Hi All,

I’m setting up a simple Classic ASP application, to read the user login using Windows Authentication, in IIS 7.5 on a Windows 2008 R2 Server.
(The application is just one file and has this line - response.write(Request.ServerVariables("LOGON_USER ")) )

But I’m unable to read the user’s login information unless the code files (application directory) are given Read & Execution permissions to the specific person or ‘Everyone’.
If I remove ‘Everyone’ or the end user’s Id, I’m prompted to a login pop-up which subsequently takes me to the 401 - Unauthorized error.

I’ve the following settings applied in the IIS…

  1. Set the Application Pool’s identity to ‘ApplicationPoolIdentity’
  2. Enabled Windows Authentication and disabled all other Authentications.
  3. Moved ‘NTLM’ to top on the Providers under Windows Authentication.
  4. Set the Impersonate User to False in CGI
  5. Added ‘IIS AppPool\DefaultAppPool’ to the Security properties of the application directory.



I’m confused why IIS 7.5 web applications with Windows Authentication needs end users or ‘Everyone’ to have read access to the code files.

Please suggest your views to resolve this problem and help me run this application without the folders being shared with the end users.

Thanks in advance,
Ashok