Access denied for .NET Core and IIS Intermittent 403

Alright Stack Overflow, after much fruitless research, I ended up here!

I am trying to get a .NET Core 2.0 site hosted from IIS with Windows and SSL authentication, and no matter what I try, I keep getting inconsistent / intermittent 403 Access Denied errors.

If something was wrong, I would expect it to never work. However, it works maybe ~3/10 times if I restart the site and application pool. There is nothing useful that I can find in event logs, application logs, or IIS trace logs.

Things I did in a specific order:

  • The application pool runs as a gMSA account with rights to my database (prod.service$)
  • Logged in as a service and registered as a batch account for the gMSA.
  • Granted IIS_IUSRS, prod.service$ and Domain Users permissions on the root folder. Currently Full Control, out of desperation.
  • Granted IIS_IUSRS, prod.service$, and Domain Users permissions for the certificate.
  • Windows Authentication enabled, Anonymous Authentication disabled
  • Set the default document pointing to the first page.
  • Set the application pool to Load User Profile
  • Set .NET CLR Version to "No Managed Code"
  • Set ForwardWindowsAuthToken to true in web.config
  • NTLM moved to the top of the list as the first auth provider under Site > Authentication > Windows Authentication > Providers

, , . "" , .

web.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
    </handlers>
    <aspNetCore processPath="dotnet" arguments=".\MCP.MVP.dll" stdoutLogEnabled="true" stdoutLogFile=".\logs\stdout" forwardWindowsAuthToken="true" startupTimeLimit="3600" requestTimeout="23:00:00" />
    <defaultDocument>
        <files>
            <add value="/home/index" />
        </files>
    </defaultDocument>
  </system.webServer>
</configuration>

<!--ProjectGuid: [REDACTED] -->

Startup.cs:

services.AddAuthentication(IISDefaults.AuthenticationScheme);
services.Configure<IISOptions>(options =>
{
    options.AutomaticAuthentication = true;
});

Program.cs:

public static IWebHost BuildWebHost(string[] args) =>
    WebHost.CreateDefaultBuilder(args)
    .UseIISIntegration()
    .UseStartup<Startup>()
    .Build();

Authorize:

[Authorize(Policy = "RequireViewerRole")]

, Configuration [ "RequireViewerRoles" ] , :

services.AddAuthorization(options =>
{
    options.AddPolicy("RequireViewerRole", policy => policy.RequireRole(Configuration["RequireViewerRoles"].Split(',')));
});

.NET Core 2.0, - ?

+4
1

!

401.2 " ". , , , , , . 5 , - .

, . (DomainName\\ ). , , . , IIS, .

0

Source: https://habr.com/ru/post/1696116/

