Subsites will inherit from the default website .. you can change it in the specific subsite..  I generally don't use subsites but create new sites

Because of the certificate/bindings, we can't create new sites.  For those apps with anonymous access applied, are you saying they will be affected by windows auth because default website has windows auth applied?

only if you select windows authentication after the subsites are created and disable anonymous it will traverse down as they share the same section of the web.config  You have to go to each website and alter the authentication settings.


http://screencast.com/t/XEuySpz4UN

I understand you can control authentication on sub-sites.  The reason I'm asking is because we're experiencing strange behavior with our site.

If you look at the screenshot in the first post, that is how IIS is configured.  We are working in a controlled environment and the client requires IWA enabled on default web site, for additional security.

However, when we access our application with anonymous access applied (web-services seen above in screenshot), every so often the user experiences a weird page refresh.  About 1 in 15 the issue occurs.  When we disable IWA on default web site, we can not recreate the issue.

We're digging through domain controller logs because no local events or IIS logs show an authentication problem.  We don't understand why a site with anon access enabled would face these kind of issues.

Are there any resources online or best practice which could help explain this scenario?

Hi,
I've proven the following scenario which is exactly what I need to understand:



From the Win7 PC when you access /web-services/ in your browser, you are prompted for creds.

Why?  I thought I could explicitly control authentication of sub-sites but this test case proves that default web site authentication takes precedence over sub-site authentication.

I already told you this and even have a video had you cared to look at it and also WHY and how to fix it.. it is in the web.config.. you can change 1 subsite's web config and then copy it over to the other subsites.

https://www.experts-exchange.com/questions/28468240/In-IIS-7-5-does-Windows-Authentication-applied-to-Default-Web-Site-affect-sub-nodes-where-Anonymous-Access-is-applied.html?anchorAnswerId=40181931#a40181931

David, I watched the video the day you posted.  Thanks.

I'm afraid you're missing my question/issue.  I would be repeating myself if I started over.  Bottom line, we must keep IWA enabled on default web site.  But it affects sub-sites that have anonymous access applied.  I know it can be changed, but the customer won't let us.  So there's a breakdown in AD/authentication somewhere.  I was hoping for an explanation or online resource about IWA applied on default website and sub-sites below with anon access.