Question / Problem:
What causes the "No roles found" error when using Windows authentication for some Insight applications but not others?
Answer / Solution:
This occurs when the .NET Authorization Rules in IIS allow Anonymous access for the non-working applications (e.g., Studio) and deny Anonymous access for the working applications (e.g., Admin). By default, all users are granted access and priority is given to Anonymous, which does not return the Active Directory information needed to authenticate the user.
Admin and Studio are configured for Windows authentication using Fixed Values in Insight. The role's Fixed value mapping is configured to allow both applications access provided the memberOf Active Directory property meets the value configured (the value is not relevant here).
When a user tests Admin, it works as expected by presenting a Windows login prompt. The user enters their Windows credentials and Admin starts. However, when that same user attempts to log into Studio, "No roles found." is shown and no Windows login prompt is displayed.
Analysis and Resolution:
In IIS Manager, open the .NET Authorization Rules of the working application (Admin in this example) and compare them with the .NET Authorization Rules of the non-working application (Studio in this example). Admin's rules may be configured to deny Anonymous users, which is why the login prompt appears: IIS is forced to use Windows authentication at that point. Studio's rules may be configured to "Allow / All users". By default, that setting gives priority to the Anonymous account. To force Windows authentication, add a rule to deny Anonymous users.
.NET Authorization Rules work closely with the application's Authentication settings. Both are application-level settings in IIS.
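The same comparison can be made from each application's web.config, where IIS Manager stores .NET Authorization Rules under system.web/authorization. The PowerShell below is an added example, not part of the original article or of Insight. The two configuration fragments are constructed samples, and Test-AnonymousAllowed is a hypothetical helper that evaluates only the users attribute (roles, verbs and location elements are ignored).

```powershell
# Constructed sample: rules as described for the non-working application.
$studioConfig = @'
<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>
'@

# Constructed sample: rules as described for the working application.
$adminConfig = @'
<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>
'@

function Test-AnonymousAllowed {
    param([Parameter(Mandatory)][string]$WebConfigXml)

    $doc = [xml]$WebConfigXml
    # Rules are evaluated top to bottom; the first rule that matches decides.
    foreach ($rule in $doc.SelectNodes('/configuration/system.web/authorization/*')) {
        $users = @($rule.GetAttribute('users') -split ',' | ForEach-Object { $_.Trim() })
        # '?' names anonymous users; '*' names all users, anonymous included.
        if ($users -contains '?' -or $users -contains '*') {
            return ($rule.LocalName -eq 'allow')
        }
    }
    # No local rule matched: by default all users are granted access.
    return $true
}

$apps = [ordered]@{ Studio = $studioConfig; Admin = $adminConfig }
foreach ($app in $apps.GetEnumerator()) {
    if (Test-AnonymousAllowed -WebConfigXml $app.Value) {
        "{0}: Anonymous is allowed, so no Windows login prompt is forced" -f $app.Key
    } else {
        "{0}: Anonymous is denied, so Windows authentication is forced" -f $app.Key
    }
}
```

To check a deployed application, pass the text of its web.config, for example `Get-Content -Raw` on that file, in place of the sample strings.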