Basic Authentication with ASP.Net Web Services on IIS7.5 in Classic Mode

Question

I have implemented web service with Basic Authentication with .Net 4. To implement basic authentication I have implemented HttpModule. When I call my web service via Internet Explorer, it prompts for Username password, I enter valid username/password and it works perfectly fine.

However when I deploy me web service on Dev Environment and call my service in internet explorer. That gives me user prompt; I enter valid username/password but it keeps prompting me username/password, eventually after three tries I get Error message 401.2 - access is denied.

My Authentication settings are:

 Anonymous Access Enabled
 Basic Authentication Disabled
 Windows Authentication Disabled

In my HttpModule every time User is authenticated, I log if authentication was successful. And I can see in log file, all three times authentication was successful. But it still error out. :(

By the way If I run web services in Integrated mode, it works fine. Unfortunately my requirement is to run web services in Classic mode.

Environment Details: OS: Windows Server 2008 R2, IIS: 7.5 Classic mode

I am stuck with this from last 4 days. Please help!

Answer 1

I'm guessing that you have identity impersonation turned on and anonymous turned on which is causing your ASP.Net application to execute as the "IUSER_" account. The "IUSER_" account does not have access to a specific resource you are trying to access (could be API call, file, bla, bla).

If you do have identity impersonation turned off and you have anonymous turned on then your ASP.Net code should be running as the application pool account. Which means that account does not have access to a specific resource you are trying to access (bla, bla, bla).

Here is an old skool MSDN article that discusses IIS and ASP.Net security. Like I mentioned it is old, but the concepts still ring true.

Answer 2

Call me crazy, but wouldn't you have to have Basic Authentication Enabled to be authenticating anyone successfully?