
401 - Unauthorized: Access is denied due to invalid credentials. You do not have permission to view this directory or page using the credentials that you supplied.

Receiving this error message after changing IIS and .NET Authorization Rules to only Allow local "Administrators" roles

OS: Windows Server 2016 running IIS 10

Our Application Pool is running under an ApplicationPoolIdentity. Anonymous Authentication is enabled and running under the App Pool identity. ASP.NET impersonation is enabled as well. Windows Authentication is disabled (this is an externally facing website).

I have added the IIS AppPool\AppPool to the IIS_IUSRS group, Administrator group, and Users group.

I also granted Full Control ACLs for IIS AppPool\AppPool and the IIS_IUSRS group to the Website path (using icacls "WebsitePath" /grant "IIS AppPool\AppPool:(OI)(CI)(IO)F" /T)

Still, no luck. I just keep getting a 401. Running Process Monitor doesn't show any error status or permission issues. There is nothing in the server event logs either.

What am I missing still??

Thanks

LB79
  • "ASP.NET impersonation is enabled as well", why? Turn it off. ".NET Authorization Rules to only Allow local "Administrators" roles", again why? It is a site that only allows anonymous users, so every login user is considered the same, and no need to do extra authorization. – Lex Li Apr 02 '21 at 15:51
  • I tried to turn off impersonation and it made no difference. As for the Administrators authorization, it's a new DISA STIG requirement: "The IIS 10.0 web server must have a global authorization rule configured to restrict access." By default, it's listed as allow All Users, but this STIG is asking to only allow the Administrators role. – LB79 Apr 02 '21 at 16:05
  • Hire an experienced freelancer or study a comprehensive IIS administration book. It is impossible to type lengthy contents to teach on basic IIS/ASP.NET authentication and authorization. – Lex Li Apr 02 '21 at 16:08
  • I think that STIG is just out-to-lunch. Granting admin to IIS_IUSRS and all that should not be done and it violates probably a dozen more STIGs. I marked it as NA and commented that my application does not use .NET role-based auth, it requires anonymous access and the application handles authentication. – imjosh Nov 10 '21 at 22:04
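As an added illustration (not code from the question, from IIS, or from the STIG), the following Python script models how ASP.NET's UrlAuthorizationModule evaluates the .NET Authorization Rules stored under system.web/authorization in web.config: rules are checked in document order, the first rule that matches the request's principal decides, and a request that matches no rule is allowed. The web.config fragments, the anonymous principal and the hypothetical CORP\jdoe administrator are all constructed for the example. It reproduces the situation in the question: an anonymous visitor is unauthenticated and holds no role memberships, so an "allow Administrators / deny everyone" rule set denies every anonymous request with a 401, regardless of which groups the application pool account belongs to or which ACLs the website folder carries, because those govern the worker process, not the request principal.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment modelled on the STIG-style ".NET Authorization
# Rules" described in the question: only the Administrators role is allowed,
# everyone else is denied.
STIG_STYLE_CONFIG = """\
<configuration>
  <system.web>
    <authorization>
      <allow roles="Administrators" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
"""

# Constructed fragment for a public site that relies on anonymous access and
# performs its own authentication in application code (the IIS default).
ANONYMOUS_SITE_CONFIG = """\
<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>
"""

# Request principals as the authorization module sees them (constructed).
# An anonymous visitor is unauthenticated and has no roles. The application
# pool identity is the worker-process account, not the request's user, so
# group memberships granted to it never enter this check.
ANONYMOUS_VISITOR = {"authenticated": False, "name": "", "roles": set()}
ADMIN_USER = {"authenticated": True, "name": "CORP\\jdoe",  # hypothetical account
              "roles": {"Administrators"}}


def parse_rules(config_xml):
    """Return the <allow>/<deny> rules under system.web/authorization, in document order."""
    root = ET.fromstring(config_xml)
    section = root.find("system.web/authorization")
    rules = []
    if section is None:
        return rules
    for element in section:
        if element.tag not in ("allow", "deny"):
            continue
        rules.append({
            "action": element.tag,
            "users": [u.strip() for u in element.get("users", "").split(",") if u.strip()],
            "roles": [r.strip() for r in element.get("roles", "").split(",") if r.strip()],
        })
    return rules


def rule_matches(rule, principal):
    """True if the rule applies to the principal: "*" is everyone, "?" is anonymous only."""
    for user in rule["users"]:
        if user == "*":
            return True
        if user == "?" and not principal["authenticated"]:
            return True
        if principal["authenticated"] and user.lower() == principal["name"].lower():
            return True
    principal_roles = {r.lower() for r in principal["roles"]}
    return any(role.lower() in principal_roles for role in rule["roles"])


def evaluate(rules, principal):
    """HTTP status the request receives: the first matching rule decides, no match means allow.
    The verbs attribute is not modelled; every rule is assumed to cover all HTTP verbs."""
    for rule in rules:
        if rule_matches(rule, principal):
            return 200 if rule["action"] == "allow" else 401
    return 200


if __name__ == "__main__":
    for label, cfg in (("STIG-style", STIG_STYLE_CONFIG), ("anonymous site", ANONYMOUS_SITE_CONFIG)):
        rules = parse_rules(cfg)
        print(f"{label}: anonymous visitor -> {evaluate(rules, ANONYMOUS_VISITOR)}")
        print(f"{label}: admin user        -> {evaluate(rules, ADMIN_USER)}")
```

Running the script against a site's real web.config (replace the constructed fragment with the file contents) is a quick way to confirm, before changing group memberships or ACLs, whether a 401 is coming from the authorization rules rather than from file permissions: Process Monitor and the event log stay quiet in that case because no file or token operation ever fails. On a site where anonymous access is required and the application does its own authentication, the rule set has to allow the anonymous principal, which is the point imjosh's comment documents as a STIG exception.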

0 Answers