
IIS 8.5 Windows Authentication

6 replies

Last post Feb 13, 2019 08:14 AM by kmclean

  • IIS 8.5 Windows Authentication

    Feb 08, 2019 04:23 AM|kmclean|LINK

    Hi, I have a dotnetcore 2.2 application I am trying to deploy to IIS 8.5.
    It uses Windows Authentication.

    My IIS settings are:

    Anonymous Authentication Disabled
    Basic Authentication Disabled
    Digest Authentication Disabled
    Windows Authentication Enabled

    Application Pool
    .NET CLR Version: No Managed Code
    Managed pipeline mode: Integrated
    Identity: ApplicationPoolIdentity
    Load User Profile: true

    When I run the app I get HTTP 500 Internal Server Error

    If I use the same settings above except:
    change Application Pool Identity to: Custom Account and
    enter my Windows credentials

    it works but I need it to pick up the Windows logged in user.

    web.config file:
    <!-- Configure your application settings in appsettings.json. Learn more at http://go.microsoft.com/fwlink/?LinkId=786380 -->
    <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
    <aspNetCore processPath="dotnet" arguments=".\WebIM.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" forwardWindowsAuthToken="true">
      <environmentVariables>
        <environmentVariable name="ASPNETCORE_ENVIRONMENT" value="Development" />
      </environmentVariables>
    </aspNetCore>
    <globalization uiCulture="en-AU" culture="en-AU" />
    <authentication mode="Windows" />

    Can anyone help out here?

    Much appreciated,

  • Re: IIS 8.5 Windows Authentication

    Feb 09, 2019 03:20 PM|Madness80|LINK

    What are the error message details of the HTTP 500 Internal Server Error?

  • Re: IIS 8.5 Windows Authentication

    Feb 11, 2019 01:52 AM|kmclean|LINK


    The message is:

    The website cannot display the page

     HTTP 500

    Most likely causes:

    • The website is under maintenance.

    • The website has a programming error.

    What you can try:

    Refresh the page.

    Go back to the previous page.

    More information

    This error (HTTP 500 Internal Server Error) means that the website you are visiting had a server problem which prevented the webpage from displaying.

    For more information about HTTP errors, see Help.


  • Re: IIS 8.5 Windows Authentication

    Feb 11, 2019 03:20 PM|Madness80|LINK

    You need to tell IIS to display the details of the error. In the web.config file add the bolded lines to the appropriate sections.

            <customErrors mode="Off" />
            <httpErrors errorMode="Detailed" />

    If that doesn't work, then you will need to enable failed request tracing for 500 errors. (You might want to do this anyway!) See https://docs.microsoft.com/en-us/iis/troubleshoot/using-failed-request-tracing/troubleshooting-failed-requests-using-tracing-in-iis-85

    In that example they create an error situation for 404.2  to test with. You won't need to do that. Start at the "Enable Failed-Request Tracing" section and set it up for a 500 status code. 

  • Re: IIS 8.5 Windows Authentication

    Feb 12, 2019 08:10 AM|kmclean|LINK

    So it seems when the app runs it is actually picking up the logged in user but only if I set the ApplicationPool Identity to a Custom Account rather than just ApplicationPoolIdentity.

    This will get me over the line for the time being for testing but I still need to work out why I'm getting the 500 error when using the ApplicationPoolIdentity.  I have updated my web.config like you said and it didn't show any extra info so I'll follow the steps in the link you sent.  Thanks very much for taking the time to help : )

  • Re: IIS 8.5 Windows Authentication

    Feb 12, 2019 03:47 PM|Madness80|LINK

    Did you grant access to the IIS_IUSRS group on the file system security? https://docs.microsoft.com/en-us/iis/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis

  • Re: IIS 8.5 Windows Authentication

    Feb 13, 2019 08:14 AM|kmclean|LINK

    Hi, yes I did grant access to the IIS_IUSRS group.  On reading the document you sent the link for it looks like it's because the anonymous account needs rights on the network so I think I'll just create a service account where the password doesn't expire and set the user name and password manually.

    Thank you for all your help.
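
The two checks raised in the last replies (file-system rights for IIS_IUSRS, and which account the pool presents on the network) can be read off the server with a short read-only script. This is an added example, not code from any poster in the thread; the pool name `WebIMPool` and the folder `C:\inetpub\WebIM` are hypothetical placeholders.

```powershell
# Added example: read-only report of an app pool's identity and folder ACLs.
# $PoolName and $SitePath are hypothetical defaults; pass your own values.
param(
    [string]$PoolName = 'WebIMPool',
    [string]$SitePath = 'C:\inetpub\WebIM'
)
Import-Module WebAdministration

$pm      = (Get-Item "IIS:\AppPools\$PoolName").processModel
$machine = '{0}$' -f $env:COMPUTERNAME   # computer account name, e.g. WEB01$

# $localId: the account the worker process runs as on this server.
# $netId:   the account a remote server (file share, SQL Server) sees.
# Built-in identities have no network credentials of their own, so
# they authenticate off the box as the computer account.
switch ([string]$pm.identityType) {
    'SpecificUser'            { $localId = $pm.userName
                                $netId   = $pm.userName }
    'ApplicationPoolIdentity' { $localId = "IIS AppPool\$PoolName"
                                $netId   = $machine }
    'NetworkService'          { $localId = 'NT AUTHORITY\NETWORK SERVICE'
                                $netId   = $machine }
    'LocalSystem'             { $localId = 'NT AUTHORITY\SYSTEM'
                                $netId   = $machine }
    'LocalService'            { $localId = 'NT AUTHORITY\LOCAL SERVICE'
                                $netId   = '(anonymous)' }
}

# Explicit ACL entries on the content folder for the pool identity
# or the IIS_IUSRS group. Rights granted through other groups
# (for example BUILTIN\Users) are not listed here.
$wanted = @($localId, 'BUILTIN\IIS_IUSRS')
$rules  = (Get-Acl -Path $SitePath).Access |
    Where-Object { $wanted -contains $_.IdentityReference.Value }

"Pool '$PoolName' runs locally as : $localId"
"Remote servers see it as        : $netId"
if ($rules) {
    $rules | Format-Table IdentityReference, FileSystemRights,
                          AccessControlType, IsInherited -AutoSize
} else {
    "No explicit ACL entry for $($wanted -join ' or ') on $SitePath"
}
```

Run it from an elevated PowerShell prompt on the IIS server. If the remote identity is the computer account, granting that account only the rights the application needs on the remote resource is an alternative to a custom account with a non-expiring password.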