Last post Apr 03, 2013 09:06 AM by JimS-Indy
Mar 26, 2013 11:44 AM|JimS-Indy|LINK
I've deployed (Using VS2010 publish) my new website to a LAN server over which I have admin control. I am able to access the site, and everything works fine until I ask a user to access the site.
They get an HTTP:400 error...
Users (in the same AD group as me and the server...) are served the default IIS page when they simply go to
http://Servername/. The site's address is
http://Servername/Timesheets. That's the address I use when I test it after publishing it. I've tried a dozen things (well, it seems like a dozen):
Here's my relevant Web.config entries:
<compilation debug="true" targetFramework="4.0">
And the "log" I found (though I think it's ASP.NET that's rejecting the access...
#Software: Microsoft Internet Information Services 7.0
#Date: 2013-03-26 13:54:33
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-03-26 13:54:33 10.110.31.80 GET /Timesheets/default.aspx - 80 - 10.110.10.88 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+MTI;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET+CLR+1.1.4322;+.NET4.0C;+.NET4.0E;+InfoPath.2;+MS-RTC+LM+8;+MTI) 401 2 5 12785
2013-03-26 14:03:13 10.110.31.80 GET /Timesheets/default.aspx - 80 - 10.110.10.88 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+MTI;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET+CLR+1.1.4322;+.NET4.0C;+.NET4.0E;+InfoPath.2;+MS-RTC+LM+8;+MTI) 401 2 5 676
Can anyone help diagnose this issue?
Mar 26, 2013 03:01 PM|JimS-Indy|LINK
OK, I removed all the references to window authentication from my web.config file and now my users get to the site, and are immediately rejected by my code. I need to understand why they are anonymous and I (and some others) are not.... Is that a browser
setting or an AD setting? Anyone?
Apr 03, 2013 05:06 AM|Angie xu - MSFT|LINK
I need to understand why they are anonymous and I (and some others) are not...
In default situation, un-authorized users are anonymous, you could learn more about this from asp.net authorization below,
ASP.NET Authorization(http://msdn.microsoft.com/en-us/library/wce3kxhd%28v=vs.100%29.aspx )
Setting authorization rules for
a particular page or folder in web.config
With kind regards
Apr 03, 2013 05:16 AM|necro_mancer|LINK
To better test your site, I certainly hope you can try to deploy it to a non-AD server first and check whether it works or not. Usually, if you use VS2010 to deploy it, it will work instantly. You do not need to set any authorization as the default, anonymous
user should be able to access your site.
If you can get this to work, this will narrow down the issue with your AD server. Probably, there is some security settings that you need to set in order to get your site to work
Hope this helps! :)
Apr 03, 2013 09:06 AM|JimS-Indy|LINK
Thank you both for your contributions. The IT guy at my client site did some research (and since he has multiple AD accounts available to him and I don't...) and was able to track down the problem. I don't have the kb article link at the moment, but basically,
there's an HTTP setting that limits the largest HTTP authentication token the server can handle. That has been set since 2003, and the default hasn't changed. At my client site, they are crazy about assigning folks to groups, basically allowing users to create
their own, so a given user (not me, apparently...) can be a member of many, many groups. When this number grows too large, the HTTP authentication token provided by IE is too large for the server to handle, so the server discards it and passes anonymous authentication
to IIS. The reason it happened to some and not others is the count of AD groups in which a given user is a member.
Not very intuitive, but not the problem is solved. Thank you for your contributions.