FIM Troubleshooting: Portal access - URL authorization failed for the request


Issue

After upgrading to FIM 2010 R2 SP1, an interesting issue arose. We had 2 accounts for one user: a normal account and his administrator account. The normal account worked fine and saw the typical user portal. The admin account, however, could not get into the portal: we saw a 401 Unauthorized.


Application Event log

 

Event ID 1314, ASP.Net 2.0.50727.0

Event code: 4007
Event message: URL authorization failed for the request.
Event time: 5/21/2013 11:38:56 AM
Event time (UTC): 5/21/2013 6:38:56 PM
Event ID: 6ec7a819942040dc9c722d60edaeaeec
Event sequence: 82
Event occurrence: 1
Event detail code: 0
 
Application information:
    Application domain: /LM/W3SVC/1677053101/ROOT-1-130136351022623492
    Trust level: WSS_Minimal
    Application Virtual Path: /
    Application Path: C:\inetpub\wwwroot\wss\VirtualDirectories\80\
    Machine name: R2SP1
 
Process information:
    Process ID: 2184
    Process name: w3wp.exe
    Account name: NT AUTHORITY\NETWORK SERVICE
 
Request information:
    Request URL: http://r2sp1/IdentityManagement/default.aspx
    Request path: /IdentityManagement/default.aspx
    User host address: fe80::ac0f:5c9b:c749:586e/
    User: CONTOSO\Administrator
    Is authenticated: True
    Authentication Type: Negotiate
    Thread account name: CONTOSO\Administrator


Cause:

Domain Users was not included in the Allow group of the .NET Authorization Rules for the SharePoint-80 site inside of IIS Manager.


Resolution:

  1. On the machine hosting the FIM Portal
  2. From Administrative Tools select Internet Information Services (IIS) Manager
  3. Expand the Server, then Sites and select SharePoint-80
  4. Under ASP.NET, double-click .NET Authorization Rules
  5. Double-click the row for Local to display the Edit Allow Authorization Rule dialog
  6. The default is All Users.  If you are using "Specified Roles or User Groups", ensure that the group specified contains the Domain Users group
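
The following is an added example, not part of the original article: it models how ASP.NET evaluates the authorization rules that the .NET Authorization Rules page stores in the site's web.config (top-down, first match wins) and shows why an authenticated account outside the allowed group is refused. The web.config fragment, the explicit deny rule, the group name CONTOSO\FIM Portal Users, the user jsmith and the group memberships are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment (not from the page). The group name and the
# explicit deny rule are assumptions made for illustration.
SAMPLE_CONFIG = r"""
<configuration>
  <system.web>
    <authorization>
      <allow roles="CONTOSO\FIM Portal Users" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
"""

def _names(value):
    """Split a comma-separated users/roles attribute into a lowercase set."""
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}

def load_rules(config_xml):
    """Return (action, users, roles) tuples in the order they are declared."""
    section = ET.fromstring(config_xml).find("system.web/authorization")
    if section is None:
        return []
    return [(rule.tag, _names(rule.get("users")), _names(rule.get("roles")))
            for rule in section if rule.tag in ("allow", "deny")]

def is_authorized(rules, user, groups, authenticated=True):
    """Evaluate rules top-down; the first rule that matches decides."""
    user, groups = user.lower(), {g.lower() for g in groups}
    for action, users, roles in rules:
        matched = ("*" in users or user in users
                   or ("?" in users and not authenticated)
                   or bool(roles & groups))
        if matched:
            return action == "allow"
    return True  # nothing matched locally: inherited default allows all users

RULES = load_rules(SAMPLE_CONFIG)
# Flattened group lists as they would appear in each account's token (assumed).
NORMAL_USER = [r"CONTOSO\Domain Users", r"CONTOSO\FIM Portal Users"]
ADMIN_BEFORE = [r"CONTOSO\Domain Users", r"CONTOSO\Domain Admins"]
# After Domain Users is nested in the allowed group, the token carries it too.
ADMIN_AFTER = ADMIN_BEFORE + [r"CONTOSO\FIM Portal Users"]

if __name__ == "__main__":
    print("jsmith:", is_authorized(RULES, r"CONTOSO\jsmith", NORMAL_USER))
    print("admin before:", is_authorized(RULES, r"CONTOSO\Administrator", ADMIN_BEFORE))
    print("admin after:", is_authorized(RULES, r"CONTOSO\Administrator", ADMIN_AFTER))
```

The "admin before" case corresponds to the event above: the request is authenticated (Is authenticated: True), yet URL authorization fails because no allow rule matches the account's groups.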

Comments
  • Andrew Masse edited Revision 2. Comment: Corrected symptom Application Event Log - invalid token for impersonation is caused by a different issue.