3 votes

I need some help to understand what the exact reason is that I can't get Windows Authentication working on an IIS site for a specific user group. What is happening is that even though my user is part of the group which I gave access to the site, IE keeps prompting for my credentials, and even when I type the password the HTTP response is 401 (Unauthorized). I'm also not allowed to change IE's settings to add any site to the trusted list (it's blocked by the company). On the other hand, besides the fact that it's blocked, the site domain is listed like (*.domain.com).

Follow below the scenario:

  • Server: Windows Server 2012
  • IIS: 8.5
  • Users: DomainA\MySimpleAdUser, DomainB\ServiceAdUser
  • Groups: DomainB\MYGROUP (AD Group which contains DomainA\MySimpleAdUser)
  • IIS_IUSRS (Local Server group which contains DomainB\ServiceAdUser)

Pool Settings

  • Name: PoolA
  • Process Model > Identity > DomainB\ServiceAdUser

Settings on Server Level

  • ASP.NET > .NET Authorization

    • Allow | Users: All Users | Entity type local
  • IIS > Authentication

    • Anonymous Authentication disabled
    • Windows Authentication Enabled
      • Extended protection: Off
      • Enable Kernel-mode authentication: Enabled
      • Providers: Negotiate(1st) -> NTLM(2nd)
  • IIS > Authorization Rules
    • Allow | Roles: DomainB\MYGROUP | Entity type local

Settings on Site Level (which runs on a valid SSL certificate on 443 port, this is the only binding)

  • Pool: PoolA

  • ASP.NET > .NET Authorization

    • Allow | Users: All Users | Entity type inherited
  • IIS > Authentication

    • Anonymous Authentication disabled
    • Windows Authentication Enabled
      • Extended protection: Off
      • Enable Kernel-mode authentication: Enabled
      • Providers: Negotiate(1st) -> NTLM(2nd)
  • IIS > Authorization Rules

    • Allow | Roles: DomainB\MYGROUP | Entity type inherited

Permissions on site root directory

  • Full control permission to IIS_IUSRS
  • Read&Execute, List and Read permissions to MYGROUP

Web.config

  • This is the only configuration line that exists regarding authentication: <authentication mode="Windows" />

=============================

Observations

  • I already tried to use my specific user to get access to the site, but it still prompts for the credentials.
  • The only way to get the site up and running is when I allow anonymous access to it.

Please help me to figure out what is missing. I appreciate any help.

Make sure the user that you are trying to access is a member of MYGROUP and it is replicated. - Anderson Oki

If the user trying to log in recently changed their password, make sure they clear their stored credentials in Credential Manager before attempting to log in again. A shutdown and bootup (not a restart) should fix that issue as well. - TylerH

2 Answers

9 votes

There could be an issue with the security loopback check. Please find below the procedure to disable it.

  • Click Start, click Run, type regedit, and then click OK.
  • Back up the registry.
  • In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  • Right-click Lsa, point to New, and then click DWORD Value.
  • Type DisableLoopbackCheck, and then press ENTER.
  • Right-click DisableLoopbackCheck, and then click Modify.
  • In the Value data box, type 1, and then click OK.
  • Quit Registry Editor, and then restart your computer.
5 votes

I've found that if the authenticated user is not able to read the folders for static content in your web app, it will authenticate you, then deny access. This can be solved by granting local_Machine\Authenticated_Users access to the needed resources.

In my case, I added Authenticated_Users to the IIS_IUSRS group and it solved my problem. Be aware that this can also grant any authenticated user access to all files and folders available to the IIS_IUSRS group. So be careful that these users cannot access the file system by any other means. A separate group granting NT AUTHORITY\Authenticated_Users just enough rights to read PNGs and static content is the best way to go.

Config: Windows Server 2012 R2 Running IIS 8.5, NET Framework 4.5, with static content enabled.
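The least-privilege variant recommended in the last paragraph (read-only rights for Authenticated Users on the static-content folders only, rather than membership in IIS_IUSRS), as an added PowerShell example that is not part of the answer above; the site root and folder names are assumptions for illustration:

```powershell
# Added example: grant NT AUTHORITY\Authenticated Users read/execute only on the
# static-content folders of the site, then verify the resulting ACEs.
# $siteRoot and $staticDirs are assumed values, not taken from the question.
$siteRoot   = 'C:\inetpub\wwwroot\MySite'
$staticDirs = @('Content', 'Scripts', 'images')

foreach ($dir in $staticDirs) {
    $path = Join-Path $siteRoot $dir
    if (-not (Test-Path $path)) { Write-Warning "Missing: $path"; continue }

    # S-1-5-11 is the well-known SID for Authenticated Users (locale-independent).
    # (OI)(CI) inherit the ACE to files and subfolders; RX = read and execute only,
    # so no write/modify/delete rights are granted to web users.
    icacls $path /grant '*S-1-5-11:(OI)(CI)RX' | Out-Null

    # Verify: show the ACE that now applies to Authenticated Users on this folder.
    $ace = (Get-Acl -Path $path).Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users'
    }
    foreach ($a in $ace) {
        '{0}: {1} {2}' -f $path, $a.AccessControlType, $a.FileSystemRights
    }
}

# Check that the grant was not applied too broadly: Authenticated Users should
# have no ACE on the site root itself (that would expose web.config and code).
$rootAce = (Get-Acl -Path $siteRoot).Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users'
}
if ($rootAce) { Write-Warning "Authenticated Users has rights on $siteRoot itself" }
```

Run from an elevated PowerShell prompt on the web server; the final check flags the over-broad grant the answer warns about.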