Technical: Microsoft – IIS – IIS Configuration Manager – Error Message – Error message 401.2.: Unauthorized: Logon failed due to server configuration

Background

A couple of weeks ago, we experienced problems provisioning a third-party application on one of our corporate web servers.

Though I did not come up with the solution, I think it still merits sharing.

 

Introduction

The problem is an IIS configuration issue in nature, so for the sake of simplicity let us write a basic ASP.NET Hello World application.

 

 

Code – Simple Hello World ASPX (C#)

Here is a simple Hello World ASPX application written in C#.

I used John Peterson’s posting – Writing Your First ASP.NET Page — http://www.codeguru.com/csharp/.net/net_asp/tutorials/article.php/c19305/Writing-Your-First-ASPNET-Page.htm as my jump-off.

 

<%@ Page Language="C#" %>

<script runat="server">

    // Build the greeting and show the Windows identity IIS authenticated for this request
    protected void Page_Load(Object Sender, EventArgs E)
    {
        DateTime objNow = DateTime.Now;

        String strTime = objNow.ToString("t");   // short time
        String strDay = objNow.ToString("D");    // long date

        String strMessage = strTime + " on " + strDay;

        HelloWorld.Text = "Hello World! " + "<BR>"
                        + "It is "
                        + "<i>" + strMessage + "</i>";

        // Account name of the logged-on Windows user, HTML-encoded before display
        String strUsr = HttpContext.Current.Request.LogonUserIdentity.Name;

        HelloYou.Text = "I have your name as "
                      + "<i>" + Server.HtmlEncode(strUsr) + "</i>";
    }

</script>

<html>
<head>
<title>ASP.NET Hello World</title>
</head>
<body bgcolor="#FFFFFF">

<p><asp:label id="HelloWorld" runat="server" /></p>

<p><asp:label id="HelloYou" runat="server" /></p>

</body>
</html>

 

Output

[Screenshot: HelloWorld-Good]

So everything is good.

 

IIS Configuration – .Net Authorization Rules

But, nothing is straightforward when machines are built and tightened to Corporate Standards set by well paid Security Professionals.

This appears to be part of the security hardening:

[Screenshot: DotNetAuthorizationRules]

It seems that by default “all users are denied”.

And, so a schmuck / mugu like me comes along and tries to make quick work of installing this Application.

But, I am stuck at having to authenticate.

The prompt and error screens are pasted below.

Authentication Required

[Screenshot: AuthenticationRequired]

 

 

Authentication Required

Textual

Access is denied.

Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.

Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server’s administrator for additional assistance.

Image

[Screenshot: AccessIsDenied--ErrorMessage--401]

 

Remediation

To correct this, remove the denial rule outright or restrict it to specific verbs.

 

Full Denial

Here is our Deny applied to all Users and Verbs.

[Screenshot: AuthorizationRules]

 

Denial – Specific Verbs

The list of HTTP verbs has grown quite a bit.

Here are the ones currently supported by Windows.

HTTP Verb Enumeration
http://msdn.microsoft.com/en-us/library/windows/desktop/aa364664(v=vs.85).aspx

Here we are choosing to filter out the Put/Delete/Move/Copy verbs.

[Screenshot: AuthorizationRules-FilteroutVerbsSpecific]
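
The two rule sets from the Remediation section, written as web.config and run through a simplified model of first-match rule evaluation, so the effect on GET versus PUT can be checked before touching the server. This is an added example, not code from the original post; the XML fragments, the function names and the CORP\jdoe account are constructed, and it assumes the .NET Authorization Rules are stored under system.web/authorization.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments (not from the post): the blanket deny shown
# under "Full Denial" and the verb-scoped deny under "Denial - Specific Verbs".
FULL_DENY = """<configuration><system.web><authorization>
  <deny users="*" />
</authorization></system.web></configuration>"""
VERB_DENY = """<configuration><system.web><authorization>
  <deny users="*" verbs="PUT,DELETE,MOVE,COPY" />
</authorization></system.web></configuration>"""


def _csv(value):
    """Split a comma-separated attribute into a set of lower-cased items."""
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}


def rule_matches(rule, user, roles, verb):
    """True when an <allow>/<deny> element applies to this user and verb."""
    verbs = _csv(rule.get("verbs"))
    if verbs and verb.lower() not in verbs:
        return False                  # rule is scoped to other verbs
    users = _csv(rule.get("users"))
    if "*" in users:                  # "*" means every user
        return True
    if "?" in users and not user:     # "?" means anonymous requests
        return True
    if user and user.lower() in users:
        return True
    return bool(_csv(rule.get("roles")) & {r.lower() for r in roles})


def is_allowed(web_config, user, verb, roles=()):
    """Walk system.web/authorization top-down; the first matching rule wins."""
    root = ET.fromstring(web_config)
    for rule in root.findall("./system.web/authorization/*"):
        if rule.tag in ("allow", "deny") and rule_matches(rule, user, roles, verb):
            return rule.tag == "allow"
    return True  # assumption: the inherited default <allow users="*" /> applies


def blanket_denies(web_config):
    """Return deny rules that hit every user on every verb."""
    root = ET.fromstring(web_config)
    return [dict(r.attrib) for r in root.findall("./system.web/authorization/deny")
            if "*" in _csv(r.get("users")) and not r.get("verbs")]
```

Running blanket_denies over a site's web.config flags the rule that blocks every request, and is_allowed shows which verbs stay blocked after the rule is narrowed.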

 

Conclusion

When you get IIS Authentication & privilege errors, you occasionally have to check a few places and find silent hardening rules.

Or better still, engage the Subject Matter Experts (SME) within your organization and see if they have documents on IIS base-lining & error correction.

 

 

 

 

 

 

 

 

 
