I have an Active Directory domain lab set up with AutomatedLab (a bunch of Hyper-V VMs) to test some web server configurations. The domain is CONTOSO.
I am currently testing out virtual directories on the web server (web1.contoso). In terms of authorization, here is how it's currently configured:
|-- MACHINE: Anonymous authentication (other auth disabled)
|-- Default Web Site: Anonymous authentication (other auth disabled)
|-- Virtual Directory (name: example): Windows authentication (other auth disabled)
The Windows authentication providers, from top to bottom, are "NTLM" and "Negotiate".
I am using DefaultAppPool as the application pool for the default web site and the virtual directory. The pool identity is ApplicationPoolIdentity.
I have created a corresponding file directory for the "example" virtual directory at c:\example on the web server. I gave it the following folder permissions, with no inheritance:
| User/Group | Permissions | Entity Description |
|---|---|---|
| ConfigManagement | Read/Write | AD group. Any user that belongs to the Config Management group. |
| IIS_IUSRS | Read | iis_iusr group. |
| Administrators (WEB1\Administrators) | Read/Write | Default group. |
| System | Read/Write | Default group. |
| Users (WEB1\Users) | Read/Write | Default group. |
When I visited the virtual directory on localhost (while remoted onto web1.CONTOSO as a server admin), it worked and I was able to see the index.html I had placed there.
Using a Windows 10 VM, client1.CONTOSO, I logged on as a normal user; the user is a member of the ConfigManagement security group and is also a domain user. When I visit the virtual directory at https://web1.CONTOSO/example, I get a pop-up asking for the user's credentials. Entering them repeatedly makes the pop-up window reappear until I cancel, after which I receive a 401.2 Unauthorized error in the browser.
Checking the Failed Request Tracing logs, it seems to ignore the fact that I have configured Windows Authentication for the virtual directory and fails at authenticating?
Here is a portion of the stack trace that might be relevant:
I have tried changing the authentication at the web site and machine level to Windows Authentication and restarting the web1.CONTOSO server VM, but it still exhibits the same issues when a client tries to access the virtual directory.
My initial assumption was that enabling Windows authentication and disabling anonymous authentication on the virtual directory itself should be more than sufficient, but that seems not to be the case. I'm not sure how to proceed from here or whether I missed anything.
Edit:
Web.config for the virtual directory:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <add value="NTLM" />
            <add value="Negotiate" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
    <tracing>
      <traceFailedRequests>
        <remove path="*" />
        <add path="*">
          <traceAreas>
            <add provider="ASP" verbosity="Verbose" />
            <add provider="ASPNET" areas="Infrastructure,Module,Page,AppServices" verbosity="Verbose" />
            <add provider="ISAPI Extension" verbosity="Verbose" />
            <add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI,WebSocket" verbosity="Verbose" />
          </traceAreas>
          <failureDefinitions timeTaken="00:00:00" statusCodes="200-999" />
        </add>
      </traceFailedRequests>
    </tracing>
  </system.webServer>
</configuration>
```
The Windows authentication settings on the virtual directory:
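As an added troubleshooting example (not code from the question's author), the following PowerShell, run elevated on web1, dumps the authentication settings IIS actually applies to the "example" virtual directory, whether the server-level configuration lets a web.config change them at all, the app pool identity, and recent failed logons on the server. Site, virtual directory and pool names are taken from the question; everything else uses the standard WebAdministration cmdlets and a direct parse of applicationHost.config.

```powershell
# Added example, not from the question: show the effective authentication
# configuration for the "example" virtual directory and where it comes from.
# Names (Default Web Site, example, DefaultAppPool) come from the question.
Import-Module WebAdministration

$site = 'IIS:\Sites\Default Web Site'
$vdir = 'example'
$auth = 'system.webServer/security/authentication'

# 1. Effective (merged) values at the virtual directory, after all parent
#    levels (machine, site, web.config) have been combined.
foreach ($section in 'anonymousAuthentication', 'windowsAuthentication') {
    $enabled = Get-WebConfigurationProperty -Filter "$auth/$section" -Name enabled `
               -PSPath $site -Location $vdir
    '{0,-24} enabled = {1}' -f $section, $enabled.Value
}
$providers = Get-WebConfiguration -Filter "$auth/windowsAuthentication/providers/add" `
             -PSPath $site -Location $vdir
'providers (top to bottom): ' + (($providers | ForEach-Object { $_.value }) -join ', ')

# 2. Can a web.config change these sections at all? IIS declares both with
#    overrideModeDefault="Deny" by default; a locked section in web.config is
#    rejected with a 500.19 rather than applied. The file is parsed directly
#    so the answer is not inferred from cmdlet output. (absent attribute = Allow)
$appHost = [xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config")
foreach ($name in 'anonymousAuthentication', 'windowsAuthentication') {
    $decl = $appHost.SelectSingleNode("//section[@name='$name']")
    '{0,-24} overrideModeDefault = {1}' -f $name, $decl.overrideModeDefault
}
# A <location path="Default Web Site/example" overrideMode="Allow"> block would
# delegate the sections for just this path; list any that exist.
$appHost.SelectNodes("//location[@path='Default Web Site/example']") |
    ForEach-Object { 'location overrideMode for vdir: ' + $_.overrideMode }

# 3. Identity the pool runs as (Kerberos SPN ownership follows from it) and the
#    latest failed-logon events (4625) recorded on the server for comparison
#    with the Failed Request Tracing timestamps.
$pool = Get-ItemProperty 'IIS:\AppPools\DefaultAppPool' -Name processModel
'DefaultAppPool identityType = ' + $pool.identityType
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 5 `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id
```

Compare the effective values and provider order printed in step 1 against the web.config above; if step 2 reports Deny with no Allow location for the path, the web.config settings are not the ones being applied.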