Issue
After an upgrade to FIM 2010 R2 SP1, an interesting issue arose. We had two accounts for the same person: a normal user account and a separate administrator account. The normal account worked fine and saw the typical user portal. The admin account, however, could not get in: the FIM Portal returned HTTP 401 Unauthorized.
Application event log entry (Event ID 1314, source ASP.NET 2.0.50727.0):
Event code: 4007
Event message: URL authorization failed for the request.
Event time: 5/21/2013 11:38:56 AM
Event time (UTC): 5/21/2013 6:38:56 PM
Event ID: 6ec7a819942040dc9c722d60edaeaeec
Event sequence: 82
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1677053101/ROOT-1-130136351022623492
Trust level: WSS_Minimal
Application Virtual Path: /
Application Path: C:\inetpub\wwwroot\wss\VirtualDirectories\80\
Machine name: R2SP1
Process information:
Process ID: 2184
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
Request information:
Request URL: http://r2sp1/IdentityManagement/default.aspx
Request path: /IdentityManagement/default.aspx
User host address: fe80::ac0f:5c9b:c749:586e/
User: CONTOSO\Administrator
Is authenticated: True
Authentication Type: Negotiate
Thread account name: CONTOSO\Administrator
Cause:
Domain Users was not included in the Allow rule of the .NET Authorization Rules for the SharePoint-80 site in IIS Manager. Note what the event shows: the request was authenticated (Is authenticated: True, Authentication Type: Negotiate), so this is not an authentication failure. The failure is in ASP.NET URL authorization (event code 4007, "URL authorization failed for the request"), which evaluates the rules top to bottom and applies the first match; no Allow rule matched the administrator account, so the request was rejected with 401 even though the user had a valid Kerberos/NTLM ticket.
Resolution:
- On the machine hosting the FIM Portal, from Administrative Tools select Internet Information Services (IIS) Manager.
- Expand the server node, then Sites, and select SharePoint-80.
- Under ASP.NET, double-click .NET Authorization Rules.
- Double-click the row whose Entry Type is Local to display the Edit Allow Authorization Rule dialog.
- The default is All Users. If you are using "Specified roles or user groups", ensure that the group specified contains the Domain Users group.
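The IIS Manager feature above writes to the `<system.web><authorization>` section of the site's web.config. The following PowerShell script is an added example, not part of the original article or of FIM itself: it reads that section directly, prints the rules in evaluation order, and reports whether a given group would be allowed under ASP.NET's first-match-wins semantics. It assumes the site root shown in the event above (`C:\inetpub\wwwroot\wss\VirtualDirectories\80\`) and the domain name `CONTOSO` from the event; both are parameters you should adjust for your environment.

```powershell
# Added example (not from the original article or from FIM/SharePoint): inspect the
# ASP.NET URL authorization rules that IIS Manager shows as ".NET Authorization Rules"
# and check whether a given group is allowed.
# Assumptions: the site's web.config lives under the Application Path from the event,
# and the group of interest is CONTOSO\Domain Users. Run in an elevated PowerShell
# on the FIM Portal server.
param(
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config',
    [string]$Group         = 'CONTOSO\Domain Users'
)

[xml]$cfg = Get-Content -Path $WebConfigPath -Raw

# Flatten an <authorization> element into ordered allow/deny rule objects.
function Get-AuthRules([System.Xml.XmlElement]$authz) {
    foreach ($node in $authz.ChildNodes) {
        if ($node.NodeType -ne 'Element') { continue }
        [pscustomobject]@{
            Action = $node.LocalName                 # allow or deny
            Users  = $node.GetAttribute('users')     # e.g. "*" (everyone) or "?" (anonymous)
            Roles  = $node.GetAttribute('roles')     # e.g. "CONTOSO\Domain Users"
            Verbs  = $node.GetAttribute('verbs')
        }
    }
}

# ASP.NET UrlAuthorizationModule semantics: rules are evaluated top to bottom and the
# first rule matching the user wins. This asks: would a user whose only matching
# role is $group be allowed? A rule matches if it names users="*" or lists the role.
function Test-GroupAllowed($rules, [string]$group) {
    foreach ($r in $rules) {
        $userList = @($r.Users -split ',' | ForEach-Object { $_.Trim() })
        $roleList = @($r.Roles -split ',' | ForEach-Object { $_.Trim() })
        if ($userList -contains '*' -or $roleList -contains $group) {
            return ($r.Action -eq 'allow')
        }
    }
    # No local rule matched: the inherited machine-level default is <allow users="*"/>.
    return $true
}

# Collect the site-level section plus any <location> override, which also applies.
$sections = @()
$siteAuthz = $cfg.SelectSingleNode('/configuration/system.web/authorization')
if ($siteAuthz) { $sections += [pscustomobject]@{ Scope = '(site root)'; Node = $siteAuthz } }
foreach ($loc in $cfg.SelectNodes('/configuration/location')) {
    $a = $loc.SelectSingleNode('system.web/authorization')
    if ($a) {
        $sections += [pscustomobject]@{ Scope = "location path=""$($loc.GetAttribute('path'))"""; Node = $a }
    }
}

if (-not $sections) {
    Write-Host "No local .NET Authorization Rules in $WebConfigPath; the inherited default (allow all users) applies."
}
foreach ($s in $sections) {
    $rules = @(Get-AuthRules $s.Node)
    Write-Host "`nRules for $($s.Scope):"
    $rules | Format-Table Action, Users, Roles, Verbs -AutoSize | Out-String | Write-Host
    if (Test-GroupAllowed $rules $Group) {
        Write-Host "OK: '$Group' is allowed by these rules."
    } else {
        Write-Warning "'$Group' is NOT allowed by these rules. Members will get HTTP 401 and ASP.NET event code 4007 (URL authorization failed). Add the group to the Allow rule as described in the Resolution."
    }
}
```

The same section can be dumped without a script using the IIS command-line tool, `%windir%\system32\inetsrv\appcmd.exe list config "SharePoint-80" /section:system.web/authorization`, which is handy for comparing the configuration before and after the fix. The script only reads; make the change through IIS Manager as in the Resolution so the edit goes through the same configuration path the article describes.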