Pass-through authentication not working. IIS 7

Question

On IIS 7 I set up an application called "XYZ", and an application pool for it.

I set the identity of this application pool to a custom user, let's call it "Mario".

Mario has NTFS access to the folder/files in which XYZ points to (remote share).

In the XYZ authentication settings, only windows authentication is enabled:

In the providers for windows authentication, only NTLM is active:

Physical path credentials for XYZ are set to application user / pass-through:

So the problem is, when I go to http://server.com/XYZ I get challenged (which is to be expected), but I does not matter what I put in, it looks like the authentication token is not accepted, and the browser challenges me again.

I have looked at logs for Active Directory and the requests are coming through, but even when the user is successfully authenticated the browser challenges again.

HERE'S THE GOAL: to allow directory listing, but to use credentials provided by the user for NTFS access. Right now I can't get that to work. THANK YOU!

Here's the Web.config file:

Answer 1

The trick to getting this to work is to add 'Users' to the permissions. Set up IIS just like you have with NTLM as the top provider, Windows Authentication only enabled (you can get rid of the section in the web.config, all you need is <authentication="Windows" />) and add IIS_USRS and Users to the permission set.

Answer 2

In addition to the existing answer, if you don't want to have the user challenged, IE security must be setup correctly in the user's browser for the target zone. In my case I wanted my local dev system to login without being challenged (automatic pass-through). The setting is in Internet Options->Security tab->Custom level..., at the bottom (make sure you selected the correct zone). My trusted sites zone was defaulted to Automatic logon only in Intranet zone. I changed it to Automatic logon with current user name and password for my trusted sites zone, and made sure my local machine name was in the trusted sites list (I use the local machine [pc] name instead of localhost in special cases).