In the process of debugging an issue with a sample web application, I was forced to learn a bit more about IIS7′s management model, and I found some very valuable information.
The problem: the user my request was running as did not have ACL-level access to the .svc file for that web service.
My old solution: Try random accounts before giving up and just giving access to "Everyone" for the entire web tree. (Yes, bad, but it’s a sample)
My hope: There is a way to find out via logs, console, etc what the actual user is based on the actual failure rather than looking at all security configurations and randomly trying the referenced accounts.
What I found:
Open IIS manager, click at the web site level, and choose "Failed Request Tracing Rules"
On the right, choose "Edit Site Tracing…"
Check "Enable", and note the location of the log files (note, there are implications on production sites. I don’t know what they are. Be warned.)
Now, click "Add…" on the right, and choose your settings:
When you finish, you’ll see something like this:
At this point, you can go to your logs folder and see the XML results of any errors that match your filters:
Opening one of those applies a nice transform (freb.xsl, I assume), and we have our data:
Including my answer:
And lots of other cool information:
And a summary view:
Including some really useful information that I would usually try to get out of Fiddler2 because of the challenge in collecting it in some configurations: