FIM Troubleshooting: Portal access - URL authorization failed for the request
Issue
After the upgrade to FIM 2010 R2 SP1, an interesting issue arose. We had 2 accounts, a normal account and his administrator account. The normal account worked fine and saw the typical user portal. The admin account, however, could not authenticate. We saw a 401 Unauthorized.
Application Event log
Event ID 1314, ASP.Net 2.0.50727.0
Event code: 4007
Event message: URL authorization failed for the request.
Event time: 5/21/2013 11:38:56 AM
Event time (UTC): 5/21/2013 6:38:56 PM
Event ID: 6ec7a819942040dc9c722d60edaeaeec
Event sequence: 82
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1677053101/ROOT-1-130136351022623492
Trust level: WSS_Minimal
Application Virtual Path: /
Application Path: C:\inetpub\wwwroot\wss\VirtualDirectories\80\
Machine name: R2SP1
Process information:
Process ID: 2184
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
Request information:
Request URL: http://r2sp1/IdentityManagement/default.aspx
Request path: /IdentityManagement/default.aspx
User host address: fe80::ac0f:5c9b:c749:586e/
User: CONTOSO\Administrator
Is authenticated: True
Authentication Type: Negotiate
Thread account name: CONTOSO\Administrator
Cause:
Domain Users was not included in the Allow group of the .NET Authorization Rules for the SharePoint-80 site inside of IIS Manager.
Resolution:
- On the machine hosting the FIM Portal
- From Administrative Tools select Internet Information Services (IIS) Manager
- Expand the Server, then Sites and select SharePoint-80
- Under ASP.NET double click on .NET Authorization Rules
- Double click on the row for Local to display the Edit Allow Authorization Rule dialogue
- The default is All Users. If you are using "Specified Roles or User Groups" then ensure that the group specified contains the Domain Users group
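
To see why a given account is rejected, the rules shown in .NET Authorization Rules can be evaluated the way ASP.NET URL authorization does: in order, with the first matching rule deciding. The following is an added example, not part of the original article; the group name CONTOSO\FIM Portal Users, the trailing deny rule and the function name Test-UrlAuthorization are constructed for illustration, and the verbs attribute is ignored.

```powershell
# Constructed sample of a <system.web><authorization> section. On the portal host,
# load the real file instead (assumed location: web.config in the Application Path
# reported in the event), e.g.
#   $cfg = [xml](Get-Content 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config')
$sampleConfig = [xml]@'
<configuration>
  <system.web>
    <authorization>
      <allow roles="CONTOSO\FIM Portal Users" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
'@

function Test-UrlAuthorization {
    param(
        [Parameter(Mandatory=$true)] [xml]$Config,
        [string]$User = '',        # empty string means an anonymous request
        [string[]]$Groups = @()    # groups the account is a member of
    )
    # users= and roles= hold comma-separated lists; trim and drop empty entries.
    $split = { param($s) @($s -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }) }

    foreach ($rule in $Config.SelectNodes('/configuration/system.web/authorization/*')) {
        $users = & $split $rule.GetAttribute('users')
        $roles = & $split $rule.GetAttribute('roles')

        # '*' matches everyone, '?' matches anonymous only; names compare case-insensitively.
        $userHit = ($users -contains '*') -or
                   ((-not $User) -and ($users -contains '?')) -or
                   ($User -and ($users -contains $User))
        $roleHit = @($Groups | Where-Object { $roles -contains $_ }).Count -gt 0

        # First matching rule wins; later rules are never consulted.
        if ($userHit -or $roleHit) {
            return ('{0} (matched rule: {1})' -f $rule.LocalName, $rule.OuterXml)
        }
    }
    # No rule in this file matched: rules inherited from parent configuration decide.
    return 'no match in this file (inherited rules apply)'
}

# An admin account that is not in the allowed group falls through to the deny rule.
Test-UrlAuthorization -Config $sampleConfig -User 'CONTOSO\Administrator' -Groups 'CONTOSO\Domain Admins'
# An account whose group list includes the allowed group is admitted by the first rule.
Test-UrlAuthorization -Config $sampleConfig -User 'CONTOSO\jsmith' -Groups 'CONTOSO\Domain Users','CONTOSO\FIM Portal Users'
```

Pass the account name from the User field of the event and that account's actual group memberships to find which rule produces the denial.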