HTTP Error 401.2 - Unauthorized You are not authorized to view this page due to invalid authentication headers.

We just moved from a Windows Server 2003 to a Windows Server 2012.   Whenever we try to access any of the websites in IIS with the the error

HTTP Error 401.2 - Unauthorized
You are not authorized to view this page due to invalid authentication headers.

I already made sure that anonymous authentication was enabled.   Windows Authentication is also available as an option, but it is disabled.

I gave the user IUSR full access to the folders where the webpage files are located in the server.

I also made sure that on the Authorization rules all users were allowed.

In the application pool, the Enable 32-bit Applications is set to True.

I'm thinking this is some kind of authentication error because if I enable Windows Authentication instead of Anonymous Authentication, I can see the website when I entered a valid username and password from one of the accounts in the server.  

Any help will be greatly appreciated.

Who is Participating?
Quick question can you tell me what method you used to migrate the websites
Yes this is due to the type of authentication you setup.

I am not sure the nature of your application but if your expectation is for anyone to access the site then you need anonymous:
From the Start menu, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
Under the Tree pane, browse to the desired Web site.
Right-click the Web site, and then click Properties.
On the Directory Security tab, under Anonymous access and authentication control, click Edit.

Can you also check the configuration on the 2003 server for comparison.

See the following link for more detailed info:
mfsrulesAuthor Commented:
Thanks for the reply.  I already went through that article.  Anonymous authentication is already enabled.    The only difference now is that on the Windows Server 2003  Other than Anonymous Authentication, we had also enabled "Integrated Windows authentication"
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

So are you saying your site does not load when you select Anonymous auth ?

Take a look at the web.config for you app and see how it is configured

Also you might want to look into appcmd.exe unlock for a more advanced way of handling this.

appcmd unlock config /section:windowsAuthentication
appcmd set config "default web site" /section:windowsAuthentication /enabled:true

appcmd unlock config /section:anonymousAuthentication
appcmd set config "default web site" /section:anonymousAuthentication /enabled:true
mfsrulesAuthor Commented:

That is correct.  That is what makes it so confusing.   Here's the contents of the web.config file

<?xml version="1.0" encoding="UTF-8"?>
        <staticContent enableDocFooter="false" />
                <remove users="*" roles="" verbs="" />
                <add accessType="Allow" users="?" />
                <add path="*">
                        <add provider="WWW Server" areas="Authentication,Module" verbosity="Verbose" />
                    <failureDefinitions timeTaken="00:00:00" statusCodes="401.2" />
        <authentication mode="Windows" />
Try running the below:

appcmd unlock config /section:anonymousAuthentication
appcmd set config "" /section:anonymousAuthentication /enabled:true
appcmd unlock config "\Your App" /section:windowsAuthentication -commit:apphost
appcmd set config "\Your App" /section:windowsAuthentication -commit:apphost
iisrest /noforce

See if this resolves it for you.
mfsrulesAuthor Commented:
I ran the first two per your previous comment and no luck.

What is the section "Your App"
Can you test this, create a simple html page in the root directory of the app and try loading it anonymously.
mfsrulesAuthor Commented:
I created a basic HTML document and changed the settings on the Default document options  so that it would load first. (Also renamed the index.asp file just to make sure).

Still getting the same error 401.2 Unauthorized
okie so this sounds like possibly at the ntfs level.

Can you change permissions on the file to give Everyone Read permission and try again.
mfsrulesAuthor Commented:
I gave the users group permission for read, but no success
mfsrulesAuthor Commented:
Also gave the "Everyone" group permission for the index.html file.  No luck
Does anonymous access work on any other sites on this server ?
mfsrulesAuthor Commented:
No.  None of the websites work at all.  All of them give the same error.   I also tried givig "Everyone"  Read access to the C:\inetpub\wwwroot  folder.   No luck as well
mfsrulesAuthor Commented:
Copy and paste the website folders from the old server to the new server.   We dont run many websites so we just created the websites from scratch from the IIS Manager
Ok so let's hope you still have the 2003 / iis server online.
I am going to give you a link for migrating websites.

Let's use that method (there are several difference between iis6 & iis7 any of which could be the cause for the break here).

It would be easier to just do a migration.
It will take a few hours (mostly reviewing the process).

Though the link says 2008 (it should work for 2012)
mfsrulesAuthor Commented:
We do not mavy many websites, so we just deleted all of the websites from the IIS menu and re-added them.   Somewhere along the lines, my co-worker did something when he first imported the websites.   Now everything is working as it should be.  I guess I should have thought about about this before, but reminded me with the migration issues comments.  Thank you very much @becraig
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.