IIS - Custom Application Pool identity not being used - asp.net

I have an ASP.NET web application that uses an Application Pool with a custom identity set to connect to DB via Trusted Authentication.
I have this working correctly on a dozen servers, yet I am having an issue with one: IIS is not using the custom identity and is instead attempting to impersonate the user when initiating the DB connection.
I verified I have the app pool configured to use the custom account and my web.config has <identity impersonate="false"/>. In fact I'm using an exact copy of the code and web.config from another properly working box.
I do have Windows Authentication enabled for the app to get the user login, but not for impersonation, and this is working correctly on 12 of 13 servers. If I disable Windows Authentication on the impacted box, I get Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON when accessing the site.
I tried recreating the application pool and the the IIS Application to no avail.
Anyone seen this behavior before? I'm running out of ideas. Thanks!
ASP.NET MVC4
IIS 7.5
Server 2008 R2 64bit

Related

Access denied when browsing MVC web application with windows authentication

I deployed my MVC web Application on a machine with windows server 2008 R2(web server) that joined the company domain (the web server is not the same server has the active directory installed) my application is using integrated windows authentication. When browsing the application I got prompted by dialog to enter the login credentials and after login I got the error
"403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied."
I configured the Application authentication on IIS I disabled all authentication types and enabled only the windows authentication and Asp.net impersonation, also I set the identity of the application pool to be "local system"
My Question are: How to fix this issue? and Why the browser (all browsers not only IE) prompt the user with user credentials dialogue?
Note: I Just created a web application using Visual studio 2015 and selected authentication type "windows authentication" and left the default configuration as it is.

IIS should not ask login prompt in windows authentication

i have hosted a asp.net web applciation in windows server 2008 R2,IIS 7.0 which was developed in .net framework3.5. i have given the below authentications in IIS.
while i am accessing that website from the other network ,its asking for username and password of the server.
actually it should not ask for the login without enabling the Anonymous Authentication .
You'll need to enable anonymous authentication - there's no other way to do this

Enable windows logon prompt in asp.net application

I have a asp.net application which uses windows authentication. The user are able to access the site without problem as it a intranet application within the organization. But now i need the user to prompt window logon after filling in the details it should authenticate in IIS. How can i achieve this.

Kerberos authenticated MVC App inside an anonmyous access Site

Goal
I am trying to deploy an MVC3 application that requires Windows Authentication (specifically Kerberos) as an Application within an older asp.net Anonymous Authentication Website.
Symptoms
In IIS 7.5 Express on my box it works perfect, obviously. When I deploy it to IIS 7.5 as its own site I get challenged for domain credentials, though none are accepted. When I deploy it as an application I get the custom error page back from the hosting site. To confirm - Kerbtray shows no ticket in either scenario.
Details
Both the Site and the new child Apps run on the same application pool, and the application pool runs as AppPoolIdentity. That built-in IIS app pool account (IIS AppPool\MyAppPoolName) has full Read/Execute permissions down both the Site's and the App's folder trees. No impersonation is used.
Question(s)
Is there anything special I need to do to get NTLM and Kerberos working on an App inside an anonymous auth Site?
If not, any advice on things/places to look would be great - the ApplicationHost.config and the app's web.config files look fine.
EDIT: For clarification, this is all on a corporate network that uses Kerberos extensively for other purposes. "Site" refers to an IIS Website and is distinguished from an "Application" that must be hosted within an IIS Site.
After working on this a bit more, I found the answer:
Nothing special is needed to host a Windows (Kerberos) authenticated IIS App within an Anonymous authenticated IIS Site on IIS 7.5 so long as:
a. Kernel Mode Authentication is On - No SPNs required.
b. The application uses the same App Pool Identity as the hosting parent. Different App Pools and their identities can be used, but this does require further NTFS permissions and is beyond the scope of this particular issue.
The issue with my error was something much more simple yet elusive... the parent Site had a custom set of error pages defined in <HttpErrors> including pages for 401 and 403.
This was the error page returned when the user requested a page from the nested Application because Kerberos sends a 401 first, to challenge the user for credentials and ask/him her to get and provide a Kerberos ticket... but because the parent Site returned a 200 response (the custom error page) the user never got a Kerberos ticket.
With these off, the user is now appropriately getting a Kerberos ticket and falls back to NTLM as by default.

IIS 7 asp.net application - pass through windows authentication from client to Sharepoint web service (not app pool account)

I'm a little stuck configuring IIS to enable full "pass through" authentication on a web app that communicates with Sharepoint 2010 web services in the code behind. This all runs on a local domain.
I've set the site up as "Windows" authentication in the web.config:
The "asp:LoginName" control displays my domain\user id correctly when the app is deployed to the site.
Everything works fine, however all the work done in the back end connecting to Sharepoint runs under the AppPool account, not the user logged in running the site.
For audit reasons, I want to be able to run everythign as the user that is running the site, not the app pool account.
Can I configure the App Pool to use (or impersonate) the client user account? I thought this would be straight forward, but I'm struggling to see what I have to do to enable this in IIS.
Impersonation isn't set up in IIS; rather, it's configured through the ASP.NET application itself in web.config.
See http://support.microsoft.com/kb/306158 for more details, but in brief as you find that the ASP.NET LoginName control sees your credentials your user principal is set correctly. So, just including
<identity impersonate="true" />
in your web.config file should work fine.

Resources