I have some ASP.NET 4.6.2 web sites that I want to run from a UNC share. The reason why I am doing this is to implement IIS Shared Config but as a first step I just want the nodes to run properly.
Each server (the multiple web servers and the server with the UNC share) are members of the same domain, the app pools for each web server is running under a standard domain "service" account, and the accounts have read/write access to both the share and the underlying folders/files. (I initially tried running with minimal permissions but that did not work.) The apps are using WS-Federation claims so the sites are set to Anonymous.
The site almost works in that the MVC views and CSS stylesheets are rendered but other static content like images and fonts come back with 401 Unauthorized. The odd thing (one of the odd things) is that the static css, images, and font files are all under the same /Content folder but the css works.
My thought is that even though the app pool is running under a domain account with proper permissions, the image and font static content is being accessed via a different account other than what is used for the app pool. This seems to be born out by the fact that css and javascript static content works because it is bundled in the web application and the images and fonts could be served by IIS directly?
In addition, I used Sysinternals Process Monitor from each web server to watch the file I/O requests. What is puzzling is that for the resources returning 401, I see some requests with Success result whereas other requests for the same resource return Access Denied. Both requests are executing CreateFile operations, both requests are listed with the User set to domain-based app pool account, but the failed request shows Impersonating: NT AUTHORITY\IUSR on the properties dialog.
I even tried adding each of the web server computer accounts with permissions to the share and underlying folders but that did not make a difference.
What am I missing?
