Technical: Microsoft – IIS – IIS Configuration Manager – Error Message – Error message 401.2.: Unauthorized: Logon failed due to server configuration


A couple of weeks ago, we experienced problems provisioning a Third party application on one of our corporate web servers.

Though, I did not come up with solution, I think it still merits sharing.



The problem is IIS Configuration in nature and so for the sake of simplicity let us write a basic ASP.Net Hello World application.



Code – Simple Hello World ASPX (C#)

Here is a simple Hello World ASPX application written in C#.

I used John Peterson’s posting – Writing Your First ASP.NET Page — as my jump-off.


<%@ Page Language="C#" %>
<script runat="server">

    protected void Page_Load(Object Sender, EventArgs E)
	    String strMessage;
	    DateTime objNow = DateTime.Now;
	    String strDayofWeek = objNow.ToString("dddd");
	    String strTime = objNow.ToString("t");
	    String strDay = objNow.ToString("D"); 
	    strMessage = strTime + "  " + " on " + " " 
                                + strDay;
	    HelloWorld.Text = "Hello World! " + "<BR>" 
				+ "It is " 
				+ "<i>"
				+ strMessage
				+ "</i>"						;
	   String strUsr ;
           strUsr = HttpContext.Current.Request.LogonUserIdentity.Name;
	   HelloYou.Text = "I have your name as " 
					+ "<i>"
					+ strUsr 
	  			        + "</i>"													;
<title>ASP.NET Hello World</title>
<body bgcolor="#FFFFFF">
<p><asp:label id="HelloWorld" runat="server" /></p>

<p><asp:label id="HelloYou" runat="server" /></p>





So everything is good.


IIS Configuration – .Net Authorization Rules

But, nothing is straightforward when machines are built and tightened to Corporate Standards set by well paid Security Professionals.

This appears to be part of the security hardening:


It seems that by default “all users are denied.”.

And, so a schmuck / mugu like me comes along and tries to make quick work of installing this Application.

But, I am stuck at having to authenticate.

The prompt and error screens are pasted below.

Authentication Required




Authentication Required


Access is denied.

Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.

Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server’s administrator for additional assistance.





To correct remove the denial rule outright or restrict it to specific verbs.


Full Denial

Here is our Deny applied to all Users and Verbs.





Denial – Specific Verbs

HTTP Verbs list has been increasingly quite a bit.

Here are the ones currently supported by Windows.

HTTP Verb Enumeration

Here is us choosing to filter out Put/Delete/Move/Copy verbs.




When you get IIS Authentication & privilege errors, you occasionally have to check a few places and find silent hardening rules.

Or better still, engage the Subject Matter Experts (SME) within your organization and see if they have documents on IIS base-lining & error correction.










Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s