aspnet / AspNetKatana

Microsoft's OWIN implementation, the Katana project
Apache License 2.0

Unauthorized error 401.0 for Asp.net mvc site with IIS anonymous authentication #501

Closed sivakumar715 closed 7 months ago

sivakumar715 commented 1 year ago

Currently our application uses Windows authentication and, as part of a new requirement, we are trying to integrate AAD authentication. We have added AAD authentication using OWIN middleware for the ASP.NET web application and it works fine locally (IIS Express), but we are facing an unauthorized error (401.0) after deploying the same application to an on-premises VM (IIS).


Below are the configuration changes in web.config and IIS.

Web.config: `<authentication mode="None" />`

IIS (remote server):

- Code placed on the C drive
- Enabled only anonymous authentication
- Set the anonymous user identity to "IUSR" and "Application pool identity"
    - Given folder permissions to "IUSR"

Remote server OS: Windows Server 2012 R2 Standard; IIS version 8.5


@Tratcher @loudej and team, please suggest a solution to fix this issue, as it is impacting our production release.

Tratcher commented 1 year ago

> `<authentication mode="None" />`

This doesn't look correct. https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/#configuration-sample

And why specify it in web.config if you're configuring it in IIS directly?

sivakumar715 commented 1 year ago

Thanks @Tratcher for looking. I have removed `<authentication mode="None" />` from web.config, but I am still facing the same error: "You do not have permission to view this directory or page using the credentials that you supplied."

I have the configuration below in applicationHost.config (C:\Windows\System32\inetsrv\config):

```xml
<location path="my-iis-site-name">
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="true" userName="" />
                <windowsAuthentication enabled="false" />
                <basicAuthentication enabled="false" />
            </authentication>
        </security>
    </system.webServer>
</location>
```

I have given site folder permissions to "IUSR" and "IIS APPPOOL\siteapppool-name". Please suggest: do we need to give folder permissions to any specific user?

sivakumar715 commented 1 year ago

Hi @Tratcher, on further checking the failed request trace logs, the 401 error is not due to site folder permissions. It is due to the OWIN startup not being triggered after deploying to the remote IIS server, while the same code works fine in local IIS Express.

Here is the sample trace log: IIS Error Trace Logs

Please suggest if you have come across this issue.

@kevinchalet, please look into the issue if you are aware of it too.

Tratcher commented 1 year ago

That trace is inaccessible. How would the lack of Owin startup result in a 401? What's being run instead? I'd expect a 404 instead.

sivakumar715 commented 1 year ago

Hi @Tratcher, the trace log should be accessible now.

> How would the lack of Owin startup result in a 401?

Since the OWIN library is not recognized, I did not receive the Microsoft challenge screen, which results in a 401 by default.

I have tried the same in local IIS v10 and it works fine. I suspect the .NET Framework version may be causing the issue. Below are the configurations from local and remote.

Microsoft Owin library version: 4.2.2

Local IIS: IIS version 10.0, .NET Framework version 4.8.1, OS Windows 10

Remote IIS: IIS version 8.5, .NET Framework version 4.5.1, OS Windows Server 2012 R2 Standard

Please check and clarify whether you also think the .NET Framework version causes the issue.

I have used SystemWebCookieManager in my OWIN startup file, and it seems "SystemWebCookieManager depends on the .NET 4.7.2 System.Web APIs to enable SameSite support" as per the article below. https://learn.microsoft.com/en-us/aspnet/samesite/owin-samesite#api-usage-with-samesite

OWIN startup:

```csharp
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // clientId, clientSecret, authority and redirectUri were not shown in the
    // original snippet; here they are assumed to come from <appSettings>.
    private static readonly string clientId = System.Configuration.ConfigurationManager.AppSettings["ClientId"];
    private static readonly string clientSecret = System.Configuration.ConfigurationManager.AppSettings["ClientSecret"];
    private static readonly string authority = System.Configuration.ConfigurationManager.AppSettings["Authority"];
    private static readonly string redirectUri = System.Configuration.ConfigurationManager.AppSettings["RedirectUri"];

    public void ConfigureAuth(IAppBuilder app)
    {
        // Cookie middleware holds the signed-in session; SystemWebCookieManager routes
        // cookie writes through System.Web so they are not lost or duplicated.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            CookieManager = new SystemWebCookieManager()
        });

        // OpenID Connect against AAD using the authorization code flow.
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                ClientSecret = clientSecret,
                Authority = authority,
                RedirectUri = redirectUri,
                Scope = string.Concat(OpenIdConnectScope.OpenIdProfile, " ", OpenIdConnectScope.Email),
                ResponseType = OpenIdConnectResponseType.Code,
                CookieManager = new SystemWebCookieManager(),
                RedeemCode = true,

                TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidateIssuer = true,
                    ValidIssuer = authority
                }
            }
        );
    }
}
```
AlexanderStromer commented 1 year ago

Hi all,

It might seem unrelated, but a very similar behaviour kept me busy for days (an unreasonable 401 response). The site had been working fine (302s to Microsoft's Azure AD) for years, but since 18 Apr 2023 started returning 401s. After deep digging and debugging the OWIN library itself (also adding a few more trace log entries and using my self-compiled Microsoft.Owin.dll), I managed to find that GetConfigurationAsync never yielded: https://github.com/aspnet/AspNetKatana/blob/dbe159e43e2eee44f315f26268943e8ab5a4f60d/src/Microsoft.Owin.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs#L148. The underlying issue can be logged by explicitly calling GetConfigurationAsync yourself before you call "Challenge". The underlying issue is that OWIN still contacts the Microsoft server (https://login.microsoftonline.com/) via an outdated TLS protocol (1.0 / 1.1) and not TLS 1.2+. Enforcing TLS 1.2+ through the server registry was ignored and the issue still persists.

Here is my stack overflow response for a similar question and suggested solution: https://stackoverflow.com/questions/76047299/getconfigurationasync-for-openidconnectconfiguration-returns-object-reference-no/76109379#76109379
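The following is an added example, not code from this thread or from the Katana project. It combines the OWIN startup that sivakumar715 posted above with the diagnostic AlexanderStromer describes (call `GetConfigurationAsync` yourself before any challenge so the back-channel failure is logged) and the outbound-TLS point: .NET Framework 4.5.x initialises `ServicePointManager.SecurityProtocol` to `Ssl3 | Tls`, i.e. TLS 1.0 only, so on the 4.5.1 server the metadata fetch to login.microsoftonline.com fails before any 302 to AAD is issued. The namespace `MyApp`, the placeholder tenant, client and redirect values, the `appSettings` origin of those values, and the use of a tenant-specific v2.0 authority (so that the issuer equals the authority) are all assumptions of this example.

```csharp
// Added example: OWIN startup that forces TLS 1.2 on the back channel and probes
// the OIDC metadata endpoint at startup so failures are logged instead of surfacing
// as a bare 401. Not code from the issue thread or the Katana project.
using System;
using System.Diagnostics;
using System.Net;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Host.SystemWeb;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(MyApp.Startup))]

namespace MyApp
{
    public class Startup
    {
        // Placeholder values (assumption): a real deployment reads these from <appSettings>
        // and keeps the client secret out of source control.
        private const string TenantId = "00000000-0000-0000-0000-000000000000";
        private const string ClientId = "11111111-1111-1111-1111-111111111111";
        private const string ClientSecret = "<from a secret store>";
        private const string RedirectUri = "https://app.example.com/signin-oidc";
        // Tenant-specific v2.0 authority: its issuer string is identical to the authority.
        private const string Authority = "https://login.microsoftonline.com/" + TenantId + "/v2.0";

        public void Configuration(IAppBuilder app)
        {
            // 1. Outbound TLS. On .NET Framework 4.5.x the default is Ssl3 | Tls (TLS 1.0 only).
            //    OR-ing in Tls12 enables TLS 1.2 for HttpWebRequest/HttpClient without removing
            //    anything already enabled; on 4.7+ with SchUseStrongCrypto this is a no-op.
            ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;

            // 2. Build the metadata fetcher ourselves so it can be probed here and then
            //    shared with the handler (the handler otherwise creates its own from Authority).
            var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
                Authority + "/.well-known/openid-configuration",
                new OpenIdConnectConfigurationRetriever());

            // 3. Probe now: a TLS, DNS or proxy failure lands in the trace log with the full
            //    exception instead of appearing later as an unexplained 401 on the first request.
            ProbeMetadata(configurationManager);

            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                CookieManager = new SystemWebCookieManager()
            });
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ClientId,
                ClientSecret = ClientSecret,
                Authority = Authority,
                RedirectUri = RedirectUri,
                Scope = OpenIdConnectScope.OpenIdProfile + " " + OpenIdConnectScope.Email,
                ResponseType = OpenIdConnectResponseType.Code,
                RedeemCode = true,
                CookieManager = new SystemWebCookieManager(),
                ConfigurationManager = configurationManager,
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Pin issuer and audience explicitly rather than relying on defaults.
                    ValidateIssuer = true,
                    ValidIssuer = Authority,
                    ValidAudience = ClientId
                },
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    // Make handler-side failures visible in the trace log as well.
                    AuthenticationFailed = n =>
                    {
                        Trace.TraceError("OIDC authentication failed: {0}", n.Exception);
                        return Task.FromResult(0);
                    }
                }
            });
        }

        // Returns true when the discovery document was fetched; false (after logging) otherwise.
        private static bool ProbeMetadata(IConfigurationManager<OpenIdConnectConfiguration> manager)
        {
            try
            {
                // Blocking here is safe: OWIN startup runs without a request synchronization context.
                var config = manager.GetConfigurationAsync(CancellationToken.None).GetAwaiter().GetResult();
                Trace.TraceInformation("OIDC metadata loaded; issuer={0}; SecurityProtocol={1}",
                    config.Issuer, ServicePointManager.SecurityProtocol);
                return true;
            }
            catch (Exception ex)
            {
                Trace.TraceError("OIDC metadata fetch failed (check outbound TLS version, proxy, DNS): {0}", ex);
                return false;
            }
        }
    }
}
```

The probe deliberately logs and continues rather than throwing, so a transient outage of the identity provider does not take the whole site down; the handler will retry the fetch on the first challenge. If the trace shows `SecurityProtocol=Ssl3, Tls` on a server that returns 401s, the TLS default is the cause, and the lasting fix is to update the Framework (as Tratcher notes, 4.5.1 is out of support) and set the `SchUseStrongCrypto`/`SystemDefaultTlsVersions` registry values, keeping the `Tls12` line only as a guard for older runtimes.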

Tratcher commented 1 year ago

Are you able to use remote debugging on the IIS server?

You may need to update your .NET version on the server for this to work correctly. 4.5.1 has been out of support for a while now.

AlexanderStromer commented 1 year ago

Hi @Tratcher,

Thank you for your time.

My setup is different from the person who opened the case. I am running a rather complex ASP.NET WebForms app (only a little MVC; the scenario is part of a WebForms flow) with .NET Framework 4.8.

As for debugging, I am attaching VS to the IIS process (debugging the IIS process itself) and I am able to hook into the callbacks in my application. I can step deeper after (!) the callback. L148 happens before a callback, so I am not able to inspect the issue there. I have not gone through the trouble of adding OWIN to my app as a project and debugging that (which would let me put breakpoints anywhere). I just compiled my own OWIN library with additional tracing logs and noticed that no trace log is happening after L148 of the code above.

hth