Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Sharepoint impersonates the IUSR account and is denied access to resources

Sharepoint impersonates the IUSR account and is denied access to resources

View products that this article applies to.

Symptoms

Consider the following scenario:

You have configured a Forms-based authentication Web Application on a Sharepoint 2010 Server.

Symptom 1:

On trying to generate an Audit report, you receive the following error:

System.Runtime.InteropServices.COMException: Error HRESULT E_FAIL has been returned from a call to a COM component.

Symptom 2:

You investigate the process execution using Process Explorer ( http://technet.microsoft.com/en-us/sysinternals/bb896653 ) and notice that the process  includes a lot of 

Token NT AUTHORITY\IUSR:3e3

Symptom 3:

You may receive the following error in SQL:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'


↑ Back to the top

Cause

This is expected behavior at the time of creation of this article.

The knowledge base article 979917 states: 

This hotfix makes a new application setting available in ASP.NET 2.0. The new application setting is 'aspnet:AllowAnonymousImpersonation'. You can enable this setting by adding the following section to the Web.config file: 
    <appSettings>
        <add key="aspnet:AllowAnonymousImpersonation" value="true" />
    </appSettings>

To enable this setting, you must have IIS 7 or IIS 7.5 running in Integrated mode. When this setting is enabled, the application runs under the security context of the IUSR identity.
Additionally, creating a Forms-based Authentication Web Application will enable the setting and set it to true.

↑ Back to the top

Resolution

To workaround the issues, you need to determine if the setting is mandatory for your environment, and if not, you can set it to 'false'.

↑ Back to the top

More Information

Be advised that editing the Authentication provider for the web application will re-set the setting to the default value (true).

↑ Back to the top

Keywords: kb

↑ Back to the top

Article Info
Article ID : 2686411
Revision : 1
Created on : 1/7/2017
Published on : 3/16/2012
Exists online : False
Views : 307