Pass-through authentication not working. IIS 7

active-directory, iis-7, pass-through, windows-authentication

On IIS 7 I set up an application called "XYZ", and an application pool for it.

I set the identity of this application pool to a custom user, let's call it "Mario".

Mario has NTFS access to the folder/files to which XYZ points (remote share).

In the XYZ authentication settings, only Windows Authentication is enabled:

[Screenshot: Authentication Settings]

In the providers for Windows Authentication, only NTLM is active:

Physical path credentials for XYZ are set to application user / pass-through:

So the problem is, when I go to http://server.com/XYZ I get challenged (which is to be expected), but it does not matter what I put in; it looks like the authentication token is not accepted, and the browser challenges me again.

I have looked at logs for Active Directory and the requests are coming through, but even when the user is successfully authenticated the browser challenges again.

HERE'S THE GOAL: to allow directory listing, but to use credentials provided by the user for NTFS access. Right now I can't get that to work. THANK YOU!

Here's the Web.config file:

Best Solution

The trick to getting this to work is to add 'Users' to the permissions. Set up IIS just like you have, with NTLM as the top provider and only Windows Authentication enabled (you can get rid of the section in the web.config, all you need is <authentication mode="Windows" />), and add IIS_IUSRS and Users to the permission set.
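
The IIS side of the setup described in the question and answer, written out as a configuration file. This is an added example, not the poster's Web.config (which survives only as a missing screenshot) and not part of the original answer; the directoryBrowse element is an assumption based on the question's stated goal of allowing directory listing. The NTFS permissions for Users and IIS_IUSRS are set on the content folder itself, not in this file.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: settings for the XYZ application as described on this page. -->
<configuration>
  <system.web>
    <!-- The one element the answer says is needed. -->
    <authentication mode="Windows" />
  </system.web>
  <system.webServer>
    <!-- Assumption: directory listing is wanted, per the question's goal. -->
    <directoryBrowse enabled="true" />
    <security>
      <!--
        The anonymousAuthentication and windowsAuthentication sections are
        locked at server level by default (overrideModeDefault="Deny" in
        applicationHost.config). Unless they have been unlocked, put this
        <authentication> block inside a <location path="..."> element in
        applicationHost.config instead of in the application's web.config,
        otherwise IIS returns a 500.19 configuration error.
      -->
      <authentication>
        <!-- Only Windows Authentication is enabled. -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true">
          <providers>
            <!-- Drop inherited providers so NTLM is the only (top) entry. -->
            <clear />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</configuration>
```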