locked
Users can't access my new ASP.Net site RRS feed

  • Question

  • User-1331061962 posted

    I've deployed (Using VS2010 publish) my new website to a LAN server over which I have admin control. I am able to access the site, and everything works fine until I ask a user to access the site. They get an HTTP:400 error...

    Users (in the same AD group as me and the server...) are served the default IIS page when they simply go to http://Servername/. The site's address is http://Servername/Timesheets. That's the address I use when I test it after publishing it. I've tried a dozen things (well, it seems like a dozen):

    • Tried http://Servername/Timesheets/default.aspx -- no joy (works for me...)
    • Tried making a user an admin on the server! -- no joy
    • Tried both "debug" and "Release" when publishing. -- no joy
    • Tried removing <deny users="?"/> from Web.config -- no joy
    • Tried to find log evidence -- found some logs, but can't decipher them -- no joy

    Here's my relevant Web.config entries:

        <authentication mode="Windows"/>
        <authorization>
          <deny users="?"/>
          <allow users="*"/>
        </authorization>
        <compilation debug="true" targetFramework="4.0">

    And the "log" I found (though I think it's ASP.NET that's rejecting the access...

    #Software: Microsoft Internet Information Services 7.0
    #Version: 1.0
    #Date: 2013-03-26 13:54:33
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
    2013-03-26 13:54:33 10.110.31.80 GET /Timesheets/default.aspx - 80 - 10.110.10.88 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+MTI;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET+CLR+1.1.4322;+.NET4.0C;+.NET4.0E;+InfoPath.2;+MS-RTC+LM+8;+MTI) 401 2 5 12785
    2013-03-26 14:03:13 10.110.31.80 GET /Timesheets/default.aspx - 80 - 10.110.10.88 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+MTI;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+.NET+CLR+1.1.4322;+.NET4.0C;+.NET4.0E;+InfoPath.2;+MS-RTC+LM+8;+MTI) 401 2 5 676
    

    Can anyone help diagnose this issue?

     

     

    Other ideas?

    Tuesday, March 26, 2013 11:44 AM

Answers

  • User-1331061962 posted

    Thank you both for your contributions. The IT guy at my client site did some research (and since he has multiple AD accounts available to him and I don't...) and was able to track down the problem. I don't have the kb article link at the moment, but basically, there's an HTTP setting that limits the largest HTTP authentication token the server can handle. That has been set since 2003, and the default hasn't changed. At my client site, they are crazy about assigning folks to groups, basically allowing users to create their own, so a given user (not me, apparently...) can be a member of many, many groups. When this number grows too large, the HTTP authentication token provided by IE is too large for the server to handle, so the server discards it and passes anonymous authentication to IIS. The reason it happened to some and not others is the count of AD groups in which a given user is a member. 

    Not very intuitive, but not the problem is solved. Thank you for your contributions.

    Jim

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, April 3, 2013 9:06 AM

All replies

  • User-1331061962 posted

    OK, I removed all the references to window authentication from my web.config file and now my users get to the site, and are immediately rejected by my code. I need to understand why they are anonymous and I (and some others) are not.... Is that a browser setting or an AD setting? Anyone?

    Tuesday, March 26, 2013 3:01 PM
  • User-166373564 posted

    Hi,

    I need to understand why they are anonymous and I (and some others) are not...

    In default situation, un-authorized users are  anonymous,  you could learn more about this from asp.net authorization below,

    ASP.NET Authorization(http://msdn.microsoft.com/en-us/library/wce3kxhd%28v=vs.100%29.aspx )

    Setting authorization rules for a particular page or folder in web.config

    With kind regards

    Wednesday, April 3, 2013 5:06 AM
  • User1196771204 posted

    Hi Jim,

    To better test your site, I certainly hope you can try to deploy it to a non-AD server first and check whether it works or not. Usually, if you use VS2010 to deploy it, it will work instantly. You do not need to set any authorization as the default, anonymous user should be able to access your site.

    If you can get this to work, this will narrow down the issue with your AD server. Probably, there is some security settings that you need to set in order to get your site to work

    Hope this helps! :)

    Wednesday, April 3, 2013 5:16 AM
  • User-1331061962 posted

    Thank you both for your contributions. The IT guy at my client site did some research (and since he has multiple AD accounts available to him and I don't...) and was able to track down the problem. I don't have the kb article link at the moment, but basically, there's an HTTP setting that limits the largest HTTP authentication token the server can handle. That has been set since 2003, and the default hasn't changed. At my client site, they are crazy about assigning folks to groups, basically allowing users to create their own, so a given user (not me, apparently...) can be a member of many, many groups. When this number grows too large, the HTTP authentication token provided by IE is too large for the server to handle, so the server discards it and passes anonymous authentication to IIS. The reason it happened to some and not others is the count of AD groups in which a given user is a member. 

    Not very intuitive, but not the problem is solved. Thank you for your contributions.

    Jim

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, April 3, 2013 9:06 AM