Why does my MVC3 Intranet site windows authentication not work when published

Question

We have a simple intranet site in MVC3 and entity framework. Everything works fine for running in debug from visual studio. When I publish the site to either my local boxes IIS7.5 webserver or to a dev box on the same domain, then I get prompted for a username and password and it won't connect to the site. It just returns a 401.1 error and curiously shows

Logon Method Not yet determined 
Logon User Not yet determined 

I have verified that the windows authentication is enabled and anonymous authentication is disabled. the application is using the applicationPoolIdentity but I have tried it with Network Services with no difference. The webconfig includes

<authentication mode="Windows" />

and I have tried it with and without the authorization section.

<authorization>
  <allow users="*" />
</authorization>

The only other thing I've found online involved changing a registry entry, but this will eventually be on a production server so I'm not comfortable making registry changes just for this.

running locally with this code block returns all the expected information

<div id="title">
    <h4> Environment.UserName: @Environment.UserName  
    @DateTime.Now.Millisecond.ToString() </h4>
    @foreach (var role in Roles.GetRolesForUser())
    {
        role.ToString(); <br />
    }
</div>
<div id="logindisplay">
    Context.User.Identity.Name <strong>@Context.User.Identity.Name</strong>!<br />
    @Environment.UserDomainName
</div>

It is an MVC3 Web Application. The IIS Authentication switches are

Anonymous Authentication     Disabled
ASP.NET Impersonation        Disabled
Forms Authentication         Disabled
Windows Authentication       Enabled

Any other ideas or things I'm missing?

Answer 1

This Article on MSDN illustrates how to setup an IIS 7 MVC3 Intranet Website: http://msdn.microsoft.com/en-us/library/gg703322(VS.98).aspx

The interesting piece that relates to you is most likely the last section on Impersonation. If you run your site as Windows Authentication but have Impersonation off you will be reading/executing the files for the website using the authenticated identity. That means each user who wants to access the site will need folder/file permissions.

To avoid that, use Windows Auth to allow users to authenticate but use Impersonation to use a single identity to access the folder/files.