IIS 7.5 .ASPX 401.3 – Unauthorized for IUSR Account

After installing all prerequisite dependencies and setting up a XenApp 6.5 Web Interface 5.4 on IIS 7.5, I was getting the error “401.3 – Unauthorized: Access is denied due to an ACL set on the requested resource” whenever I tried to access the web interface front end using the default IUSR account for anonymous authentication. I tried every combination of troubleshooting I could think of: looked through IIS logs, changed the Anonymous Authentication credentials to use the Application pool identity instead of IUSR, changed the application pool’s identity to run as NetworkService instead of ApplicationPoolIdentity, added NTFS ACL read permissions for IUSR and IIS_IUSRS on the entire Citrix web directory, Uninstalled the web interface, reinstalled the web interface, but the end result was still a 401.3 access denied error.


After much frustration and countless googling 401.3 errors, I decided to take a step back and perform my usual lower level troubleshooting procedures. I created a test.html and test.aspx file, then tried to hit one at a time. Bingo. I could access the test.html file but not test.aspx. The problem was now narrowed down to be permissions related with aspx files only.

I traced the w3wp.exe process using procmon and found that it was accessing aspnet_isapi.dll in the .NET 2.0 x86 framework folder (C:\Windows\Microsoft.NET\Framework\v2.0.50727) but it was successful.


“The asp.dll ISAPI extension executes the requested ASP page and returns its generated HTML markup. If your Web site serves up ASP.NET Web pages, IIS has mapped the .aspx to aspnet_isapi.dll, an ISAPI extension that starts off the process of generating the rendered HTML for the requested ASP.NET Web page. The aspnet_isapi.dll ISAPI extension is a piece of unmanaged code. That is, it is not code that runs in the .NET Framework. When IIS routes the request to the aspnet_isapi.dll ISAPI extension, the ISAPI extension routes the request onto the ASP.NET engine(aspnet_wp.exe), which is written in managed code – managed code is code that runs in the .NET Framework.”


Even though it was successful, this was my only lead and then decided it wouldn’t hurt to try adding NTFS permissions to it’s ACL. After adding the IUSR account to the ACL of this file, the Citrix Web Interface aspx pages loaded and there was no more 401 error. Boom ^_^

Categories: CitrixIISWindows
Tags: 401.3IUSR
Disqus Comments Loading...
All Rights ReservedRegular Version