
ASP.Net Web Forms App does not authenticate on server with Windows Authentication - fails impersonate


I am running an ASP.NET (VB) 4.6.1 Web Forms application. I am using Windows Authentication ( <authentication mode="Windows" /> ).
The scenario is to allow any authenticated Windows user to the landing page. Any user in the “Check Admins” active directory security group should get access to any of the pages in the Admin sub-folder.

The root web.config has:

<authorization>
  <deny users="?" />
</authorization>

The Admin web.config has:

<authorization>
  <allow roles="domain\Check Admins" />
  <deny users="*" />
</authorization>

On the landing page, I enumerate through all the roles the user has with:

test &= "<br/><h3>You have the following roles:</h3>"
For Each r In Roles.GetRolesForUser()
    test &= r & "<br/>"
Next

I’ve gone through several settings and web.config changes (most outlined below). I can get it to work as expected on my dev PC but cannot get it to work when deployed to the test server running Windows 2008 R2 and IIS 7.5. I can get the site to come up sometimes, but only if I go to http://localhost. It doesn’t come up when I use the fully qualified name: http:// test.mysite.net

Here are the changes & settings I’ve tried:

When running without impersonation:

Dev Machine:

  • User.Identity.Name: domain\me
  • Principal.WindowsIdentity.GetCurrent.Name: domain\me
  • Landing page: Runs
  • Admin page: Runs
  • Enumerated roles: All for me except admin roles

All works as expected.

When deployed to the server with IIS settings (screenshot not reproduced):

IIS 7.5 Server (http://localhost):

  • User.Identity.Name: domain\me
  • Principal.WindowsIdentity.GetCurrent.Name: IIS APPPOOL\Test.mysite.net
  • Landing page: Runs
  • Admin page: Runs
  • Enumerated roles: Shows roles (presumably) for IIS APPPOOL\Test.mysite.net

IIS 7.5 Server (FQDN: http:// Test.mysite.net): Never-ending security challenge

Changing IIS settings on the server (screenshot not reproduced):

Both server sites return HTTP Error 500.24 - Internal Server Error An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode.

Adding <identity impersonate="true"/> on dev machine:

HTTP Error 500.24 - Internal Server Error An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode.

Most likely causes: • system.web/identity@impersonate is set to true.

Adding

  <system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
  </system.webServer>

with the impersonate above gives:

Dev Machine: (Same as first run)

  • User.Identity.Name: domain\me
  • Principal.WindowsIdentity.GetCurrent.Name: domain\me
  • Landing page: Runs
  • Admin page: Runs
  • Enumerated roles: All for me except admin roles

IIS 7.5 Server (localhost):

  • User.Identity.Name: domain\me
  • Principal.WindowsIdentity.GetCurrent.Name: domain\me
  • Landing page: Runs
  • Admin page: Never-ending security challenge
  • Enumerated roles: Shows roles (presumably) for IIS APPPOOL\Test.mysite.net

IIS 7.5 Server (FQDN: http:// Test.mysite.net): Never-ending security challenge

I’ve spent several hours combing through the posts here and elsewhere on Google. I don’t know if this is a .Net 4.5+ thing or if I just missed something. How can I get it to properly read the roles and authenticate to the folders?

And why when I try to get to the page using the full URL does it completely fail authentication?
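The question's own numbers show two different identities in play: User.Identity.Name is the authenticated request user, while WindowsIdentity.GetCurrent() is the thread identity, which is the app pool account unless impersonation is on. The following VB.NET page is an added diagnostic example, not the asker's code, that prints both identities side by side, checks group membership against the request principal, and lists the groups on the request token next to whatever the configured RoleProvider returns, so you can see at a glance which identity the enumerated roles actually belong to. It assumes a Web Forms page with a Literal control named diag and uses the question's group name "domain\Check Admins" as a placeholder.

```vb
' Added diagnostic page (example code, not from the original question).
' Assumes Windows authentication and a Literal control named "diag".
Imports System.Security.Principal
Imports System.Web.Security

Partial Class Diag
    Inherits System.Web.UI.Page

    ' Placeholder group name taken from the question; substitute the real AD group.
    Private Const AdminGroup As String = "domain\Check Admins"

    Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
        Dim sb As New System.Text.StringBuilder()

        ' 1. Identity of the authenticated request (set by Windows authentication).
        Dim reqId As IIdentity = User.Identity
        sb.AppendFormat("Request identity: {0} (type={1}, authenticated={2})<br/>",
                        Server.HtmlEncode(reqId.Name), reqId.AuthenticationType, reqId.IsAuthenticated)

        ' 2. Identity the worker thread is running as. Without
        '    <identity impersonate="true"/> this is the app pool account.
        Dim threadId As WindowsIdentity = WindowsIdentity.GetCurrent()
        sb.AppendFormat("Thread identity: {0} (impersonation={1})<br/>",
                        Server.HtmlEncode(threadId.Name), threadId.ImpersonationLevel)

        ' 3. Group check against the request principal. This consults the
        '    request token, not the app pool token, so it answers the
        '    question "is the signed-in user in the admin group?" directly.
        sb.AppendFormat("User.IsInRole(""{0}""): {1}<br/>", AdminGroup, User.IsInRole(AdminGroup))

        ' 4. Groups carried on the request token, translated to domain\name form.
        '    Translation asks the domain, so a failure here points at the
        '    domain controller rather than at IIS.
        Dim winId As WindowsIdentity = TryCast(reqId, WindowsIdentity)
        If winId IsNot Nothing Then
            sb.Append("<h3>Groups on the request token:</h3>")
            For Each g As IdentityReference In winId.Groups
                Try
                    sb.Append(Server.HtmlEncode(g.Translate(GetType(NTAccount)).Value)).Append("<br/>")
                Catch ex As IdentityNotMappedException
                    ' Show the raw SID when the name cannot be resolved.
                    sb.Append(Server.HtmlEncode(g.Value)).Append(" (unresolved)<br/>")
                End Try
            Next
        End If

        ' 5. Roles as reported by the configured RoleProvider, for comparison
        '    with the request-token groups above.
        sb.Append("<h3>Roles.GetRolesForUser():</h3>")
        For Each r As String In Roles.GetRolesForUser()
            sb.Append(Server.HtmlEncode(r)).Append("<br/>")
        Next

        diag.Text = sb.ToString()
    End Sub
End Class
```

If the request identity shows the signed-in user but the list under "Groups on the request token" is empty or unresolved while the thread identity's groups resolve fine, the request token is not being populated by the domain, which is where to look before touching impersonation settings. Output is HTML-encoded so that account and group names cannot inject markup into the page.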


Solution

  • For 90% of this, it turns out the Active Directory server had an expired certificate, so it refused to authenticate requests from the web server. Strangely, it did authenticate all the users signing in to the Windows accounts on the PCs. I'm posting this in case anyone else comes across a similar problem. Though, I still can't figure out why on the server itself, navigating to the full URL still does not authenticate, but going to localhost works just fine.