Sharepoint impersonates the IUSR account and is denied access to resources

Applies to: Microsoft SharePoint Foundation 2010SharePoint Server 2010

Symptoms


Consider the following scenario:

You have configured a Forms-based authentication Web Application on a Sharepoint 2010 Server.

Symptom 1:

On trying to generate an Audit report, you receive the following error:

System.Runtime.InteropServices.COMException: Error HRESULT E_FAIL has been returned from a call to a COM component.

Symptom 2:

You investigate the process execution using Process Explorer ( http://technet.microsoft.com/en-us/sysinternals/bb896653 ) and notice that the process  includes a lot of 

Token NT AUTHORITY\IUSR:3e3

Symptom 3:

You may receive the following error in SQL:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'


Cause


This is expected behavior at the time of creation of this article.

The knowledge base article 979917 states: 

This hotfix makes a new application setting available in ASP.NET 2.0. The new application setting is 'aspnet:AllowAnonymousImpersonation'. You can enable this setting by adding the following section to the Web.config file: 
    <appSettings>
<add key="aspnet:AllowAnonymousImpersonation" value="true" />
</appSettings>

To enable this setting, you must have IIS 7 or IIS 7.5 running in Integrated mode. When this setting is enabled, the application runs under the security context of the IUSR identity.
Additionally, creating a Forms-based Authentication Web Application will enable the setting and set it to true.

Resolution


To workaround the issues, you need to determine if the setting is mandatory for your environment, and if not, you can set it to 'false'.

More Information


Be advised that editing the Authentication provider for the web application will re-set the setting to the default value (true).