The partner reported they could log into the web client just fine from the SQL Server. However, when they launched the web client from the Web Server that hosts the Dynamics GP web application, they received:
HTTP Error 500.0 - Internal Server Error
Now, this error is a pretty generic error. In addition to not being able to log in, the landing page would not display the Microsoft Dynamics GP logo.
Troubleshooting the Issue
The partner had tried the following troubleshooting techniques:
- Repaired Microsoft Dynamics GP web components
- Uninstalled and reinstalled web components
- Rebooted the server
Usually, if you still cannot get past the login window after trying the first two options, you know you are facing a prerequisite configuration issue.
Reading the Detailed Error Information section, you will notice that the error was caused by an authentication request: an anonymous user, using Anonymous Authentication, was trying to access an image resource file. In simple terms, this is a permissions issue.
Upon inspecting the GP website authentication setting, the partner noticed the credentials for the anonymous user identity were set to IUSR.
So what's the big deal?
Anonymous authentication gives users access to the public areas of your website without prompting them for a user name or password. When a user attempts to connect to your public Web site, your Web server assigns the user to the Windows user account called IUSR.
By default, the IUSR account is included in the IIS_IUSRS built-in group. This group has security restrictions, imposed by NTFS permissions, that designate the level of access and the type of content available to public users. With that said, websites such as the GP web client belong in the private domain, and most organizations disable anonymous authentication entirely for the GP websites and revoke the IUSR account's or IIS_IUSRS group's access to the website folder to prevent unauthorized access.
If you are running IIS 7.5 on Windows Server 2008 R2, or a later version of IIS, for every application pool you create, the Identity property of the new application pool is set to ApplicationPoolIdentity by default. The IIS Admin Process (WAS) will create a virtual account with the name of the new application pool and run the application pool's worker processes under this account by default.
By setting the ApplicationPoolIdentity as the anonymous user account for a site, you can isolate content and configuration for that site so that no other sites on the same IIS web server can access it, even if you have enabled anonymous authentication. The GP web client installation allows you to specify a domain account as the identity for the Web Management Console and GP web application pools. The installer in turn will ensure the proper permissions are given to the folders hosting the web site and the GP web components.
This is particularly useful if you are a hosting provider running multiple customer websites on a single IIS server. Having the ability to control the website access and the content that is displayed is very important.
For a primer on IUSR vs application pool identity, take a look at the following article by Tristan K.
IUSR vs Application Pool Identity – Why use either?
In this particular case, switching the Anonymous Authentication credentials from IUSR to ApplicationPoolIdentity fixed the issue. Keep in mind, though, that the GP web client does not require anonymous authentication to be enabled.
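The check and the fix described above can be scripted with the WebAdministration module. This is an added example, not part of the original post: the function names are hypothetical and the site name is a placeholder, since the post does not give the GP site's name.

```powershell
# Added example. Run in an elevated PowerShell session on the IIS web server.
Import-Module WebAdministration

$filter = '/system.webServer/security/authentication/anonymousAuthentication'

# Report, per site, whether anonymous authentication is on, which identity it
# maps to, and whether IUSR has an access entry on the site's root folder.
function Get-AnonymousAuthReport {
    foreach ($site in Get-Website) {
        $anon = Get-WebConfiguration -Filter $filter -PSPath 'IIS:\' -Location $site.Name
        $root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
        $iusrAce = @((Get-Acl -Path $root).Access |
            Where-Object { $_.IdentityReference.Value -like '*\IUSR' }).Count -gt 0
        [pscustomobject]@{
            Site             = $site.Name
            AppPool          = $site.applicationPool
            AnonymousEnabled = [bool]$anon.enabled
            # An empty userName means IIS uses the application pool identity.
            AnonymousUser    = if ($anon.userName) { $anon.userName }
                               else { '(application pool identity)' }
            IusrHasFolderAce = $iusrAce
        }
    }
}

# Point anonymous requests at the application pool identity, or turn
# anonymous authentication off entirely with -Disable.
function Set-AnonymousToAppPoolIdentity {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [switch]$Disable
    )
    if ($Disable) {
        Set-WebConfigurationProperty -Filter $filter -PSPath 'IIS:\' `
            -Location $SiteName -Name enabled -Value $false
    } else {
        Set-WebConfigurationProperty -Filter $filter -PSPath 'IIS:\' `
            -Location $SiteName -Name userName -Value ''
    }
}

Get-AnonymousAuthReport | Format-Table -AutoSize
# Placeholder site name; replace with the site that hosts the GP web client.
# Set-AnonymousToAppPoolIdentity -SiteName '<GP web site name>'
```

A site that reports AnonymousUser as IUSR while IusrHasFolderAce is False matches the mismatch behind the 500.0 error in this case.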
Until next post!
Mariano Gomez, MVP