Windows – Pass-through Windows authentication on a .NET app – is read access required for the website folder?


I am trying to get pass-through Windows authentication working for a .NET app.

It is running in classic mode on IIS7, and under the Authentication settings in IIS I have Windows Authentication enabled and everything else disabled (including Anonymous Authentication).

To get started, in the web.config I simply have:

<authentication mode="Windows" />
<authorization>
    <allow users="*" />
</authorization>

As I understand it, this means that the website process should be running as the app pool's identity. Users log on using their Windows identity.

What I am finding though is that only users with read access to the website folder are allowed to access the website. Why is this? I thought that because the process is using the app pool's identity it should not matter what credentials the user has.

Am I doing something wrong or misunderstanding something?

Best Answer

Any code running in the application pool will run using that identity and not the authenticated user's, but the IIS server will use the passed-through authentication to verify that the user actually has access to the files served from the directory and to set ownership on new files created by that user.

Any back-end database access through e.g. .NET code would happen under the app pool though.
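One way to see which identities the NTFS ACL on the site folder actually lets in, and to grant only read access to the intended group, as an added PowerShell example that is not part of the question or the answer; the folder path and the group name 'DOMAIN\Web Users' are assumptions:

```powershell
# Added example, not from the question or answer above.
# Lists every ACL entry on the site's physical folder that covers Read, so you can
# check whether the authenticated users (or a group they belong to) are allowed or
# denied. The folder path is an assumption.
function Get-SiteFolderReadAccess {
    param(
        [Parameter(Mandatory)] [string] $Path   # e.g. 'C:\inetpub\wwwroot\MyApp' (assumed)
    )
    # Reading a static file needs at least ReadData; ReadAttributes shows up in
    # the same "Read" right set, so include both in the mask.
    $readMask = [System.Security.AccessControl.FileSystemRights]::ReadData -bor
                [System.Security.AccessControl.FileSystemRights]::ReadAttributes

    (Get-Acl -Path $Path).Access |
        Where-Object { ($_.FileSystemRights -band $readMask) -ne 0 } |
        Select-Object @{ Name = 'Identity'; Expression = { $_.IdentityReference.Value } },
                      AccessControlType,     # Allow or Deny (Deny wins over Allow)
                      FileSystemRights,
                      IsInherited
}

# Report the Read-relevant entries for the assumed site folder.
Get-SiteFolderReadAccess -Path 'C:\inetpub\wwwroot\MyApp' | Format-Table -AutoSize

# Least-privilege fix: grant Read & Execute only (no Write or Modify) to the group of
# users who should reach the site. (OI)(CI) makes the entry inherit to files and
# subfolders. 'DOMAIN\Web Users' is an assumed group name.
icacls 'C:\inetpub\wwwroot\MyApp' /grant 'DOMAIN\Web Users:(OI)(CI)RX'
```

The report shows group names, not individual users, so a user who is rejected may simply not be a member of any listed group; run the script from an elevated prompt so Get-Acl can read the security descriptor.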