IWA authentication fails with a 403 Forbidden Error

Document ID : KB000005044
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

After updating my IIS 7 web agents from 12.0 to 12.51, I can no longer get IWA to work properly, and we are receiving 403 Forbidden errors. After uninstalling the webagent, and reinstalling 12.0, functionality is restored. 

 

In the web agent logs, we see the following:

[12/05/2016][18:23:12][4077976432][][][][][][][][][][][][][federation agent][** Received request from agent][][]

[12/05/2016][18:23:12][4077976432][][][][][][][][][][][][][][Look up a cached object.][][]

[12/05/2016][18:23:12][4077976432][][][][][][][][][][][][][][Enter function CSm_Auth_Message::AnalyzeAgentAuthMessage][][]

[12/05/2016][18:23:12][4077976432][][][][][][][][][][][][][][Retrieve an object from the object cache.][][]

[12/05/2016][18:23:12][4077976432][][][][][][][][][][][][][][Retrieve an object from the object cache.][][]

[12/05/2016][18:23:12][4077976432][][][][][][][][][][][][][][Leave function CSm_Auth_Message::AnalyzeAgentAuthMessage][][]

[12/05/2016][18:23:12][4077976432][][][][][][][][][][][][][][Enter function CSm_Auth_Message::AuthenticateUser][][]

[12/05/2016][18:23:12][4077976432][IISTESTIWA][][][5][0][Integrated Windows Authentication][NT AUTHORITY\IUSR][][/IISTESTIWA/][][][][federation agent][Authenticating user.][][]

Environment:
Applies to all supported environments upgrading from 12.0 to at least 12.51
Cause:

Between 12.0 and 12.51, there was a change in the default values of IIS in the "inlinecredentials" ACO parameter. This allows the webagent to use the Anonymous Authentication, rather than using Windows Authentication. If IIS has Anonymous Authentication enabled, this will use the IUSR user, rather than the user specified with Windows Authentication, and ignore the Windows Authentication. 

Resolution:

Do one of two things:

1. Set inlinecredentials ACO parameter to be "no". This will prevent Single Sign On from utilizing Anonymous Authentication.

2. Set IIS Anonymous Authentication to be "false". This will allow IIS to use Windows Authentication.