IIS URL Authorization, Forms authentication and the 401.2 error

I recently experienced a confusing, head-ache-causing problem while deploying an MVC application to a Windows Server 2008.
The issue looked simple enough: the Web server returned a 401 (unauthorized) error when I tried to access the application, which required Forms Authentication to function properly.

Analyzing the issue

I started out with the basics. Check the anonymous and forms authentication settings, check the AppPool configuration, check if the AppPool user has all necessary rights, etc.

But all to no real avail. IIS kept redirecting me to the logon page (even when the session was authenticated!). Using fiddler it became more and more clear that the problem was not in the code, but somewhere in the configuration of IIS. But I had just re-checked everything that, to my knowledge, could cause the problem..

I quickly created an empty .NET application with a simple (authentication-free) web.config. This would guarantee that the problem lied in the IIS configuration, and not in the application itself. I still got the 401.2 error.

Identifying the issue

So, somewhere in IIS, something was going terribly wrong.. After hours of searching, it turned out that there was a feature installed called 'URL Authorization'..
According to Microsoft, URL authorization simplifies the authentication scheme of IIS, allowing you to put authorization rules on the actual URL instead of the underlying file system resource. Which is actually a great feature!

URL Authorization does add another abstraction over the standard IIS authentication mechanism, which will throw an unauthorized exception when not configured correctly.

Resolving the issue

  • Make sure IIS is configured to use Anonymous and Forms authentication.
  • Click 'Authorization Rules' and click 'Add Allow Rule…'. Select 'All users'.

This will add the following configuration to your web.config (you can just add this to your config file if you are a pro ;)):

<system.webServer>
  <security>
    <authorization>
	  <add accessType="Allow" users="*" />
   	</authorization>
  </security>
</system.webServer>`

All the configuration you normally do (forms, location.path, etc) can be resumed at this point.

Side-note: Microsoft adds a default URL Authorization rule to allow access to anonymous users on the root level of the machine. It should be noted that if the server administrators- in all their might and wisdom- do not remove this default rule, this problem shouldn't occur to begin with.

Newer Articles
Older Articles