IIS unexpectedly authenticates App Pool user with AuthenticationType = Negotiate

Question

I have a WebAPI application that expects to use Forms authenticaiton, or my own custom Basic or Digest authentication. It works fine on most servers. But on a few servers it does not work.

I have found that when the authentication fails it is because IIS has authenticated the App Pool user. Thread.CurrentPrincipal.Identity.AuthenticationType = "Negotiate". AFAIK this is windows authentication. However windows authentication has been disabled for the site in question, and I even went so far as uninstalling the windows authentication feature on the server and still experienced the same problem.

I have found that setting runAllManagedModulesForAllRequests to true will resolve this problem, though it is not a desirable work around as it adds overhead to all requests even those that run through the static handler.

If anyone can tell me why this is happening, or how to debug the authentication process on IIS it would be very helpful.

Edit: IIS7/7.5 Integrated Pipeline if it makes a difference

Answer 1

While experiencing the similar issue, here is my observation and suggestion.

The issue could be related to the Anonymous user account which is used as Anonymous user identity. The default setting could be the problem. Please, read here more details:

• IIS documentation
• IIS tips

Summary:

Using IIS 7.0 UI, go to Authentication page and select Anonymous Authentication. Then on the right click Edit and select the user to be used for this. If this (newly selected) user has access to all static files, all should start working. Selecting App Pool Identity will grant the access rights specified for current pool user account.

The default value is IUSR, which is more detailed described here:

Missing IUSR account on Windows Server 2008 R2 / IIS7.5