IIS (2012R2) Simple Basic Authentication on a Folder

Posted on 2015-01-24
Medium Priority
Last Modified: 2015-06-02
We recently transitioned from a 2003 to a 2012R2 IIS box and I'm at a loss with regards to not getting Basic Authentication to work to protect a simple folder.

Previously we forced a URL to HTTPS with a rewrite for a given folder, set the folder to Basic Authentication, set the Domain the domain the server was in and set the realm to '/'.  That was it, pretty simple.

IIS 8 seems even more simple on this front, set Require SSL, Disable Anonymous and Enable Basic at the folder.  Same Domain and Realm settings.  However, when the folder is accessed from a browser (IE, FF, C) it immediately gives a 401.2 error without prompting for user ID/PWD.

Most searches are turning up complex issues regarding asp/.net apps and issues between application pool identities.  I must be leaving out something pretty simple, but not figuring it out.  I do have .php files we would like to use, but the same effect occurs with regards to a simple html or pdf file... all view just fine if anonymous is turned back on.

What am I missing?... and is there a good article/whitepaper that someone can direct me to that details it as the TechNet and MS KB's I've finding from IIS 7 - IIS 8 do not go into any further detail than what I've figured on my own.
Question by:jiriki
  • 7
  • 3
LVL 12

Expert Comment

ID: 40568896
please check allow/deny configuration in authorization. also verify that you don't have cached username/pass in client using network password management,
did you enabled integerated authintication?

Author Comment

ID: 40572068
Thanks for replying.  I've cleared browser cache both via utility and manually.  I have storing form and passwords turned off across all 3 browsers (IE, FF, C).  In i.e. the website is not in trusted or local list and the IE Option Logon is set to Automatic only if in Intranet zone (default), but same results if I set to Prompt.  Have tried from multiple clients, all of which produce the same result so I'm fairly confident it is server config.

I've not touched Authorization Rules for the folder which are inherited from the sites: Allow | All Users

Can you go into details regarding 'enabling Integrated authentication' ?  The only Auth protocols I have installed are the defaults (Anonymous | ASP.NET impersonation | Basic Auth | Windows Auth... with the only one enabled being Basic Auth).  So if you mean Windows Authentication ~ to integrated, then no I do not and I do not want that (at least I don't think so.  In IIS6 there was issues with multi-domain forests and Windows Auth so that users from another domain could not auth.   Whether this was a limitation of Windows Auth in II6 or how our Forest was setup... we have 5 sub-domains... I don't know as I am not privileged for that info nor able to get any change on that front, but I do know that Basic Auth in IIS6 functioned fine for us cross domain. ).

I've checked the applicationHost.config and it is registering the proper settings for that location:
<location path ="sitename/folder">
          <access sslFlags="Ssl" />
                <anonymousAuthentication enabled="false" />
                <basicAuthentication enabled="true" realm=""    defaultLogonDomain="" />
                <windowsAuthentication enabled ="false" />

Open in new window

... I've tried setting realm to "/" and domain of which this system is a Member Server of, but my understanding is that leaving them blank does basically the same thing.  I've tried copying these same settings to the web.config file in the folder, with no change in symptoms.

Author Comment

ID: 40572079
... update with regards to "Integrated Authentication", if you were meaning the IE Advanced setting "Security | Enable Integrated Windows Authentication", then yes, this was check on all systems tested from.  However, unchecking this and restarting the computer (edited from orig. saying IE, but setting requires Windows restart) still produces the same result.
WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

LVL 12

Expert Comment

ID: 40572251
I've not tested if BasicAuthintication options are shown when you did not add it to server role
please verify the server roles
please check this


Author Comment

ID: 40581140
Yes, basic authentication is installed.  Under the security section I have Request Filtering, Basic Authentication, IP and Domain Restrictions, URL Authorization and Windows Authentication Installed.
LVL 12

Expert Comment

ID: 40581194
did you try to temporarily enable NTFS access for everyone on the folder

Author Comment

ID: 40581217
Well, I'm at a complete loss.  I created a completely new site with the same config... base root allowing non-ssl and anonymous with a subfolder set to force SSL, disallow Anonymous and enable Basic configuration and it is functioning as I think it should be (with prompt and all).  I've spent almost 2 hours scouring folder ACL rights, IIS config entries and .config file entries and I cannot discover the reasoning behind the failure under the original site.

It has got to be something simple I'm missing... possibly a corruption of one of the .config file entries that I'm just not picking up on... but its obviously isolated to a specific site.

Author Comment

ID: 40718518
Not actual answer, but isolated as a system/config specific problem.

Assisted Solution

jiriki earned 0 total points
ID: 40809268
Strangely enough, I've isolated the problem down to custom error pages that were enabled for the site.  So at the root of the site I have various custom error pages.  401.2 and 401 had to be removed (leaving one or the other was not enough).  After removing the custom error pages for those specific errors, I am prompted properly for the username and password.  So it was indeed a site specific configuration issue.

Why this is the case I have no idea.  Will have to look into this.

Accepted Solution

jiriki earned 0 total points
ID: 40809361
OK, a little more digging.  For some reason (my ignorance) the 'ExecuteURL' type option for custom errors does not process the error code as you would think... not only does the client get the wrong code (i.e. 401.2 and 401.1 does not go back), but how IIS handles it is different... I just can't determine the what and why.

Changing the custom error to type of 'File' resolves the issue, however your custom error pages do not resolve (you get the generic white page with generic "You do not have permission to view this directory or page"... even with show friendly http errors option unchecked in IE.  If you change your file path to an absolute path... (i.e. c:\myroot\blah\ from /blah/) you get a generic error "The page cannot be displayed".

After a bit of more scrounging around, I found that even though the default file location is an absolute path (%SystemDrive%\inetpub\custerr\<LANGUAGE-TAG>\...) a custom absolute path will NOT work by default.  You have to enable the option allowAbsolutePathsWhenDelegated option for the site.  To do this you have to go into the sites main home screen in the IIS manager, click Configuration Editor, select system.webServer/httpErrors in the Section dropdown, then change the From <sitename> Web.config to ApplicationHost.config <location path='<sitename>' />... (I assume you could probably manually edit the ApplicationHost.config file itself, but but this works).  THen change the above attribute to True.

Once you do this, you can change the custom error type to File and use an absolute path.   Now, why can't I use a relative path is beyond me.   You can put the customer_err.htm file in the root of the site and then in the File location field just put the file name, it will work ... i.e. a limited relative path if it is on the root of the site, but who wants to clutter the root of their site with custom error pages vs having in a sub folder or folder outside of the site tree?

Anyway, after doing all this, I seem to get the results that I was originally looking for.  Just frustrating about all the little tidbits that are undocumented.

Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Resolve DNS query failed errors for Exchange
The Internet has made sending and receiving information online a breeze. But there is also the threat of unauthorized viewing, data tampering, and phoney messages. Surprisingly, a lot of business owners do not fully understand how to use security t…
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question