问题
I need some help to understand what is the exactly reason I can'g get Windows Authentication working on IIS site for a specific user's group. What is happening is that even my user being part of the group which I gave access to the site, IE keeps prompting for my credentials and even when I type the password the HTTP response is 401 (Unauthorized). I'm also not allowed to change IE's settings to add any site to the trusted list (it's blocked by the company). In the other hand, besides the fact that it's blocked, the site domain is listed like (*.domain.com)
Follow bellow the scenario:
- Server: Windows Server 2012
- IIS: 8.5
- Users: DomainA\MySimpleAdUser, DomainB\ServiceAdUser
- Groups: DomainB\MYGROUP (AD Group which contains DomainA\MySimpleAdUser)
- IIS_IUSRS (Local Server group which contains DomainB\ServiceAdUser)
Pool Settings
- Name: PoolA
- Process Model > Identity > DomainB\ServiceAdUser
Settings on Server Level
ASP.NET > .NET Authorization
- Allow | Users: All Users | Entity type local
IIS > Authentication
- Anonymous Authentication disabled
- Windows Authentication Enabled
- Extended protection: Off
- Enable Kernel-mode authentication: Enabled
- Providers: Negotiate(1st) -> NTLM(2nd)
- IIS > Authorization Rules
- Allow | Roles: DomainB\MYGROUP | Entity type local
Settings on Site Level (which runs on a valid SSL certificate on 443 port, this is the only binding)
Pool: PoolA
ASP.NET > .NET Authorization
- Allow | Users: All Users | Entity type inherited
IIS > Authentication
- Anonymous Authentication disabled
- Windows Authentication Enabled
- Extended protection: Off
- Enable Kernel-mode authentication: Enabled
- Providers: Negotiate(1st) -> NTLM(2nd)
IIS > Authorization Rules
- Allow | Roles: DomainB\MYGROUP | Entity type inherited
Permissions on site root directory
- Full control permission to IIS_IUSRS
- Read&Execute, List and Read permissions to MYGROUP
Web.config
- This is the only configuration line that exists regarding authentication: <authentication mode="Windows" />
=============================
Observations
- I already tried to use my specific user to get access to the site, but stills prompt for the credentials
The only way to get the site up and running is when I allow anonymous access to it.
Please help me to figure out what is missing. I appreciate any help.
回答1:
There could be an issue with security loopback check. Please find below procedure to disable it.
- Click Start, click Run, type regedit, and then click OK.
- Backup the registry
- In Registry Editor, locate and then click the following registry key:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Right-click Lsa, point to New, and then click DWORD Value.
- Type DisableLoopbackCheck, and then press ENTER.
- Right-click DisableLoopbackCheck, and then click Modify.
- In the Value data box, type 1, and then click OK.
- Quit Registry Editor, and then restart your computer.
回答2:
I've found that if the authenticated user is not able to read the folders for static content in your web app, it will authenticate you, then deny access. This can be solved by Granting local_Machine\Authenicated_Users access to the needed resources.
In my case, I added Authenticated_users to the IIS_IUSRS Group and it solved my problem. Be aware that this can also grant any authenticated user to all files and folders available to the IIS_IUSRs group. So be careful that these users cannot access the file system by any other means. A separate group granting NT AUTHORITY\Authenticated_Users just enough rights to read pngs, and static content is the best way to go.
Config: Windows Server 2012 R2 Running IIS 8.5, NET Framework 4.5, with static content enabled.
来源:https://stackoverflow.com/questions/45173852/iis-site-keeps-prompting-for-credentials-for-windows-authentication-method