Categories: Citrix IIS Windows

IIS 7.5 .ASPX 401.3 - Unauthorized for IUSR Account

After installing all prerequisite dependencies and setting up a XenApp 6.5 Web Interface 5.4 on IIS 7.5, I was getting the error "401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource" whenever I tried to access the web interface front end using the default IUSR account for anonymous authentication. I tried every combination of troubleshooting I could think of: looked through IIS logs, changed the Anonymous Authentication credentials to use the Application pool identity instead of IUSR, changed the application pool's identity to run as NetworkService instead of ApplicationPoolIdentity, added NTFS ACL read permissions for IUSR and IIS_IUSRS on the entire Citrix web directory, Uninstalled the web interface, reinstalled the web interface, but the end result was still a 401.3 access denied error.


After much frustration and countless googling 401.3 errors, I decided to take a step back and perform my usual lower level troubleshooting procedures. I created a test.html and test.aspx file, then tried to hit one at a time. Bingo. I could access the test.html file but not test.aspx. The problem was now narrowed down to be permissions related with aspx files only.

I traced the w3wp.exe process using procmon and found that it was accessing aspnet_isapi.dll in the .NET 2.0 x86 framework folder (C:\Windows\Microsoft.NET\Framework\v2.0.50727) but it was successful.


"The asp.dll ISAPI extension executes the requested ASP page and returns its generated HTML markup. If your Web site serves up ASP.NET Web pages, IIS has mapped the .aspx to aspnet_isapi.dll, an ISAPI extension that starts off the process of generating the rendered HTML for the requested ASP.NET Web page. The aspnet_isapi.dll ISAPI extension is a piece of unmanaged code. That is, it is not code that runs in the .NET Framework. When IIS routes the request to the aspnet_isapi.dll ISAPI extension, the ISAPI extension routes the request onto the ASP.NET engine(aspnet_wp.exe), which is written in managed code - managed code is code that runs in the .NET Framework."


Even though it was successful, this was my only lead and then decided it wouldn't hurt to try adding NTFS permissions to it's ACL. After adding the IUSR account to the ACL of this file, the Citrix Web Interface aspx pages loaded and there was no more 401 error. Boom ^_^

Disqus Comments Loading...

Recent Posts

VMWare vSphere 6.7 ESXTOP Output Garbled

If your VMWare vSphere 6.x environment command output of esxtop looks like a bunch of garbled gibberish (it's actually CSV… Read More

February 28, 2019 7:39 pm 19:39

How To Run RoboCopy Backup in Parallel

From time to time Windows Admins will surprise you with band-aid and bubble gum scripts, that's entirely expected I think.… Read More

February 28, 2019 12:20 pm 12:20

Windows 10 GodMode - The Ultimate Administrator Shortcut

Have you ever wondered what life might be like if the Windows 10 OS somehow had a single folder that… Read More

February 28, 2019 7:58 am 07:58

Samsung Galaxy S9 G960/G965 Stock ROM Firmware Download

There could be any number of reasons for needing to flash manufacturer stock OEM firmware on a Samsung Galaxy S9… Read More

January 24, 2019 7:42 am 07:42

Output IP Address with ipconfig Findstr Ethernet Adapter

How many times have you entered  ipconfig /all at the command line to return a single IP address, then have to strain… Read More

January 20, 2019 12:39 am 00:39

AWS SES Assistance in Enterprise Market - A Must Read

Designing e-mail solutions on a large scale can be a complex and costly challenge for a business: you need to… Read More

December 25, 2018 4:01 pm 16:01