Re: Logon Window Appears on siblings of authenticated directories

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 03/18/04 

Date: Wed, 17 Mar 2004 20:51:58 -0800

I really cannot reproduce what you are claiming, so I need your help with
some more concise info. Many people have claimed bugs similar to this, but
I've yet to see the issue as a bug in IIS (many have been resolved as user
configuration error).

I tried a root directory that was only anonymous, a vdir that was only
Windows Auth, and a physical directory under root. All were mapping to local
file system (the exact same files, actually) and default ACLs under wwwroot,
and I had no problems navigating between the three URLs, starting from root,
then vdir, and finally physical directory. At no time was I even asked for
authentication when my user identity was recognized on the machine -- which
is what I'm expecting.

Please give:
1. the minimum necessary configuration to reproduce the problem
2. Exact sequence of URL requests that trigger the issue
3. the exact authentication allowed at all relevant URL involved in #2, and
whether the physical directory is UNC or local filesystem
4. the exact NTFS ACLs on all content involved in #2
5. Log file illustrating the HTTP status and Win32 error codes of all the
requests involved in #2
6. Is this in a domain or stand-alone, and is this on the DC or not.

The log file for the sequence that results in unexpected logon dialog box as
well as NTFS ACLs on the content will be helpful info. My suspicion right
now is that:
1. Cold Fusion is somehow involved, as it has vdirs, ISAPI Filter, and ISAPI
Extension installed, all of which can modify server behavior in arbitrary
manners
2. Inconsistent/incorrect ACLs on the files causing 401 to always be
returned, which causes the client to pop up the login dialog box 

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Evan B" <borysko@lis.fsu.edu> wrote in message
news:ac7101c406f6$27bfa8d0$a101280a@phx.gbl...
My Setup goes as follows:
www.mydomain.com - root directory
|-<virtual directory 1>- mapped to a physical drive on this machine
|-<virtual directory 2>- mapped to a physical drive on this machine.
Windows Auth. Integration(no anonymous user) - groups assigned
permissions
|-directory 1- under site root (no authentication needed to browse)
|-directory 2- under site root. Windows Auth. Integration(no anonymous
user)- groups assign read privileges
|-directory 3- under site root (no authentication needed to browse)
|+
  |- admin - restrict directory to provide admin to for a web-based app.
(Windows Auth. Integration used)(no anonymous user).
... etc.
Now when this setup exists I get the unusual logon window no matter want
client or computer I test from.
The one of virtual diectories is apart of Coldfusion integration and
administration. the other is a simple mapping to another location on the C:\
drive.
I decide to test the setup process again, but this time I left out the
virtual
directories. the result was that everything worked fine. Soon as I add the
virtual directories and try to set Windows Auth. Integration and uncheck the
anonymous user logon, the error begins to occur on the other directories.
So my problem still exists, when virtual directories and authentication are
configured the web site. It seems to be related to the presences of virtual
directories with security. I doubled check that the permission where correct
of the virtual directories (IUSR_ could access them.)
This might be a bug?
>-----Original Message-----
>There are a variety of client-side pre-authentication optimizations that
get
>confused when your website does not have uniform authentication.
>
>If you disable anonymous and enable Windows Authentication for the root
>directory such that your entire website is Windows Auth only, this issue
>will probably disappear.  If the issue does disappear, it's a client issue.
>
>If it does not disappear with uniform authentication, then please describe
>more clearly your setup.
>
>I do not understand what you are describing here:
>> - then on one physical directory I remove the anonymous access
property,
>> and then on the two virtual directories. I test test those directories,
>the
>> assigned Groups members are able to access them.
>
>How can you remove anonymous access property on a physical directory.
>
>This is what I understand from your description:
>
>Website
>/ - Anonymous enabled (any other authentication enabled?)
>/vdir1 - Integrated enabled
>/vdir2 - Integrated Enabled
>/sibling - not a vdir, so inheriting settings from /
>
>Request Sequence:
>/
>/vdir1/
>/vdir2/
><Remove anonymous from /vdir2>
>/vdir2/
>/sibling/
><the access to / now requires a login>
>
>-- 
>//David
>IIS
>This posting is provided "AS IS" with no warranties, and confers no rights.
>//
>"Evan B" <borysko@lis.fsu.edu> wrote in message
>news:FB048A3D-D9F8-46E6-B2AE-9670FDB9D5F9@microsoft.com...
>IIS 6 has been giving me some strange behaviors on a website who's root
>directory is enabled for anonymous access and when only some child
>directories are enabled with Windows intergrated authentication.
>
>To test my problem I've recreated the site three times. As follows:
>- created new site
>- add two read-only virtual directories
>- load SSL certificate for the domain
>At this point I test that all the directories are acessible via HTTP and
>HTTPS
>
>- then on one physical directory I remove the anonymous access property,
and
>then on the two virtual directories
>I test test those directories, the assigned Groups members are able to
>access them.
>
>But, now when I return to the other directories on the root, they too are
>requesting authentication. And they are not suppose to be.
>
>I'm not sure what else to do, some please help!
>
>
>.
>