I'm trying to connect to a asp.net website we have created. It uses Windows authentication and it denies access to non authenticated users
web.config:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
The website is in our DMZ. The server is connected to the domain. It's working without problems when I try to connect to the site from our internal network. I get an Authentication Required popup box, fill in my credentials and I can enter the site.
When I connect from an external network, it doesn't work. The browser is connecting to the site but the popup box is never shown. Eventually I get a The connection was reset
Apparently the firewall sees my request as a vulnerability and blocks it. This message can be found in the network package of the firewal:
401 - Unauthorized: Access is denied due to invalid credentials.
That is the same error I get when I connect to the site from an internal location and click cancel or fill in the wrong credentials.
I have already tried this with no luck:
- Move NTLM to the top of my providers
- Use Kerberos authentication
- Check the modules in IIS: Both WindowsAuthentication and WindowsAuthenticationModule are there
- Adding the DisableStrictNameChecking and DisableLoopbackCheck to the registry
- Allow anonymous authentication (IIS level)
- Allow basic authentication (IIS level)
- Allow all users with windows authentication (in web.config): Basically deleting the authorization node. This uses anonymous and it works. The site can be accessed, but the user is not authenticated and does not see his personal reports (so unusable)
- Change the application pool user
- Give access rights on the arp folder to IUSR
Why are there two 401 statusses when I go to the site? This causes the firewall to block traffic and thus never show the Authentication Required popup.
