deployed web application returns - 401 unauthorized

Question

I deployed my web application created with visual studio 2010 to a remote server with IIS 6.0 windows 2003.

When trying to browse to the site, it returns the default heading and in the page body the error:

The Request Failed with HTTP status 401: Unauthorized

Now I am logged in as administrator and have set the permissions and directory security accordingly.

I tried checking both with and without anonymous access and on both occasions received same error.

It runs fine on my local development environment and the scope of the application is to view a report which it returns using report-viewer as the page loads.

Does anyone think this has to do with access to the report server which is a different server or local access to the site on the production / hosting server?

I use a different password for the hosting/ production server than I do for my development machine and reporting server but it should include anyone in the domain group I set.

Answer 1

This is an old question, but this error suddenly started appearing on our in-house apps yesterday, following a Microsoft Security patch.

The reason was that we had some websites running on IIS, with their App Pools set to run under the NetworkService account. Prior to yesterday, no problem, they all worked fine. But after the patch, nearly all of our users were getting "401 Unauthorized" errors.

There are three solutions to this:

• change the website to run under a "real" user's account, and make sure that that user does have permissions to read the files in that site's IIS folder. In other words, right-click on that folder, select the Security tab, and add permissions for that user.
• change the permissions on the website's folder, and make sure YOURCOMPUTERNAME\Users has permission to access this folder. Yes, this is an actual account, and we suspect the Microsoft patch actually removed these permissions.
• leave the website's App Pool set as NetworkService, but, again, make sure whichever users will be using that website do have permissions to read the files in that site's IIS folder. So, we had an Active Directory group, containing the users who'd be using this website, so we added this AD group to the folder's Security tab, and made sure they could access the files.

Again, it's odd that our websites worked beautifully prior to this patch.

And, just in case anyone else hits this issue in 2017, I also had to add one line of C# code to use "UseDefaultCredentials" in my function to call a web service. Again, prior to the Microsoft patch, this line didn't exist, and it worked fine. But after the patch, we'd get 401 errors, until I added this line.

public string CallWebService(string URL)
{
    HttpWebRequest objRequest = (HttpWebRequest)WebRequest.Create(URL);
    objRequest.Method = "GET";
    objRequest.KeepAlive = false;
    objRequest.UseDefaultCredentials = true;

    HttpWebResponse objResponse = (HttpWebResponse)objRequest.GetResponse();
    string result = "";
    using (StreamReader sr = new StreamReader(objResponse.GetResponseStream()))
    {
        result = sr.ReadToEnd();
        sr.Close();
    }
    return result;
}

Hope this helps.

Answer 2

I'm wondering if when you allow anonymous access, are you specifying a user that gets used in that case? If so, does that user have access to read/execute on the web application files? If you did not specify a user, you should have a user called "IIS_USR" defaulted (I think that's Windows Server 2003). You need to make sure that this user has access to read/write on your application directory.

Answer 3

Almost definitely an NTFS filesystem security issue, you need to add IUSR_<your machine name> and ASPNET (ASP.NET Machine user account) with read and execute rights for the folder your site/application is in.