2

I am moving some old web applications from an old Server to a Server 2016. We are using a domain account for the application identity and we need to use windows authentication. I am getting a 401.3 error when I try a test.html page on the server. I am only getting this for static content though as I tried a home.aspx page and that page worked.

Things I have tried/checked

  • Static Content is installed under the Common HTTP Features

  • The domain account used for the app pool has full access to the directory containing test.html

  • Tried NTLM first as provider instead of Negotiate on IIS Windows Authentication Providers

  • Tried "Enable Kernel-mode authentication" checked and unchecked

  • Tried all settings of "Extended Protection" under Advanced settings for windows authentication.

  • Tried ProcMon. All I get when I filter for test.html is 2 QueryOpen operations with result SUCCESS

JoeDirt80
  • 21
  • 1
  • Add Authenticated Users to Users group. https://blogs.msdn.microsoft.com/webtopics/2009/06/25/troubleshooting-http-401-3-errors-with-process-monitor/ – Lex Li Aug 10 '18 at 16:13
  • Just checked it and it looks like Authenticated Users was already in the Users group – JoeDirt80 Aug 10 '18 at 17:50

1 Answers1

0

The solution for this was that we need to have the account that was running the application pool set up in the "Impersonate a client after authentication." Our local group policy had this locked down. I am guessing the default install may have IIS_USRS group in this policy but our server did not.

JoeDirt80
  • 21
  • 1