Oh my God, this is the kind of stuff that makes you want to kill yourself. So basically I had this problem where I had two web applications that both used windows authentication mode, and each application had it's own app pool. The first one was working fine, then I published and attempted to run the second one, and all hell broke loose.
All of a sudden, users could no longer log into the first web application, nor were users able to log into the second one. Before, pass-through authentication worked without prompting the users for credentials, but now not only did it request credentials three times but it kicked the following error even on valid credentials:
401 - Unauthorized: Access is denied due to invalid credentials.
It turns out that the reason this happened was because IIS7 does not support multiple app pools running windows authentication mode by default. In order to use windows authentication with multiple app pools, you need to either:
- Place all your WAM applications in a single app pool (This user can be ApplicationPoolIdentity as long as this is the ONLY app pool that has WAM apps)
- Assign a unique user account to each WAM app pool
- Disable kernel mode authentication
As far as I can tell, disabling kernel mode authentication is the ONLY way to keep your credentials passing through without prompting your users for a login.
To disable kernel mode authentication, run the following from a command prompt:
%windir%\system32\inetsrv\appcmd set config /section:windowsAuthentication /useKernelMode:false