IIS 6 and ACL entries

From: Tim Berk (TimBerk_at_discussions.microsoft.com)
Date: 03/17/05


Date: Thu, 17 Mar 2005 12:51:04 -0800

Hello all,

I am having a problem with IIS 6 and ACLs. I have a WebDAV folder set up
with Windows integrated and digest authentication. I am trying to tighten
down the security so that only a few users can access this folder. I have 2
user accounts which are able to access the folder with the correct level of
permission. I have some other user accounts with the exact same permissions
(I have checked and rechecked this repeatedly) and group membership and they
are unable to access this folder. They receive an "HTTP Error 401.3 -
Unauthorized: Access is denied due to an ACL set on the requested resource",
which is not the case. I can actually copy one of the working user accounts
and it won't access the folder. The content is hosted on a remote file
server. I have the delegation of credentials set properly. I have enabled
auditing on the file server where the folder resides and the audit log shows
entries when the working user accounts are used, but nothing when one of the
non-working user accounts is used. No success, no Failure, no anything, as if
the request never made it to the file server. In the security log of the
domain controller, both the "good_user" and the "bad_user" are recording
successful account log on events, so it is not an authentication issue. In
the web server log, all the requests are logged with some differences. A
successful request looks something like this:

2005-03-17 00:28:42 xxx.xxx.xx.xxx GET /windyriver/ - 80 DOMAIN\good_user xxx.xxx.xx.xxx Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 200 0 0

An unsuccessful request looks something like this:

2005-03-17 02:06:15 xxx.xxx.xx.xxx GET /windyriver - 80 DOMAIN\bad_user xxx.xxx.xx.xxx Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) 401 3 5

The difference seems to be the trailing slash '/' after the GET request, but
I am not sure what to make of that. I have tried this from outside the
firewall, inside from the LAN and from the console of the web server (by
right-clicking the virtual directory and selecting "browse") and I get the
same results every time. My question is why is the web server not using the
entries from the ACL consistently? Why is there no entry for a failed request
in the audit log of the file server? What am I missing here?

Thanks in advance!

tb
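
Added example, not part of the original post: a short Python parser for the two log entries quoted above that decodes the last three fields (sc-status, sc-substatus, sc-win32-status) and lines the two accounts up on the same URL, ignoring the trailing slash. The field order is assumed to be the IIS 6 default W3C selection, which matches the entries as posted; the function names are illustrative.

```python
from collections import defaultdict

# Assumed field order (IIS 6 default W3C selection, matching the entries in the
# post); a "#Fields:" header line in a real log overrides it.
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status").split()

SUBSTATUS_401 = {  # IIS 401.x substatus meanings
    1: "logon failed",
    2: "logon failed due to server configuration",
    3: "denied by ACL on the resource",
    4: "authorization failed by filter",
    5: "authorization failed by ISAPI/CGI application",
}
WIN32 = {0: "ERROR_SUCCESS", 5: "ERROR_ACCESS_DENIED"}

# Constructed sample: the post's two entries, each rejoined onto one line.
SAMPLE_LOG = "#Fields: " + " ".join(FIELDS) + "\n" + r"""2005-03-17 00:28:42 xxx.xxx.xx.xxx GET /windyriver/ - 80 DOMAIN\good_user xxx.xxx.xx.xxx Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 200 0 0
2005-03-17 02:06:15 xxx.xxx.xx.xxx GET /windyriver - 80 DOMAIN\bad_user xxx.xxx.xx.xxx Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) 401 3 5"""

def parse(text):
    """Return one dict per request line, keyed by W3C field name."""
    fields, rows = FIELDS, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()  # IIS writes '+' for spaces inside a field
            if len(parts) == len(fields):  # skip truncated or malformed lines
                rows.append(dict(zip(fields, parts)))
    return rows

def describe(row):
    """Decode status.substatus and the Win32 error for one request."""
    status, sub, win32 = (int(row[k]) for k in ("sc-status", "sc-substatus", "sc-win32-status"))
    reason = SUBSTATUS_401.get(sub, "unknown substatus") if status == 401 else ""
    return f"{status}.{sub}", reason, WIN32.get(win32, f"win32 error {win32}")

def outcomes_by_resource(rows):
    """Group results per URL (trailing slash ignored) so accounts can be compared."""
    table = defaultdict(dict)
    for row in rows:
        resource = row["cs-uri-stem"].rstrip("/") or "/"
        table[resource][row["cs-username"]] = describe(row)
    return dict(table)

if __name__ == "__main__":
    for resource, users in outcomes_by_resource(parse(SAMPLE_LOG)).items():
        for user, (code, reason, win32) in users.items():
            print(resource, user, code, reason, win32)
```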


