How to solve 401.2 errors related to Windows Authentication and the BUILTIN\Administrators role in IIS 7

by Peter Tyrrell Tuesday, July 06, 2010 3:28 PM


An ASP.NET web application set to use Windows authentication where the web.config allows/denies authorization based on Windows roles, which references the BUILTIN\Administrators role specifically.

Your account is in the BUILTIN\Administrators group. The web application is running on a Windows OS with User Account Control [UAC] enabled. (hint HINT.)

Here's an example taken straight from official Microsoft Patterns and Practices: How To: use Windows Authentication in ASP.NET 2.0.



Even though your account is in the BUILTIN\Administrators group - you checked three times, pinching yourself in case you were dreaming - you cannot authenticate to get in to the web application. Instead, you get 401.2 errors.


You know your credentials are correct, because if you deliberately screw up your password, you get a 401.1 error. If you allow your specific account (DOMAIN\frustratedguy) in web.config, you can authenticate as normal.

It's as if the app doesn't think you are a member of the BUILTIN\Administrators role at all...


In fact, as far as the app is concerned, you are not a member of BUILTIN\Administrators. UAC has cast you out from that divine realm, and you no longer hold the keys to heaven.

using System.Web.Security

Listing roles might get you a list like:

None,Everyone,HomeUsers,BUILTIN\Users,NT AUTHORITY\NETWORK,NT AUTHORITY\Authenticated Users,NT AUTHORITY\This Organization,NT AUTHORITY\NTLM Authentication

No BUILTIN\Administrators. Allow another of those roles in web.config and your credentials will authenticate.

Myself, I didn't know how UAC actually worked. I knew that it didn't let me operate in the context of Administrator unless explicitly told to do so, but I didn't realize that meant that a role check would fail to find me in the Administrators group. Live and learn.


blog comments powered by Disqus

Month List