2

I have an intranet site deployed to IIS in Windows Server 2008r2.

I would like to use AD authentication. Currently, the site is only running on my development VM which is NOT joined to a domain.

Within InetMgr I have set "Anonymous Authentication" to "Disabled" and "Windows Authentication" to "Enabled" at both the "Default Web Site" level and the application into which my website is deployed. Enabled Providers are set as Negotiate and NTLM.

I have configured the site to run in an application pool, which I have set to run under the local account "scv.BizTalk". This account has full access to the local folder that contains the website.

On browsing to the site, I am challenged for credentials and then receive a 401.2 error.

In the event log I see the following:

Event code: 4007
Event message: URL authorization failed for the request.
Event time: 18/12/2015 14:58:42
Event time (UTC): 18/12/2015 14:58:42
Event ID: fdcfe3ec19ef498ca0c0d66ffca3e961
Event sequence: 2
Event occurrence: 1
Event detail code: 0

Application information:
    Application domain: /LM/W3SVC/1/ROOT/EsbPortal-1-130949242820806218
    Trust level: Full
    Application Virtual Path: /EsbPortal
    Application Path: C:\BizTalkersTFS\TVS\TVS.ESB.BamPortal\TVS.ESB.BamPortal.Website\
    Machine name: TVS-QAN0CEQNRJC

Process information:
    Process ID: 15256
    Process name: w3wp.exe
    Account name: TVS-QAN0CEQNRJC\svc.biztalk

Request information:
    Request URL: http://localhost/EsbPortal
    Request path: /EsbPortal
    User host address: ::1
    User: TVS-QAN0CEQNRJC\Administrator
    Is authenticated: True
    Authentication Type: Negotiate
    Thread account name: TVS-QAN0CEQNRJC\svc.biztalk

Custom event details:

In the IIS log I see the following:

2015-12-18 14:58:03 ::1 GET /EsbPortal - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/47.0.2526.106+Safari/537.36 401 0 0 2045
2015-12-18 14:58:42 ::1 GET /EsbPortal - 80 TVS-QAN0CEQNRJC\Administrator ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/47.0.2526.106+Safari/537.36 401 0 0 16
2015-12-18 15:02:28 ::1 GET /favicon.ico - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/47.0.2526.106+Safari/537.36 404 0 2 214
2015-12-18 15:02:29 ::1 GET /EsbPortal - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/47.0.2526.106+Safari/537.36 401 0 0 408

Could anyone please advise what I've missed in my configuration? Perhaps the fact that my dev VM is not joined to a domain is causing the problem but I don't think this should be the case. I think the client should be able to authenticate using a local account?

1
  • Have you tried joining the server to the domain? That's a requirement for windows authentication. Otherwise you need a lot of custom work which I wouldn't recommend. Commented Jul 16, 2022 at 13:36

1 Answer

0

From this doc, you are right: it shouldn't matter that you are not on the domain.

https://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication

The element defines configuration settings for the Internet Information Services (IIS) 7 Windows authentication module. You can use Windows authentication when your IIS 7 server runs on a corporate network that is using Microsoft Active Directory service domain identities or other Windows accounts to identify users. Because of this, you can use Windows authentication whether or not your server is a member of an Active Directory domain.

Did you assign the local administrator, or whichever account you are trying to connect with, to the permissions for the site(s)? In IIS, select the site -> Authorization Rules. Specify who and what type of access.

2
  • Yes, I assigned authorization rules at the application level. Commented Dec 21, 2015 at 10:33
  • Found this on Windows Authentication - "Use Windows authentication only in an intranet environment. This authentication enables you to use authentication on your Windows domain to authenticate client connections" technet.microsoft.com/library/hh831496.aspx#Windows Sounds to me actually like you should be using Basic Authentication - technet.microsoft.com/library/hh831496.aspx#Basic Commented Dec 21, 2015 at 18:36
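A way to read the IIS log in the question, as an added example that is not part of the original thread: it separates 401 responses with no logged identity (the credential challenge) from 401 responses where IIS logged a user name, which is the case the 4007 "URL authorization failed" event describes. The field order is assumed to be the IIS default, and the sample lines are constructed from the question's entries with the user agent shortened.

```python
# Default IIS W3C field order (assumption: it matches the log lines in the
# question, which are shown without their "#Fields:" header).
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) sc-status sc-substatus "
                  "sc-win32-status time-taken").split()

# Constructed sample: the question's entries with the user agent shortened.
SAMPLE = r"""
2015-12-18 14:58:03 ::1 GET /EsbPortal - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64) 401 0 0 2045
2015-12-18 14:58:42 ::1 GET /EsbPortal - 80 TVS-QAN0CEQNRJC\Administrator ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64) 401 0 0 16
2015-12-18 15:02:28 ::1 GET /favicon.ico - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64) 404 0 2 214
2015-12-18 15:02:29 ::1 GET /EsbPortal - 80 - ::1 Mozilla/5.0+(Windows+NT+6.1;+WOW64) 401 0 0 408
""".strip()

def parse(text):
    """Yield one dict per request line, honouring a #Fields: header if present."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def classify(row):
    """Separate the anonymous challenge from a refusal after authentication."""
    if row["sc-status"] != "401":
        return None
    if row["cs-username"] == "-":
        # No identity logged: first leg of Negotiate/NTLM, or rejected credentials.
        return "challenge"
    # Identity logged but still 401: authentication worked, access was refused.
    return "denied-after-auth"

def triage(text):
    """Return (time, user, uri, verdict) for every 401 in the log text."""
    out = []
    for row in parse(text):
        verdict = classify(row)
        if verdict:
            out.append((row["time"], row["cs-username"], row["cs-uri-stem"], verdict))
    return out

if __name__ == "__main__":
    for item in triage(SAMPLE):
        print(*item)
```

A "denied-after-auth" row points at authorization (URL authorization rules or file ACLs for the logged user) rather than at the authentication providers.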
