I have an ASP.NET MVC 3 application running on both my local dev box (Win7) and staging server (W2k8r2). The application operates fine in both environments until ASP.NET Windows authorization security is enabled.
After securing the web-app, it continues operates correctly on the staging server but generates 401.2 access denied’s on my local dev box. The only significant difference I can see is on local dev box, I’m using Cassini via Visual Studio whereas the server is IIS7.5.
Windows authorization + impersonation is being used. What could cause Cassini to generate these 401.2 access denied?
Web.config is:
<system.web>
<authentication mode="Windows" />
<identity impersonate="true" />
<!-- replication of system.webServer security settings for cassini which doesn't process them... -->
<authorization>
<allow roles=".\Test Application - Users" />
<deny users="*" />
</authorization>
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="true" />
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" users="" roles="Test Application - Users" />
</authorization>
</security>
FYI Relevant users are in the ‘Test Application – Users’ Windows security group on each system.
Solution
The underlying issue on the dev box turned out to be that:
- Cassini doesn’t support identity impersonation and
- Whilst the user had been added to relevant NT groups, they had not logged off/on and thus the group SID’s associated with their Windows token had not been refreshed
If impersonation had been supported by Cassini I doubt this would have been an issue because a new token would have been established within the impersonation context. Thanks to @x0n for pointing in the right direction.
i’m not entirely sure, but I don’t think cassini can impersonate (iis express can, however.)