Sharepoint impersonates the IUSR account and is denied access to resources

Symptoms

Consider the following scenario:

You have configured a Forms-based authentication Web Application on a Sharepoint 2010 Server.

Symptom 1:

On trying to generate an Audit report, you receive the following error:

System.Runtime.InteropServices.COMException: Error HRESULT E_FAIL has been returned from a call to a COM component.

Symptom 2:

You investigate the process execution using Process Explorer ( http://technet.microsoft.com/en-us/sysinternals/bb896653 ) and notice that the process  includes a lot of 

Token NT AUTHORITY\IUSR:3e3

Symptom 3:

You may receive the following error in SQL:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'


Cause

This is expected behavior at the time of creation of this article.

The knowledge base article 979917 states: 

This hotfix makes a new application setting available in ASP.NET 2.0. The new application setting is 'aspnet:AllowAnonymousImpersonation'. You can enable this setting by adding the following section to the Web.config file: 
    <appSettings>
<add key="aspnet:AllowAnonymousImpersonation" value="true" />
</appSettings>

To enable this setting, you must have IIS 7 or IIS 7.5 running in Integrated mode. When this setting is enabled, the application runs under the security context of the IUSR identity.
Additionally, creating a Forms-based Authentication Web Application will enable the setting and set it to true.

Resolution

To workaround the issues, you need to determine if the setting is mandatory for your environment, and if not, you can set it to 'false'.

More Information

Be advised that editing the Authentication provider for the web application will re-set the setting to the default value (true).
Properties

Article ID: 2686411 - Last Review: Mar 16, 2012 - Revision: 1

Feedback