Categories: Citrix, IIS, Windows

IIS 7.5 .ASPX 401.3 – Unauthorized for IUSR Account

After installing all prerequisite dependencies and setting up a XenApp 6.5 Web Interface 5.4 on IIS 7.5, I was getting the error “401.3 – Unauthorized: Access is denied due to an ACL set on the requested resource” whenever I tried to access the web interface front end using the default IUSR account for anonymous authentication. I tried every combination of troubleshooting I could think of: looked through IIS logs, changed the Anonymous Authentication credentials to use the application pool identity instead of IUSR, changed the application pool’s identity to run as NetworkService instead of ApplicationPoolIdentity, added NTFS ACL read permissions for IUSR and IIS_IUSRS on the entire Citrix web directory, uninstalled the web interface, and reinstalled the web interface, but the end result was still a 401.3 access denied error.


After much frustration and countless Google searches for 401.3 errors, I decided to take a step back and perform my usual lower-level troubleshooting procedures. I created a test.html and a test.aspx file, then tried to hit them one at a time. Bingo. I could access the test.html file but not test.aspx. The problem was now narrowed down to a permissions issue with aspx files only.

I traced the w3wp.exe process using procmon and found that it was accessing aspnet_isapi.dll in the .NET 2.0 x86 framework folder (C:\Windows\Microsoft.NET\Framework\v2.0.50727) but it was successful.


“The asp.dll ISAPI extension executes the requested ASP page and returns its generated HTML markup. If your Web site serves up ASP.NET Web pages, IIS has mapped the .aspx to aspnet_isapi.dll, an ISAPI extension that starts off the process of generating the rendered HTML for the requested ASP.NET Web page. The aspnet_isapi.dll ISAPI extension is a piece of unmanaged code. That is, it is not code that runs in the .NET Framework. When IIS routes the request to the aspnet_isapi.dll ISAPI extension, the ISAPI extension routes the request onto the ASP.NET engine (aspnet_wp.exe), which is written in managed code – managed code is code that runs in the .NET Framework.”


Even though it was successful, this was my only lead, and I decided it wouldn’t hurt to try adding NTFS permissions to its ACL. After adding the IUSR account to the ACL of this file, the Citrix Web Interface aspx pages loaded and there was no more 401 error. Boom ^_^
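
The ACL check and fix described above can be scripted. The following is an added example, not code from the original post: it reports whether IUSR and IIS_IUSRS are named with read-and-execute rights on the DLL from the post, and grants only that right when run with `-Grant`. The choice of read-and-execute and the parameter names are assumptions, since the post does not say which permission was added.

```powershell
# Added example, not from the original post. Assumed: the DLL path quoted in the
# post, and ReadAndExecute as the right to look for (the post names no right).
param(
    [string]$Path = 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll',
    [string[]]$Account = @('NT AUTHORITY\IUSR', 'BUILTIN\IIS_IUSRS'),
    [switch]$Grant   # without this switch the script only reports
)

$need    = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$sidType = [System.Security.Principal.SecurityIdentifier]

foreach ($name in $Account) {
    $sid = (New-Object System.Security.Principal.NTAccount($name)).Translate($sidType)

    # Collect explicit and inherited ACEs that name this account directly.
    # Access the account gets through group membership is not evaluated here.
    $allow = 0; $deny = 0
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $sid.Value) { continue }
        if ($rule.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$rule.FileSystemRights }
        else { $deny = $deny -bor [int]$rule.FileSystemRights }
    }
    $ok = (($allow -band $need) -eq $need) -and (($deny -band $need) -eq 0)

    if ($Grant -and -not $ok) {
        # Least privilege: read and execute only. The account is addressed by
        # SID, which icacls accepts with a leading '*'.
        & icacls.exe $Path /grant "*$($sid.Value):(RX)" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed for $name (run elevated?)" }
    }

    [pscustomobject]@{
        Path           = $Path
        Account        = $name
        Sid            = $sid.Value
        HasReadExecute = $ok
        GrantAttempted = [bool]($Grant -and -not $ok)
    }
}
```

Running it without `-Grant` before and after a change records what the ACL looked like, which makes the fix easier to review or roll back later.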
