0

I have a site hosted using IIS on a Windows Server 2012 R2 server. The application is configured to use an application pool that uses the NetworkService account as the application pool identity. The site is also configured to use the pass-through authentication and both basic and Windows authentication (as per the developers specification).

This application is supposed to be deployed so that the end-users account is used to verify that they can access the application (a user list is kept in the applications database), and all files in the WWW root directory are accessed using the NetworkService account. However, it appears that the end-users account is being used to access files in the WWW directory. This only works for users who have access to the server: granting a specific user access to the WWW directory allows them to run the application. All other users receive a 401.5 error originating from the IsapiModule.

How do I configure this server so that it will access the files on disk using the application user identity and not the passed-through account used for authentication?

Liam M
  • 111
  • 1
  • 5

1 Answers1

0

Disable anonymous authentication and enable Windows Authentication. The client computers and the server itself will both need to be joined to the same AD domain for this to work. You then grant each AD user read/execute permissions to the web root folder (NTFS folder permissions) - the authentication is then automatic - the users will either get a 403 access denied, or they'll see the website. The identity of the application pool itself plays now part in this (however, don't use Network Service, this is poor security practice anyway, switch to ApplicationPoolIdentity).

Also, for managing access to the website, don't grant individual users direct read/execute access to the webroot folder. Instead, create an AD group, make all users who need the site members of the group, then grant the group read/execute access to the website.

Matthew Wanders
  • 166
  • 1
  • 5