BAD IMPERSONATION in IIS Express with Basic Auth for all static requests

2

We are attempting to use Basic Authentication in a project, which generally works fine in our integration and QA environment or even running locally with IIS 7.5. But running locally in IIS Express we get some very strange issues -- any static requests result in cryptic HTTP 500 errors telling us that there was an error accessing that resource, perhaps for a number of permissions related reasons, with an error code of 0x80070542. At the same time, anything rendered in ASP.NET comes out perfect.

Cursory searches indicate that the issue typically stems from IIS' account not being able to access these resources. This was run down and IUSERs definitely can access the resources -- in fact, the exact same folder works perfectly in IIS 7.5; only IIS Express barfs. And only when we enable basic authentication -- if we enable windows authentication all requests pass perfectly.

We finally tried running sysinternals procmon in an effort to figure out if we were looking at the correct user and if it was something else that was failing and we found that things were failing with a result of BAD IMPERSONATION. But trying to figure out who is impersonating what has been fruitless. From what we can tell, the IUSER / NETWORK SERVICE / default accounts do have appropriate levels of access, given things work with IIS in production mode and any sort of access test passes. The accounts running IIS express are all local admins and should have access to impersonation. Manually adding that right in local security policy has made no difference. I just can't see a way to fix this short of explicitly defining an impersonation user which I really shouldn't need to do.

So, is there a correct way to make IIS Express work with basic auth and static requests?

asp.net-mvc
impersonation
iis-express
windows-security
asked on Stack Overflow Feb 6, 2012 by Wyatt Barnett • edited Feb 6, 2012 by Wyatt Barnett

2 Answers

0

IIS Express runs as current logged on user and does not do impersonation. Probably just for testing, could you try adding current logged on user account to IIS IUser group and see if that does any trick.

answered on Stack Overflow Feb 7, 2012 by vikomall
0

I finally got updated on good authority that something deep within basic auth is/was broken in IIS Express 8 and this was a known bug that would not be addressed in that version but might be addressed in a future version.

We've already got development configs so we are just using windows auth for local development since that doesn't change anything for our apps and we've already got independent development configurations but that might not work in all cases.

answered on Stack Overflow Oct 21, 2015 by Wyatt Barnett

User contributions licensed under CC BY-SA 3.0