Re: Digest Authentication
From: Kim Lots (nomail_at_forme.com)
Date: 05/09/04
- Next message: PFRERE: "Re: IIS 5 + ASP.NET + SUS 1.0 SP1 = unable to run & debug ASN.NET application"
- Previous message: Thomas Ladu: "Re: Disabled HTTP PUT command since latest windows updates?"
- In reply to: Ken Schaefer: "Re: Digest Authentication"
- Next in thread: Kim Lots: "Re: Digest Authentication"
- Reply: Kim Lots: "Re: Digest Authentication"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 09 May 2004 06:59:50 GMT
Hallo - had to get some sleep before my eyes popped out..
Sorry to say that things are the same. Anonymous visitors to the
website still get the u/p dialog box.
I have been testing back and forth. When I for instance put any other
user/group than IUSR as anonymous user account then It works and no
u/p dialog box is presented? But when I put the IUSR back the dialog
box pops up again asking for credentials?
Here are some other things that might effect.
1 I'm testing the web server from a client on the local network
2 Event ID 36 Source W3SVS
The server failed to load application '/LM/W3SVC/1/Root'.
The error was 'General access denied error
3 Event ID 101 Source W3SVS
The server was unable to add the virtual root '/webconfig' for the
directory 'G:\webconfig' due to the following error: Access is denied.
And I got a red stop sign on this virtual directory.
4 Event ID 10001 Source DCOM
Unable to start a DCOM Server: {99169CB1-A707-11D0-989D-00C04FD919C1}
as ./IWAM_P3. The error:
"Access is denied. "
Happened while starting this command:
C:\WINNT\system32\dllhost.exe
/Processid:{3D14228D-FBE1-11D0-995D-00C04FD919C1}
Any other suggestions highly appreciated - Tia
On Sun, 9 May 2004 01:05:17 +1000, "Ken Schaefer"
<kenREMOVE@THISadOpenStatic.com> wrote:
>Hi,
>
>Seems like either IIS is using the wrong user account -or- IIS doesn't have
>the current password for that account.
>
>Easiest way to fix this might be the following:
>
>a) Open IIS Manager, right-click folder -> security
>b) Edit authentication methods
>c) Where the anonymous user account is, choose "Browse", and locate the
>IUSR_<machinename> account
>d) Make sure "allow IIS to control password" is checked
>e) Click OK to exit out of all the dialogues
>f) restart IIS (just to be certain)
>
>IIS should now pick up the password for the configured anonymous user
>account, and (hopefully) everything will be OK. If not, something more
>serious is wrong.
>
>Cheers
>Ken
>
>"Kim Lots" <nomail@forme.com> wrote in message
>news:hdqp90tso46nr3v8kivcecje97m9ghs1s5@4ax.com...
>: Hi
>:
>: Yes you are right! There is a whole lot of the following
>:
>: Event ID 100
>: Source W3SVC
>: Description
>:
>: The server was unable to logon the Windows NT account 'P3\IUSR_P3' due
>: to the following error: Logon failure: unknown user name or bad
>: password. The data is the error code.
>:
>:
>: Hope you have a solution for this.
>:
>: thanks again
>:
>:
>: On Sat, 8 May 2004 23:47:31 +1000, "Ken Schaefer"
>: <kenREMOVE@THISadOpenStatic.com> wrote:
>:
>: >Please look in the WIndows Event Log (Start -> Settings -> Control
>Panel ->
>: >Admin Tools -> Event Viewer). Do you see any errors? If so, please post
>the
>: >Event ID, Event Source and Description.
>: >
>: >It sounds like IIS is having problems impersonating the IUSR account, and
>: >because it can't do so, it is asking the user to supply alternate valid
>: >credentials.
>: >
>: >a) In IIS, you do not need Script Source or Write permissions unless you
>: >using WebDAV. Enabling these things is a security risk (it allows people
>to
>: >write files to your server, and access the source code of ASP files etc)
>: >
>: >b) the IUSR and IWAM accounts should have NTFS Read (RX) permission only,
>: >not NTFS Write permissions. Easiest thing to do is to just give the
>: >Everyone group Read (RX) permissions.
>: >
>: >Cheers
>: >Ken
>: >
>: >"Kim Lots" <nomail@forme.com> wrote in message
>: >news:aiop90tn8e3cq1mc7nu1j47qr94ggeci6f@4ax.com...
>: >: Hi again!
>: >:
>: >: And thanks for your answer, but I'm nearly giving up and I need your
>: >: help pls..
>: >:
>: >: I know I have messed things up. And to correct the whole thing I have
>: >: read the instructions
>: >: on http://support.microsoft.com/?id=310344 &
>: >: http://support.microsoft.com/?id=301457
>: >: and followed the instructions at
>: >: http://support.microsoft.com/default.aspx?scid=kb;EN-US;271071
>: >:
>: >: But the users still get the ENTER NETWORK PASSWORD dialog box
>: >:
>: >: What is wrong??
>: >:
>: >: Folder properties
>: >:
>: >: Admin full
>: >: Creator Owner full
>: >: Everyone Read & execute
>: >: Internet guest account x\IUSR read write
>: >: Launch IIS process Account x\IWAM Read & execute, list, read
>: >: NETWORK read & execute
>: >: SYSTEM full
>: >:
>: >:
>: >: IIS 5.x console properties for the virtual directory which is an
>: >: application.
>: >:
>: >: Scripts source access
>: >: read
>: >: write
>: >:
>: >: Directory security tab - edit
>: >:
>: >: Anonymous box checked and anonymous user account x\IUSR with some
>: >: password I didn't choose. And basic authen..and integreted windows
>: >: boxes NOT checked. But the Digest authentication for windows domain is
>: >: checked and outgrayed, but this has no importance according to your
>: >: replay
>: >:
>: >: What have I overlooked?
>: >:
>: >: Thanks again
>: >:
>: >:
>: >:
>: >:
>: >:
>: >:
>: >: On Sat, 8 May 2004 20:47:20 +1000, "Ken Schaefer"
>: >: <kenREMOVE@THISadOpenStatic.com> wrote:
>: >:
>: >: >Hi,
>: >: >
>: >: >If you are using a stand alone server that is not part of a Windows
>: >Domain,
>: >: >then you can not use Digest Authentication. Digest Authentication can
>: >only
>: >: >be used for Domain accounts, which requires the server to be part of a
>: >: >Windows Domain.
>: >: >
>: >: >You should not need "Script Source Access", nor Write unless you are
>: >using
>: >: >WebDAV publishing. Otherwise, leaving this on is a security risk.
>: >: >
>: >: >To enable anonymous access, you need to check the "Allow Anonymous
>: >Access"
>: >: >box. THis means IIS impersonates the configured anonymous user
>account.
>: >: >Otherwise, if you turn this off, the user must manually provide user
>: >: >credentials.
>: >: >
>: >: >For writing to databases, it depends on the database. If you are
>talking
>: >: >about an *access* database, or similar file-based database, then
>"yes",
>: >the
>: >: >account being impersonated by IIS (Anonymous User, or otherwise) needs
>: >: >appropriate permissions to the file, and the folder that the file is
>in.
>: >For
>: >: >Access, the account needs Read and Write, and Creator/Owner should
>have
>: >: >"Full Control". There is no requirement that this folder be inside the
>: >: >webroot. It would be safer to store it outside the Webroot.
>: >: >
>: >: >Cheers
>: >: >Ken
>: >: >
>: >: >"Kim Lots" <nomail@forme.com> wrote in message
>: >: >news:obbp905mma9l1qe4g53kbkuff3g4jnb8c6@4ax.com...
>: >: >: Hi
>: >: >:
>: >: >: I'm running IIS 5.x on a stand-alone windows 2000 pro connected to
>the
>: >: >: internet with all the latest security patches installed and using
>Zone
>: >: >: Alarm Pro as firewall. I have no PDC or BDC for that matter.
>: >: >:
>: >: >: When I check the box Integrated Windows authentication in the
>: >: >: authentication window it takes forever to load the asp 3.0 page. But
>: >: >: when I check the box Basic authentication.. instead the asp pages
>: >: >: loads almost immediately. The box Digest Authentication is checked
>but
>: >: >: grayed out and cannot be changed at least not from this window.
>: >: >:
>: >: >: My first question. Am I running an Active Directory Server? As I
>have
>: >: >: read that this has something to do with Digest Authentication. I
>don't
>: >: >: think so but how can I disable it. And is this the reason for the
>lag?
>: >: >:
>: >: >: Here are the NTFS permissions on the folder which is not buy the way
>: >: >: is located under wwwroot but on an other partition
>: >: >:
>: >: >: Admin full
>: >: >: IUSR read & execute & write
>: >: >: IWAM read & execute & write
>: >: >: NETWORK read & execute
>: >: >: SYSTEM full
>: >: >:
>: >: >:
>: >: >: Here are some particulars for the Virtual Directory
>: >: >:
>: >: >: The designated directory
>: >: >:
>: >: >: Scripts source access
>: >: >: read
>: >: >: write
>: >: >:
>: >: >: This is NOT an application but a more secure folder under the root.
>: >: >: Execute permissions Scripts Only
>: >: >:
>: >: >: My second questing is. Why does the users/clients get the login
>: >: >: window? Didn't I give the permissions
>: >: >: for anonymous access to the website with above settings?
>: >: >:
>: >: >: My third second question which might not belong here but I'm trying:
>: >: >: Does asp pages writing to a database always need the write
>permission
>: >: >: on the folder & virtual directory?
>: >: >:
>: >: >: Many thanks for your reply and attention to this matter on
>beforehand.
>: >: >:
>: >: >:
>: >: >:
>: >: >:
>: >: >:
>: >: >
>: >:
>: >
>:
>
- Next message: PFRERE: "Re: IIS 5 + ASP.NET + SUS 1.0 SP1 = unable to run & debug ASN.NET application"
- Previous message: Thomas Ladu: "Re: Disabled HTTP PUT command since latest windows updates?"
- In reply to: Ken Schaefer: "Re: Digest Authentication"
- Next in thread: Kim Lots: "Re: Digest Authentication"
- Reply: Kim Lots: "Re: Digest Authentication"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
