Categories: Citrix IIS Windows

IIS 7.5 .ASPX 401.3 – Unauthorized for IUSR Account

after installing all prerequisite dependencies and setting up a xenapp 6.5 web interface 5.4 on iis 7.5, i was getting the error “401.3 – unauthorized: access is denied due to an acl set on the requested resource” whenever i tried to access the web interface front end using the default iusr account for anonymous authentication. i tried every combination of troubleshooting i could think of: looked through iis logs, changed the anonymous authentication credentials to use the application pool identity instead of iusr, changed the application pool’s identity to run as networkservice instead of applicationpoolidentity, added ntfs acl read permissions for iusr and iis_iusrs on the entire citrix web directory, uninstalled the web interface, reinstalled the web interface, but the end result was still a 401.3 access denied error.


after much frustration and countless googling 401.3 errors, i decided to take a step back and perform my usual lower level troubleshooting procedures. i created a test.html and test.aspx file, then tried to hit one at a time. bingo. i could access the test.html file but not test.aspx. the problem was now narrowed down to be permissions related with aspx files only.

i traced the w3wp.exe process using procmon and found that it was accessing aspnet_isapi.dll in the .net 2.0 x86 framework folder (c:\windows\\framework\v2.0.50727) but it was successful.


“the asp.dll isapi extension executes the requested asp page and returns its generated html markup. if your web site serves up web pages, iis has mapped the .aspx to aspnet_isapi.dll, an isapi extension that starts off the process of generating the rendered html for the requested web page. the aspnet_isapi.dll isapi extension is a piece of unmanaged code. that is, it is not code that runs in the .net framework. when iis routes the request to the aspnet_isapi.dll isapi extension, the isapi extension routes the request onto the engine(aspnet_wp.exe), which is written in managed code – managed code is code that runs in the .net framework.”


even though it was successful, this was my only lead and then decided it wouldn’t hurt to try adding ntfs permissions to it’s acl. after adding the iusr account to the acl of this file, the citrix web interface aspx pages loaded and there was no more 401 error. boom ^_^

Disqus Comments Loading...

Recent Posts

FreeNAS Error Creating Pool

command '('gpart', 'create', '-s', 'gpt', '/dev/da8')' returned non-zero exit status 1. If you get this error while trying to create… Read More

May 14, 2019 8:22 am 08:22

Change Grub Default Boot Entry on Linux Mint

i'm dual booting windows and linux mint on my laptop. the grub default is to boot into linux mint, however… Read More

April 23, 2019 7:45 pm 19:45

How to Reset Secure Channel On Active Directory Domain Controller

when you're a little too careless about virtualizing your domain controllers, cloning, migrating, backing up and restoring, returning from vacation… Read More

April 21, 2019 8:14 am 08:14

Run SystemD Script Before System Shutdown

for the sheer hell of it, a few weeks ago i wanted to see if i could properly and successfully… Read More

April 20, 2019 10:14 am 10:14

Learn Systemctl Usage to Manage Systemd Service in Linux

systemd is new service manager for linux. it's a replacement for all previous init systems (sysv/sysvinit & ubuntu's upstart) and… Read More

April 20, 2019 7:55 am 07:55

Force Delete Windows Server DHCP Failover Relationship

if you've found yourself here then chances are you messed up one of your domain controllers or at least one… Read More

April 20, 2019 5:54 am 05:54