I'm trying to set up Windows authentication for a new website in IIS 7.5.
I have the Windows authentication module enabled for the site and all other authentication types(such as anonymous, Basic etc) disabled.
The App pool for the site runs under a custom identity for which the SPN and host headers have been set appropriately.
On trying to access any content(such as a text file) hosted under the site via the browser, I get a 401.2 error.
I followed this suggestion and added the useAppPoolCredentials attribute to the applicationHost.config and I'm able to access the resource using Windows auth.
I then removed the attribute and saved applicationHost.config again effectively undoing my changes and I'm still able to access the resource.What gives?
Can some one help me understand this behavior?
Also in one particular installation of IIS 7.5 on Win server 2008R2 I have noticed that any changes to the default configuration of a site (or an application) causes IIS to generate a Web.config file automatically at the root of the site/application. Is there a setting to enable this instead of having to update applicationHost.config directly?
EDIT The browser was caching the response and hence undoing the changes ans saving the file seemed to make no difference. So the only question I have now is related to generation of the Web.config
Best Answer
With regard to your second question about how to ensure that configuration changes are persisted to a site's
web.configrather thanapplicationHost.config, this can be controlled via Feature Delegation.If you navigate to the machine node of IIS Manager you will see an icon named "Feature Delegation":
Launch this IIS "applet" and you will be presented with a list of features that can have their configuration delegated to
web.config.Settings that are marked Read/Write will usually have their settings written to the
web.configfile. Settings that are marked Read Only will usually have their settings written toapplicationHost.configand cannot be overridden in theweb.configfile.As it so happens the
<windowsAuthentication>configuration can be delegated to theweb.configfile.Minor Gotcha:
Not all of the applets surface the full range of settings you can configure. A good example of this as it so happens is the
<windowsAuthentication>useAppPoolCredentialsattribute. It's no-where to be seen in the Authentication applet, not even under Advanced Settings.However you can get at this value (and pretty much everything else) via the Configuration Editor. If you navigate to your web site's node in the left hand pane in IIS manager you will see this icon under Management:
If you launch the Configuration Editor you'll be presented with a dropdown list containing a tree of various settings:
If we select the
/system.webServer/security/authentication/windowsAuthenticationnode we are presented with the full spectrum of settings that can be changed. Here we can see the setting we're interested in (useAppPoolCredentials):You can choose whether to configure the values for the website in
web.configor inapplicationHost.configfrom the From: drop down list next to the config section tree drop down:If a section has not been delegated as Read/Write in the
web.configthen you'll see the following:We get an alert saying that this particular feature is locked, all of the settings are greyed out and disabled and there's a padlock indicating that child settings of this feature are also locked out.
Finally, not all settings can be delegated, for example site bindings, application pool, virtual directories.