > Advanced Settings to change the Physical Path
> Credentials using my user name and password and website1 will load just
> fine.
>
> I'd really like to understand how to resolve this and don't understand why
> the pass through authentication is not passing through so to speak
> allowing me as an anonymous user to request and load website1 without
> using IIS Manager to apply impersonation.
Re: IIS7 Pass-through authentication failing
am 06.04.2008 02:36:16 von Patrice
Thanks Steve. I'm going to follow up on your referrals but get this...
I use the hosts file to enable multiple web sites on Vista when using IIS7
and bind each website to the loopback adapter (127.0.0.1). This makes
testing web sites in a browser fast, easy and perhaps reliable using short
names such as http://css1. In fact we no longer even have to provide the
browser with the http protocol, just type css1 into a browser for example
and the web site will load.
So while trying to learn more about this physical path pass-through
authentication issue I went back into IIS Manager and deleted a web site
named css1. I recreated css1 and bound it to the IP of the machine (instead
of All Assigned). Requesting the web site then loads the Default Website. I
then used IIS Manager to delete css1 and then recreated css1 leaving All
Assigned and binding in the hosts file to the loopback IP.
Now lo and behold --Vista Voodoo-- the pass-through authentication now
allows the anonymous user to request css1 when the physical path is in the
My Web Sites directory I have discussed having problems with.
Now, to figure out what was going on I have to actually figure out how to
make it fail again? I am ready for a long long rest in a nice quiet place
where they have a nurse keep an eye on the patients ;-)
<%= Clinton
"Steve Schofield" wrote in message
news:%23WPK7W1lIHA.3636@TK2MSFTNGP02.phx.gbl...
> Try running process monitor aka Filemon to see what folder is being
> blocked. Enable auditing to see object access. Here is a post that
> discusses how to enable auditing and links to process monitor.
>
> http://weblogs.asp.net/steveschofield/archive/2008/03/07/det ecting-permission-issues-using-auditing-and-process-monitor. aspx
>
> --
>
> Best regards,
>
> Steve Schofield
> Windows Server MVP - IIS
> http://weblogs.asp.net/steveschofield
>
>
> "clintonG" wrote in message
> news:ev76%23nrlIHA.696@TK2MSFTNGP05.phx.gbl...
>> On Vista I've tried creating websites at Documents\My Web Sites\website1
>> for example. Despite adding the accounts and permissions for NETWORK
>> SERVICE, IIS_USRS as well as accounts for Administrators and my own self
>> as a user I'm getting a 401.3 when requesting http://website1/. Note I
>> also use the hosts file for bindings to localhost.
>>
>> Using IIS Manager > Add a Web Site > Test Settings I get the following
>> warning:
>>
>> Test Connection:
>> Authorization Cannot verify access to path ...
>>
>> The server is configured to use pass-through authentication with a
>> built-in account to access the specified physical path. However, IIS
>> Manager cannot verify whether the built-in account has access. Make sure
>> that the application pool identity has Read access to the physical path.
>> If this server is joined to a domain, and the application pool identity
>> is NetworkService or LocalSystem, verify that \$
>> has Read access to the physical path. Then test these settings again.
>>
>> When I try to request the site as http://website1/ I get the following
>> error:
>>
>> HTTP Error 401.3 - Unauthorized
>> You do not have permission to view this directory or page because of the
>> access control list (ACL) configuration or encryption settings for this
>> resource on the Web server.
>>
>> I've set up Failed Request Tracing Rules for the 401.3 and no clues how
>> to resolve there.
>>
>> I can use IIS Manager > Advanced Settings to change the Physical Path
>> Credentials using my user name and password and website1 will load just
>> fine.
>>
>> I'd really like to understand how to resolve this and don't understand
>> why the pass through authentication is not passing through so to speak
>> allowing me as an anonymous user to request and load website1 without
>> using IIS Manager to apply impersonation.
>
Re: IIS7 Pass-through authentication failing
am 07.04.2008 04:57:10 von Steve Schofield
That sounds like par for the course. :) Personally, I would let it go if
it's working. If you are really interested in what is going on. I would
check the applicationHost.config to see what the bindings are during each
test. Look in the section.
I would setup your original config and see if you can reproduce the error,
it sounds like you can't do that, but if you have access to another Vista
box, use that machine to see if the behavior is the same.
Other things that comes up when this happens is browser caching can cause
inconsistent results. I would recycle IIS after each test so no credentials
are cached. Those are a couple things that come to mind.
--
Best regards,
Steve Schofield
Windows Server MVP - IIS
http://weblogs.asp.net/steveschofield
"clintonG" wrote in message
news:e1fpSB4lIHA.2368@TK2MSFTNGP03.phx.gbl...
> Thanks Steve. I'm going to follow up on your referrals but get this...
>
> I use the hosts file to enable multiple web sites on Vista when using IIS7
> and bind each website to the loopback adapter (127.0.0.1). This makes
> testing web sites in a browser fast, easy and perhaps reliable using short
> names such as http://css1. In fact we no longer even have to provide the
> browser with the http protocol, just type css1 into a browser for example
> and the web site will load.
>
> So while trying to learn more about this physical path pass-through
> authentication issue I went back into IIS Manager and deleted a web site
> named css1. I recreated css1 and bound it to the IP of the machine
> (instead of All Assigned). Requesting the web site then loads the Default
> Website. I then used IIS Manager to delete css1 and then recreated css1
> leaving All Assigned and binding in the hosts file to the loopback IP.
>
> Now lo and behold --Vista Voodoo-- the pass-through authentication now
> allows the anonymous user to request css1 when the physical path is in the
> My Web Sites directory I have discussed having problems with.
>
> Now, to figure out what was going on I have to actually figure out how to
> make it fail again? I am ready for a long long rest in a nice quiet place
> where they have a nurse keep an eye on the patients ;-)
>
> <%= Clinton
>
>
> "Steve Schofield" wrote in message
> news:%23WPK7W1lIHA.3636@TK2MSFTNGP02.phx.gbl...
>> Try running process monitor aka Filemon to see what folder is being
>> blocked. Enable auditing to see object access. Here is a post that
>> discusses how to enable auditing and links to process monitor.
>>
>> http://weblogs.asp.net/steveschofield/archive/2008/03/07/det ecting-permission-issues-using-auditing-and-process-monitor. aspx
>>
>> --
>>
>> Best regards,
>>
>> Steve Schofield
>> Windows Server MVP - IIS
>> http://weblogs.asp.net/steveschofield
>>
>>
>> "clintonG" wrote in message
>> news:ev76%23nrlIHA.696@TK2MSFTNGP05.phx.gbl...
>>> On Vista I've tried creating websites at Documents\My Web Sites\website1
>>> for example. Despite adding the accounts and permissions for NETWORK
>>> SERVICE, IIS_USRS as well as accounts for Administrators and my own self
>>> as a user I'm getting a 401.3 when requesting http://website1/. Note I
>>> also use the hosts file for bindings to localhost.
>>>
>>> Using IIS Manager > Add a Web Site > Test Settings I get the following
>>> warning:
>>>
>>> Test Connection:
>>> Authorization Cannot verify access to path ...
>>>
>>> The server is configured to use pass-through authentication with a
>>> built-in account to access the specified physical path. However, IIS
>>> Manager cannot verify whether the built-in account has access. Make sure
>>> that the application pool identity has Read access to the physical path.
>>> If this server is joined to a domain, and the application pool identity
>>> is NetworkService or LocalSystem, verify that \$
>>> has Read access to the physical path. Then test these settings again.
>>>
>>> When I try to request the site as http://website1/ I get the following
>>> error:
>>>
>>> HTTP Error 401.3 - Unauthorized
>>> You do not have permission to view this directory or page because of the
>>> access control list (ACL) configuration or encryption settings for this
>>> resource on the Web server.
>>>
>>> I've set up Failed Request Tracing Rules for the 401.3 and no clues how
>>> to resolve there.
>>>
>>> I can use IIS Manager > Advanced Settings to change the Physical Path
>>> Credentials using my user name and password and website1 will load just
>>> fine.
>>>
>>> I'd really like to understand how to resolve this and don't understand
>>> why the pass through authentication is not passing through so to speak
>>> allowing me as an anonymous user to request and load website1 without
>>> using IIS Manager to apply impersonation.
>>
>
Re: IIS7 Pass-through authentication failing
am 07.04.2008 05:17:08 von Steve Schofield
One thing I forgot to add was when troubleshooting odd things, use Wfetch
when you are getting inconsistent results. Fiddler can help too.
How to use Wfetch
http://support.microsoft.com/kb/284285
--
Best regards,
Steve Schofield
Windows Server MVP - IIS
http://weblogs.asp.net/steveschofield
http://www.IISLogs.com
Log archival solution.
Install, Configure, Forget
"clintonG" wrote in message
news:e1fpSB4lIHA.2368@TK2MSFTNGP03.phx.gbl...
> Thanks Steve. I'm going to follow up on your referrals but get this...
>
> I use the hosts file to enable multiple web sites on Vista when using IIS7
> and bind each website to the loopback adapter (127.0.0.1). This makes
> testing web sites in a browser fast, easy and perhaps reliable using short
> names such as http://css1. In fact we no longer even have to provide the
> browser with the http protocol, just type css1 into a browser for example
> and the web site will load.
>
> So while trying to learn more about this physical path pass-through
> authentication issue I went back into IIS Manager and deleted a web site
> named css1. I recreated css1 and bound it to the IP of the machine
> (instead of All Assigned). Requesting the web site then loads the Default
> Website. I then used IIS Manager to delete css1 and then recreated css1
> leaving All Assigned and binding in the hosts file to the loopback IP.
>
> Now lo and behold --Vista Voodoo-- the pass-through authentication now
> allows the anonymous user to request css1 when the physical path is in the
> My Web Sites directory I have discussed having problems with.
>
> Now, to figure out what was going on I have to actually figure out how to
> make it fail again? I am ready for a long long rest in a nice quiet place
> where they have a nurse keep an eye on the patients ;-)
>
> <%= Clinton
>
>
> "Steve Schofield" wrote in message
> news:%23WPK7W1lIHA.3636@TK2MSFTNGP02.phx.gbl...
>> Try running process monitor aka Filemon to see what folder is being
>> blocked. Enable auditing to see object access. Here is a post that
>> discusses how to enable auditing and links to process monitor.
>>
>> http://weblogs.asp.net/steveschofield/archive/2008/03/07/det ecting-permission-issues-using-auditing-and-process-monitor. aspx
>>
>> --
>>
>> Best regards,
>>
>> Steve Schofield
>> Windows Server MVP - IIS
>> http://weblogs.asp.net/steveschofield
>>
>>
>> "clintonG" wrote in message
>> news:ev76%23nrlIHA.696@TK2MSFTNGP05.phx.gbl...
>>> On Vista I've tried creating websites at Documents\My Web Sites\website1
>>> for example. Despite adding the accounts and permissions for NETWORK
>>> SERVICE, IIS_USRS as well as accounts for Administrators and my own self
>>> as a user I'm getting a 401.3 when requesting http://website1/. Note I
>>> also use the hosts file for bindings to localhost.
>>>
>>> Using IIS Manager > Add a Web Site > Test Settings I get the following
>>> warning:
>>>
>>> Test Connection:
>>> Authorization Cannot verify access to path ...
>>>
>>> The server is configured to use pass-through authentication with a
>>> built-in account to access the specified physical path. However, IIS
>>> Manager cannot verify whether the built-in account has access. Make sure
>>> that the application pool identity has Read access to the physical path.
>>> If this server is joined to a domain, and the application pool identity
>>> is NetworkService or LocalSystem, verify that \$
>>> has Read access to the physical path. Then test these settings again.
>>>
>>> When I try to request the site as http://website1/ I get the following
>>> error:
>>>
>>> HTTP Error 401.3 - Unauthorized
>>> You do not have permission to view this directory or page because of the
>>> access control list (ACL) configuration or encryption settings for this
>>> resource on the Web server.
>>>
>>> I've set up Failed Request Tracing Rules for the 401.3 and no clues how
>>> to resolve there.
>>>
>>> I can use IIS Manager > Advanced Settings to change the Physical Path
>>> Credentials using my user name and password and website1 will load just
>>> fine.
>>>
>>> I'd really like to understand how to resolve this and don't understand
>>> why the pass through authentication is not passing through so to speak
>>> allowing me as an anonymous user to request and load website1 without
>>> using IIS Manager to apply impersonation.
>>
>