
I have an IIS7 website that is set to run in its own application pool. The application pool is configured as:

Managed Pipeline Mode: Integrated
Identity: I_siteuser (account is member of IIS_IUSRS)

The website physical path is: d:\websites\testsite\www and the account I_siteuser has modify permissions on the folder.

If I set the website to use pass-through authentication I get a security error:

HTTP Error 401.3 - Unauthorized

If I configure the site to use a specific user (I_siteuser) I can view pages and run scripts just fine.

I was under the impression that if I use pass-through authentication then the identity of the application pool would be used (which in this case is configured to run under the identity of I_siteuser).

This seems not to be the case and the identity that the site runs under is actually the built-in account IUSR. I verified this by adding read/exec rights to the website folder for IUSR.

Is there another setting I'm missing here?

Update:

I also enabled Basic Authentication and Windows Authentication on the site but this just causes login dialogues to appear.

I also see the worker process for the application pool running under the identity of I_siteuser in task manager.

Kev

2 Answers

I think you are misunderstanding pass through authentication. If pass through authentication is enabled, one of 2 things will happen:

  • for anonymous authentication, the user ID specified for anonymous access needs access to the physical path for the files. (By default, this is the built-in IUSR account, but can be configured in the Edit action for anonymous auth.)

  • if you have authentication enabled, then the authenticated user credentials need access to the physical path of the files. The application pool identity will also need read-only access to the files.

MattB
  • Matt - "...but can be configured in the Edit action for anonymous auth" - the context menus for each of the Authentication types were completely in my blind spot. I was staring at that for ages. Appreciated. – Kev Jul 09 '09 at 14:31
  • Matt - we are seeing this issue as well with authentication enabled. Do you know of anywhere where the file access requirements are defined by Microsoft? I can't find it anywhere. – Chris Gill May 18 '10 at 15:51
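
The check described in the answer above, as an added example that is not part of the original answer: it reports which account IIS uses for anonymous requests to a site and which ACL entries on the physical path name that account. The site name `testsite` is an assumption, and the script relies on the WebAdministration module that ships with IIS 7 management tools.

```powershell
# Added example (not from the original thread). Run elevated on the IIS server.
Import-Module WebAdministration

$siteName = 'testsite'   # assumed site name; adjust to your site
$filter   = '/system.webServer/security/authentication/anonymousAuthentication'

$site = Get-Item "IIS:\Sites\$siteName"
$path = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
$pool = Get-Item "IIS:\AppPools\$($site.applicationPool)"

# userName on anonymousAuthentication is the value behind the "Edit" action.
$attr = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName `
            -Filter $filter -Name userName
$anonUser = if ($attr -is [string]) { $attr } else { $attr.Value }

if ([string]::IsNullOrEmpty($anonUser)) {
    # Empty userName: anonymous requests run as the application pool identity.
    $effective = if ($pool.processModel.identityType -eq 'SpecificUser') {
        $pool.processModel.userName
    } else {
        "$($pool.processModel.identityType)"
    }
    $source = 'application pool identity'
} else {
    $effective = $anonUser      # IUSR unless it has been changed
    $source = 'anonymousAuthentication userName'
}
"Anonymous requests to '$siteName' access $path as: $effective ($source)"

# List ACEs that name this account directly. Rights that arrive through
# group membership are not resolved here. No rows for the account is
# consistent with the 401.3 response described in the question.
$leaf = ($effective -split '\\')[-1]
(Get-Acl $path).Access |
    Where-Object { ($_.IdentityReference.Value -split '\\')[-1] -eq $leaf } |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited

# Two ways to line the configuration up with the ACL (uncomment one):
# A) use the application pool identity for anonymous requests
# Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName `
#     -Filter $filter -Name userName -Value ''
# B) keep IUSR and grant it read and execute on the content only
# icacls $path /grant 'IUSR:(OI)(CI)RX'
```

Option A keeps the content ACL limited to the per-site account, so other sites on the same server that still run anonymous requests as IUSR gain no access to this folder.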

Check the authentication methods for the site and make sure basic and/or lanman authentication is enabled.

JR

Are any of the files in the directory including files from other directories where access is restricted? Also try granting read access to the group IIS_IUSRS, not just to your I_sitename user. Obviously make sure anonymous access is enabled in the site (or virtual directory) authentication settings.

John Rennie
  • I did that too but get prompted for a login. – Kev Jul 09 '09 at 10:10
  • See my edit above – John Rennie Jul 09 '09 at 10:50
  • John, thanks for the time. There aren't any other folders. There's just a couple of files in the www folder: test.asp and test.html both inherit their ACL from the www folder. Granting access to IIS_IUSRS on www causes authentication to fail as well (401.3 - Unauthorized). The only way this works with pass-through auth is to give the built-in IUSR account access to the www folder. – Kev Jul 09 '09 at 11:22
  • John, cheers for the help +1, Matt clinched the right answer with the mention of the Anonymous Authentication Edit action which I completely didn't see. – Kev Jul 09 '09 at 14:36