Re: Digest Authentication


From: Kim Lots (nomail_at_forme.com)
Date: 05/09/04


Date: Sun, 09 May 2004 09:35:49 GMT

Hi

I think I solved the problem.

I have worked through the instructions on this page
http://support.microsoft.com/default.aspx?scid=kb;EN-US;271071
again. And missed the fact that I also had to change the registry key
for W3SVC last time.

I want to thank you with all my heart for the time you have
spent on my problem. Without you and your likes there would not
have been any pages on the www :-)
  
Take care. This thread is closed.

Kim

On Sun, 09 May 2004 06:59:50 GMT, Kim Lots <nomail@forme.com> wrote:

>Hallo - had to get some sleep before my eyes popped out..
>
>Sorry to say that things are the same. Anonymous visitors to the
>website still get the u/p dialog box.
>
>I have been testing back and forth. When I for instance put any other
>user/group than IUSR as anonymous user account then it works and no
>u/p dialog box is presented? But when I put the IUSR back the dialog
>box pops up again asking for credentials?
>
>Here are some other things that might affect this.
>
>1 I'm testing the web server from a client on the local network
>
>2 Event ID 36 Source W3SVS
>The server failed to load application '/LM/W3SVC/1/Root'.
>The error was 'General access denied error
>
>3 Event ID 101 Source W3SVS
>The server was unable to add the virtual root '/webconfig' for the
>directory 'G:\webconfig' due to the following error: Access is denied.
>And I got a red stop sign on this virtual directory.
>
>4 Event ID 10001 Source DCOM
>Unable to start a DCOM Server: {99169CB1-A707-11D0-989D-00C04FD919C1}
>as ./IWAM_P3. The error:
>"Access is denied. "
>Happened while starting this command:
>C:\WINNT\system32\dllhost.exe
>/Processid:{3D14228D-FBE1-11D0-995D-00C04FD919C1}
>
>
>Any other suggestions highly appreciated - Tia
>
>
>
>
>On Sun, 9 May 2004 01:05:17 +1000, "Ken Schaefer"
><kenREMOVE@THISadOpenStatic.com> wrote:
>
>>Hi,
>>
>>Seems like either IIS is using the wrong user account -or- IIS doesn't have
>>the current password for that account.
>>
>>Easiest way to fix this might be the following:
>>
>>a) Open IIS Manager, right-click folder -> security
>>b) Edit authentication methods
>>c) Where the anonymous user account is, choose "Browse", and locate the
>>IUSR_<machinename> account
>>d) Make sure "allow IIS to control password" is checked
>>e) Click OK to exit out of all the dialogues
>>f) restart IIS (just to be certain)
>>
>>IIS should now pick up the password for the configured anonymous user
>>account, and (hopefully) everything will be OK. If not, something more
>>serious is wrong.
>>
>>Cheers
>>Ken
>>
>>"Kim Lots" <nomail@forme.com> wrote in message
>>news:hdqp90tso46nr3v8kivcecje97m9ghs1s5@4ax.com...
>>: Hi
>>:
>>: Yes you are right! There is a whole lot of the following
>>:
>>: Event ID 100
>>: Source W3SVC
>>: Description
>>:
>>: The server was unable to logon the Windows NT account 'P3\IUSR_P3' due
>>: to the following error: Logon failure: unknown user name or bad
>>: password. The data is the error code.
>>:
>>:
>>: Hope you have a solution for this.
>>:
>>: thanks again
>>:
>>:
>>: On Sat, 8 May 2004 23:47:31 +1000, "Ken Schaefer"
>>: <kenREMOVE@THISadOpenStatic.com> wrote:
>>:
>>: >Please look in the Windows Event Log (Start -> Settings -> Control Panel ->
>>: >Admin Tools -> Event Viewer). Do you see any errors? If so, please post the
>>: >Event ID, Event Source and Description.
>>: >
>>: >It sounds like IIS is having problems impersonating the IUSR account, and
>>: >because it can't do so, it is asking the user to supply alternate valid
>>: >credentials.
>>: >
>>: >a) In IIS, you do not need Script Source or Write permissions unless you
>>: >are using WebDAV. Enabling these things is a security risk (it allows people to
>>: >write files to your server, and access the source code of ASP files etc)
>>: >
>>: >b) the IUSR and IWAM accounts should have NTFS Read (RX) permission only,
>>: >not NTFS Write permissions. Easiest thing to do is to just give the
>>: >Everyone group Read (RX) permissions.
>>: >
>>: >Cheers
>>: >Ken
>>: >
>>: >"Kim Lots" <nomail@forme.com> wrote in message
>>: >news:aiop90tn8e3cq1mc7nu1j47qr94ggeci6f@4ax.com...
>>: >: Hi again!
>>: >:
>>: >: And thanks for your answer, but I'm nearly giving up and I need your
>>: >: help pls..
>>: >:
>>: >: I know I have messed things up. And to correct the whole thing I have
>>: >: read the instructions
>>: >: on http://support.microsoft.com/?id=310344 &
>>: >: http://support.microsoft.com/?id=301457
>>: >: and followed the instructions at
>>: >: http://support.microsoft.com/default.aspx?scid=kb;EN-US;271071
>>: >:
>>: >: But the users still get the ENTER NETWORK PASSWORD dialog box
>>: >:
>>: >: What is wrong??
>>: >:
>>: >: Folder properties
>>: >:
>>: >: Admin full
>>: >: Creator Owner full
>>: >: Everyone Read & execute
>>: >: Internet guest account x\IUSR read write
>>: >: Launch IIS process Account x\IWAM Read & execute, list, read
>>: >: NETWORK read & execute
>>: >: SYSTEM full
>>: >:
>>: >:
>>: >: IIS 5.x console properties for the virtual directory which is an
>>: >: application.
>>: >:
>>: >: Scripts source access
>>: >: read
>>: >: write
>>: >:
>>: >: Directory security tab - edit
>>: >:
>>: >: Anonymous box checked and anonymous user account x\IUSR with some
>>: >: password I didn't choose. And basic authen.. and integrated windows
>>: >: boxes NOT checked. But the Digest authentication for windows domain is
>>: >: checked and grayed out, but this has no importance according to your
>>: >: reply
>>: >:
>>: >: What have I overlooked?
>>: >:
>>: >: Thanks again
>>: >:
>>: >:
>>: >:
>>: >:
>>: >:
>>: >:
>>: >: On Sat, 8 May 2004 20:47:20 +1000, "Ken Schaefer"
>>: >: <kenREMOVE@THISadOpenStatic.com> wrote:
>>: >:
>>: >: >Hi,
>>: >: >
>>: >: >If you are using a stand alone server that is not part of a Windows Domain,
>>: >: >then you can not use Digest Authentication. Digest Authentication can only
>>: >: >be used for Domain accounts, which requires the server to be part of a
>>: >: >Windows Domain.
>>: >: >
>>: >: >You should not need "Script Source Access", nor Write unless you are using
>>: >: >WebDAV publishing. Otherwise, leaving this on is a security risk.
>>: >: >
>>: >: >To enable anonymous access, you need to check the "Allow Anonymous Access"
>>: >: >box. This means IIS impersonates the configured anonymous user account.
>>: >: >Otherwise, if you turn this off, the user must manually provide user
>>: >: >credentials.
>>: >: >
>>: >: >For writing to databases, it depends on the database. If you are talking
>>: >: >about an *access* database, or similar file-based database, then "yes", the
>>: >: >account being impersonated by IIS (Anonymous User, or otherwise) needs
>>: >: >appropriate permissions to the file, and the folder that the file is in. For
>>: >: >Access, the account needs Read and Write, and Creator/Owner should have
>>: >: >"Full Control". There is no requirement that this folder be inside the
>>: >: >webroot. It would be safer to store it outside the Webroot.
>>: >: >
>>: >: >Cheers
>>: >: >Ken
>>: >: >
>>: >: >"Kim Lots" <nomail@forme.com> wrote in message
>>: >: >news:obbp905mma9l1qe4g53kbkuff3g4jnb8c6@4ax.com...
>>: >: >: Hi
>>: >: >:
>>: >: >: I'm running IIS 5.x on a stand-alone windows 2000 pro connected to the
>>: >: >: internet with all the latest security patches installed and using Zone
>>: >: >: Alarm Pro as firewall. I have no PDC or BDC for that matter.
>>: >: >:
>>: >: >: When I check the box Integrated Windows authentication in the
>>: >: >: authentication window it takes forever to load the asp 3.0 page. But
>>: >: >: when I check the box Basic authentication.. instead the asp pages
>>: >: >: load almost immediately. The box Digest Authentication is checked but
>>: >: >: grayed out and cannot be changed at least not from this window.
>>: >: >:
>>: >: >: My first question. Am I running an Active Directory Server? As I have
>>: >: >: read that this has something to do with Digest Authentication. I don't
>>: >: >: think so but how can I disable it. And is this the reason for the lag?
>>: >: >:
>>: >: >: Here are the NTFS permissions on the folder which by the way is not
>>: >: >: located under wwwroot but on another partition
>>: >: >:
>>: >: >: Admin full
>>: >: >: IUSR read & execute & write
>>: >: >: IWAM read & execute & write
>>: >: >: NETWORK read & execute
>>: >: >: SYSTEM full
>>: >: >:
>>: >: >:
>>: >: >: Here are some particulars for the Virtual Directory
>>: >: >:
>>: >: >: The designated directory
>>: >: >:
>>: >: >: Scripts source access
>>: >: >: read
>>: >: >: write
>>: >: >:
>>: >: >: This is NOT an application but a more secure folder under the root.
>>: >: >: Execute permissions Scripts Only
>>: >: >:
>>: >: >: My second question is. Why do the users/clients get the login
>>: >: >: window? Didn't I give the permissions
>>: >: >: for anonymous access to the website with above settings?
>>: >: >:
>>: >: >: My third question which might not belong here but I'm trying:
>>: >: >: Do asp pages writing to a database always need the write permission
>>: >: >: on the folder & virtual directory?
>>: >: >:
>>: >: >: Many thanks for your reply and attention to this matter beforehand.
>>: >: >:
>>: >: >:
>>: >: >:
>>: >: >:
>>: >: >:
>>: >: >
>>: >:
>>: >
>>:
>>
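
Added example (not part of the thread or of any poster's message): a Python check that applies the permission advice from the replies above (IUSR/IWAM limited to NTFS Read, no Script Source Access or Write on the virtual directory unless WebDAV is used) to the settings listed in the first post. The input is retyped from that post as constructed sample data; the function names and the `uses_webdav` parameter are assumptions of this example, and the file-based-database exception mentioned in the thread is not modelled.

```python
import re

# Constructed input: the NTFS ACL and virtual-directory flags as listed in the
# first post of the thread (account names shortened as the poster wrote them).
ACL_TEXT = """\
Admin full
IUSR read & execute & write
IWAM read & execute & write
NETWORK read & execute
SYSTEM full
"""
VDIR_FLAGS = {"script source access", "read", "write"}

# Accounts IIS uses for anonymous requests; per the advice in the thread they
# should hold NTFS Read (RX) only.
WEB_ACCOUNTS = ("IUSR", "IWAM")


def parse_acl(text):
    """Return {principal: set(rights)} from 'Principal right & right' lines."""
    acl = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+(.+)", line)
        if not m:
            continue  # skip blank or unparseable lines
        rights = {r.strip().lower() for r in re.split(r"[&,]", m.group(2)) if r.strip()}
        acl[m.group(1)] = rights
    return acl


def audit(acl, vdir_flags, uses_webdav=False):
    """List settings that contradict the thread's least-privilege advice."""
    findings = []
    for principal, rights in acl.items():
        if principal.upper().startswith(WEB_ACCOUNTS) and rights & {"write", "full"}:
            findings.append(f"NTFS: {principal} has write access; reduce to Read (RX)")
    if not uses_webdav:
        for flag in ("script source access", "write"):
            if flag in vdir_flags:
                findings.append(f"IIS: '{flag}' enabled without WebDAV; disable it")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_acl(ACL_TEXT), VDIR_FLAGS):
        print(finding)
```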


