A couple of weeks ago, we experienced problems provisioning a third-party application on one of our corporate web servers.
Though I did not come up with the solution, I think it still merits sharing.
The problem is an IIS configuration issue, so for the sake of simplicity let us write a basic ASP.NET Hello World application.
Code – Simple Hello World ASPX (C#)
Here is a simple Hello World ASPX application written in C#.
I used John Peterson’s posting – Writing Your First ASP.NET Page — http://www.codeguru.com/csharp/.net/net_asp/tutorials/article.php/c19305/Writing-Your-First-ASPNET-Page.htm as my jump-off.
So everything is good.
IIS Configuration – .Net Authorization Rules
But nothing is straightforward when machines are built and tightened to Corporate Standards set by well-paid Security Professionals.
This appears to be part of the security hardening:
It seems that by default “all users are denied.”
And so a schmuck / mugu like me comes along and tries to make quick work of installing this Application.
But, I am stuck at having to authenticate.
The prompt and error screens are pasted below.
Access is denied.
Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server’s administrator for additional assistance.
To correct this, remove the denial rule outright or restrict it to specific verbs.
Here is our Deny applied to all Users and Verbs.
Denial – Specific Verbs
The list of HTTP verbs has grown quite a bit.
Here are the ones currently supported by Windows.
HTTP Verb Enumeration
Here we choose to filter out the PUT/DELETE/MOVE/COPY verbs.
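The two rule sets above, written as the system.web/authorization section that .NET Authorization Rules stores in web.config, and checked verb by verb using ASP.NET's first-match evaluation. This is an added example, not code from the original post: the web.config fragments, the CORP\alice account and the function names are constructed for illustration. It reads a single file only and does not merge rules inherited from parent configuration.

```python
import xml.etree.ElementTree as ET
# Constructed web.config fragments (not copied from the server in the post).
DENY_ALL = """<configuration><system.web><authorization>
  <deny users="*" />
</authorization></system.web></configuration>"""
DENY_VERBS = """<configuration><system.web><authorization>
  <deny users="*" verbs="PUT,DELETE,MOVE,COPY" />
</authorization></system.web></configuration>"""


def _csv(value):
    """Split a comma-separated attribute into a lowercase set."""
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}


def load_rules(web_config_xml):
    """Return the allow/deny rules of system.web/authorization, in file order."""
    root = ET.fromstring(web_config_xml)
    node = next((a for sw in root if sw.tag == "system.web"
                 for a in sw if a.tag == "authorization"), None)
    return [(el.tag, _csv(el.get("users")), _csv(el.get("roles")),
             _csv(el.get("verbs")))
            for el in (node if node is not None else [])
            if el.tag in ("allow", "deny")]


def evaluate(rules, verb, user=None, roles=()):
    """First matching rule wins; user=None means an anonymous request."""
    roles = {r.lower() for r in roles}
    for action, users, rule_roles, verbs in rules:
        if verbs and verb.lower() not in verbs:
            continue  # rule is scoped to other verbs
        user_hit = ("*" in users or ("?" in users and user is None)
                    or (user is not None and user.lower() in users))
        if user_hit or (rule_roles & roles):
            return action
    # No match in this file: assume the root web.config <allow users="*" />.
    return "allow"


def report(web_config_xml, user=None, verbs=("GET", "POST", "PUT", "DELETE")):
    """Map each verb to the decision this file yields for the given user."""
    rules = load_rules(web_config_xml)
    return {v: evaluate(rules, v, user) for v in verbs}


if __name__ == "__main__":
    print("deny all  :", report(DENY_ALL, user="CORP\\alice"))
    print("deny verbs:", report(DENY_VERBS, user="CORP\\alice"))
```

With the blanket deny, even an authenticated account is refused on GET, which is the 401.2 case described above. With the verb-scoped deny, GET and POST fall through to the default allow.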
When you get IIS Authentication & privilege errors, you occasionally have to check a few places and find silent hardening rules.
Or better still, engage the Subject Matter Experts (SME) within your organization and see if they have documents on IIS base-lining & error correction.