IIS - 401.3 - Unauthorized

Question

I am trying to get started with using IIS. I created a new site on IIS Manager, mapped it to a folder on my file system and added index.html to the folder. I have set the po

Answer 1

Here is what worked for me.

1. Set the app pool identity to an account that can be assigned permissions to a folder.
2. Ensure the source directory and all related files have been granted read rights to the files to the account assigned to the app pool identity property
3. In IIS, at the server root node, set anonymous user to inherit from app pool identity. (This was the part I struggled with)

To set the server anonymous to inherit from the app pool identity do the following..

• Open IIS Manager (inetmgr)
• In the left-hand pane select the root node (server host name)
• In the middle pane open the 'Authentication' applet
• Highlight 'Anonymous Authentication'
• In the right-hand pane select 'Edit...' (a dialog box should open)
• select 'Application pool identity'

Answer 2

If you are working with Application Pool authentication (instead of IUSR), which you should, then this list of checks by Jean Sun is the very best I could find to deal with 401 errors in IIS:

---

Open IIS Manager, navigate to your website or application folder where the site is deployed to.

1. Open Advanced Settings (it's on the right hand Actions pane).
2. Note down the Application Pool name then close this window
3. Double click on the Authentication icon to open the authentication settings
4. Disable Windows Authentication
5. Right click on Anonymous Authentication and click Edit
6. Choose the Application pool identity radio button the click OK
7. Select the Application Pools node from IIS manager tree on left and select the Application Pool name you noted down in step 3
8. Right click and select Advanced Settings
9. Expand the Process Model settings and choose ApplicationPoolIdentityfrom the "Built-in account" drop down list then click OK.
10. Click OK again to save and dismiss the Application Pool advanced settings page
11. Open an Administrator command line (right click on the CMD icon and select "Run As Administrator". It'll be somewhere on your start menu, probably under Accessories.

12. Run the following command:

    icacls <path_to_site> /grant "IIS APPPOOL\<app_pool_name>"(CI)(OI)(M)
    

    For example:

    icacls C:\inetpub\wwwroot\mysite\ /grant "IIS APPPOOL\DEFAULTAPPPOOL":(CI)(OI)(M)
    

---

Especially steps 5. & 6. are often overlooked and rarely mentioned on the web.

Answer 3

Since you're dealing with static content...

On the folder that acts as the root of your website- if you right click > properties > security, does "Users" show up in the list? if not click "Add..." and type it in, be sure to click "Apply" when you're done.

Answer 4

TL;DR;

In most cases, granting access to the following account(s) (one|both) will be enough:

1. IIS AppPool\DefaultAppPool
2. IUSR

with Access Rights:

1. Read & Execute
2. List folder contents
3. Read

That's it!

Read on for a more detailed explanation...

---

1. Open IIS and select your application.
2. On the right side click on Authentication.
3. Select "Anonymous authentication" here.
4. The following dialog pops up.

Grant access to the web application folder's ACL depending what is selected in the pic above:

• Specific user: grant access for both IUSR (in my case) + IIS AppPool\DefaultAppPool
• Application pool identity: grant access for IIS AppPool\DefaultAppPool only

IIS AppPool\DefaultAppPool account is the default AppPool account for new IIS web applications, if you have set a custom account, use the custom one.

---

Give the following permissions to the account(s):

1. Read & Execute
2. List folder contents
3. Read