While I was preparing a dummy website for my lab, I encountered an HTTP Error 401.3 - Unauthorized error. For some reason, I’ve never set up an IIS website from scratch; the only work I’ve done related to them is to troubleshoot up-and-running sites.


I’ve been using a bunch of tools from SysInternals for a while now (mainly Process Explorer, Process Monitor and TCPView); few tools are as useful as these when there’s a need to troubleshoot something in Windows (talking specifically about third-party software). I believe I once faced this issue when I was an intern, and a senior engineer helped me solve it. The thing is that the procedure the engineer followed was to add “likely” Windows/IIS accounts that could’ve been the root cause of this issue; I remember this trial-and-error procedure took a bit of time.

Today, when I saw this issue, I thought: some IIS process must not be able to access the folder of my website. Process Monitor would be an excellent option to use here, as it tracks all the system activities that happen. So let’s get hands-on…

The procedure I follow is:

  1. Open Procmon and let it run for a few seconds
  2. Eliminate process names that - by my criteria - are only noise. In my case, these are the processes that I added an exception for.


  3. Start the capture again and then reproduce the issue.
  4. Look for indicators that could tell the root cause of the issue. If needed, repeat step 2.

From the book “Troubleshooting with the Windows Sysinternals Tools.pdf”, I know that I should be looking for an ACCESS DENIED value in the Result column.


When applying the filter, we can state with confidence that the root cause of this issue is:

image

Reading the third entry, there’s what seems to be a built-in account, NT AUTHORITY\IUSR, that the process w3wp.exe is using while attempting to read the contents of the folder C:\Users\Administrator\Documents\website.


Investigating this account, this MS article states the following:

This built-in account does not need a password and will be the default identity that is used when anonymous authentication is enabled.

In my case, this makes sense as I do have anonymousAuthentication set as true.


All this information that we have reviewed indicates that we need to give NT AUTHORITY\IUSR read permission on the folder C:\Users\Administrator\Documents\website. Once that’s done, we are now able to access

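The post does not show how the permission was granted, so here is one way to do it from an elevated PowerShell prompt, as an added example rather than the author's own steps. It assumes the folder path and account named above, grants Read only (no write or modify), and scopes the entry to the website folder and its children instead of a parent directory.

```powershell
# Added example: the path and account come from the post; the rest is illustrative.
$sitePath = 'C:\Users\Administrator\Documents\website'
$needed   = [System.Security.AccessControl.FileSystemRights]::Read

# Resolve the account name to its SID so the comparison does not depend on display names.
$account = New-Object System.Security.Principal.NTAccount('NT AUTHORITY\IUSR')
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

$acl   = Get-Acl -Path $sitePath
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

# Entries that name IUSR directly (explicit or inherited). Access granted through
# a group that IUSR belongs to is not evaluated here.
$iusrRules = @($rules | Where-Object { $_.IdentityReference.Value -eq $sid.Value })

# An explicit Deny wins over any Allow, so surface it instead of adding another entry.
$deny = @($iusrRules | Where-Object { $_.AccessControlType -eq 'Deny' })
if ($deny.Count -gt 0) {
    Write-Warning "A Deny entry for IUSR exists on $sitePath; review it before granting access."
    $deny | Format-Table FileSystemRights, IsInherited -AutoSize
    return
}

$allow = @($iusrRules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $needed) -eq $needed)
})

if ($allow.Count -gt 0) {
    Write-Host "IUSR already has Read on $sitePath; nothing to change."
} else {
    # Read only, inherited by subfolders and files so the whole site content is covered.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $needed, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $sitePath -AclObject $acl
    Write-Host "Granted Read to NT AUTHORITY\IUSR on $sitePath."
}

# Show what IUSR ends up with, to compare against the next Procmon capture.
(Get-Acl -Path $sitePath).Access |
    Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\IUSR' } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

After running it, repeating the Procmon capture with the ACCESS DENIED filter should show no further entries for w3wp.exe on this folder.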