IIS 6 – Integrated Authentication – requires a daily restart to recognise extra domain users

http-authentication, iis, windows-authentication

We have sub webpage (classic ASP) set up with Windows Authentication and no anonymous access.

Permissions to the target directory are set as Read/Execute for a domain local group. This group comprises members of another domain with which we have a trust relationship. Let's call it GroupA.

Permissions are also set for the IT group of our domain, of which I'm a member (GroupIT).

All works fine, until something happens overnight…

Each morning the GroupA members cannot access the site, being challenged for a login/password. Entering their credentials here (with domain qualifier) does not work. GroupIT access works fine.

Webserver logs show "401 5" errors. Event viewer Security logs show the users authenticating successfully to the server.

IIS is not completing the authentication process. It looks as if the permissions for GroupA on the target folder are dropped. They are of course still visible though.

A restart of IIS sorts the problem until next morning.

Have spent a lot of time trying to get to the bottom of this, including using MS Auth Diagnostics, which confirms an Authentication (401) problem when I probe a login using a GroupA user's credentials. There is no task running on webserver or our domain that would obviously cause this. I don't think it's a case of cached credentials, as I have added new users to GroupA and found they could not access the site either.

I would greatly appreciate any thoughts.
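As an added example (not part of the question or answer), the following PowerShell script parses IIS 6 W3C log lines and groups the 401 responses by hour, sub-status, Win32 status and user. Pinning down the hour at which the 401s begin is what lets you compare the onset against overnight jobs, Kerberos ticket lifetimes or trust-related events on the domain controllers. The log lines are constructed samples; the field list is the IIS 6 default W3C field set, and the script takes any IIS log file as input.

```powershell
# Constructed IIS 6 W3C log sample (not real data). Replace $sampleLog with
# Get-Content of a real log, e.g. C:\WINDOWS\system32\LogFiles\W3SVC1\ex090602.log
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-06-02 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-06-02 06:58:10 10.0.0.5 GET /sub/default.asp - 80 TRUSTED\alice 10.1.2.3 Mozilla/4.0 200 0 0
2009-06-02 08:02:15 10.0.0.5 GET /sub/default.asp - 80 - 10.1.2.4 Mozilla/4.0 401 2 5
2009-06-02 08:02:16 10.0.0.5 GET /sub/default.asp - 80 TRUSTED\bob 10.1.2.4 Mozilla/4.0 401 5 0
2009-06-02 08:05:40 10.0.0.5 GET /sub/default.asp - 80 LOCAL\itadmin 10.1.2.9 Mozilla/4.0 200 0 0
2009-06-02 08:11:02 10.0.0.5 GET /sub/default.asp - 80 TRUSTED\carol 10.1.2.7 Mozilla/4.0 401 5 0
2009-06-02 09:30:45 10.0.0.5 GET /sub/default.asp - 80 TRUSTED\bob 10.1.2.4 Mozilla/4.0 401 5 0
'@

# Turn W3C log lines into objects, using the #Fields: header to name the columns.
# Directives (#Software, #Date, ...) and malformed lines are skipped.
function Get-IisLogRecords {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = ($line.Substring(8).Trim() -split ' ')
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        if ($null -eq $fields -or $values.Count -ne $fields.Count) { continue }
        $rec = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        [pscustomobject]$rec
    }
}

# Count 401 responses per hour, broken down by sub-status / Win32 status,
# and list the distinct users that hit each bucket.
function Get-401Timeline {
    param([object[]]$Records)
    $Records |
        Where-Object { $_.'sc-status' -eq '401' } |
        Group-Object { '{0} {1}:00  401.{2} (win32 {3})' -f $_.date, $_.time.Substring(0, 2), $_.'sc-substatus', $_.'sc-win32-status' } |
        Sort-Object Name |
        Select-Object @{ n = 'Hour / status'; e = { $_.Name } },
                      Count,
                      @{ n = 'Users'; e = { ($_.Group.'cs-username' | Sort-Object -Unique) -join ', ' } }
}

$records = Get-IisLogRecords -Lines ($sampleLog -split "`r?`n")
Get-401Timeline -Records $records | Format-Table -AutoSize
```

On the constructed sample the table shows the 401s starting in the 08:00 hour and confined to TRUSTED\ accounts, while the LOCAL\ account keeps getting 200s; the same query over several days of real logs shows whether the onset hour is constant, which is what you would match against scheduled tasks and ticket or token expiry windows.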

Best Answer

Thoughts:

  • Does recycling the Application Pool that contains the authenticated page fix the problem?

  • Can the app containing the page be isolated into its own App Pool?

If either fixes the issue, you might be able to work around it (in lieu of actually fixing it) by setting a scheduled recycle for that app pool, for (say) 5am each day.

After 5am, the first request coming in will spin up a new App Pool and worker process, and if that's what's fixing it, it'll make it transparent to the users.

There's not enough information about the application or app pool - and what other applications, ISAPI filters, etc. it's using - to be more accurate than that.
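As an added example (not the answerer's code), here is how the suggested workaround, a daily scheduled recycle, can be set on an IIS 6 application pool from PowerShell through the IIS 6 WMI provider (`root\MicrosoftIISv2`). The pool name `SubSiteAppPool` is an assumption; substitute the pool that serves the authenticated page. The same setting is reachable in the IIS Manager GUI under the pool's Recycling tab ("Recycle worker process at the following times") and via `adsutil.vbs`, shown in the comment.

```powershell
# Run on the IIS 6 web server as an administrator.
# Equivalent metabase edit with the stock admin script:
#   cscript %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/AppPools/SubSiteAppPool/PeriodicRestartSchedule "05:00"
$poolName    = 'SubSiteAppPool'   # assumed pool name: replace with the pool hosting the page
$recycleTime = '05:00'            # HH:mm, server local time, as the answer suggests

# IIsApplicationPoolSetting exposes the pool's metabase properties; Name is its key.
$pool = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsApplicationPoolSetting |
        Where-Object { $_.Name -eq "W3SVC/AppPools/$poolName" }
if (-not $pool) { throw "Application pool '$poolName' not found in the metabase" }

Write-Host "Current recycle schedule: $(($pool.PeriodicRestartSchedule -join ', '))"

# PeriodicRestartSchedule is a list of HH:mm strings; one entry gives one recycle per day.
$pool.PeriodicRestartSchedule = @($recycleTime)
$pool.Put() | Out-Null

# Re-read the property to confirm the change was written to the metabase.
$check = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsApplicationPoolSetting `
                       -Filter "Name='W3SVC/AppPools/$poolName'"
Write-Host "New recycle schedule:     $(($check.PeriodicRestartSchedule -join ', '))"
```

Leave the recycle in place only as long as it takes to find the real cause; once the pool recycles on a timer the log triage above stops showing the morning 401s, so keep a copy of the pre-recycle logs if you still intend to trace the fault.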