Re: IIS 6 and ACL entries

From: Bernard (qbernard_at_hotmail.com.discuss)
Date: 03/18/05


Date: Fri, 18 Mar 2005 10:47:37 +0800

Mmm.. not too sure. I would suggest you get filemon (sysinternals.com) and
trace the access error.

-- 
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Tim Berk" <TimBerk@discussions.microsoft.com> wrote in message 
news:90E83201-5052-4DC4-AF46-A715350BEF71@microsoft.com...
> Hello all,
>
> I am having a problem with IIS 6 and ACLs. I have a WebDAV folder setup
> with windows integrated and digest authentication. I am trying to tighten
> down the security so that only a few users can access this folder. I have
> 2 user accounts which are able to access the folder with the correct level
> of permission. I have some other user accounts with the exact same
> permissions (I have checked and rechecked this repeatedly) and group
> membership and they are unable to access this folder. They receive a
> "HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on
> the requested resource", which is not the case. I can actually copy one of
> the working user accounts and it won't access the folder. The content is
> hosted on a remote file server. I have the delegation of credentials set
> properly. I have enabled auditing on the file server where the folder
> resides and the audit log shows entries when the working user accounts are
> used, but nothing when one of the non-working user accounts is used. No
> success, no Failure, no anything, as if the request never made it to the
> file server. In the security log of the domain controller, both the
> "good_user" and the "bad_user" are recording successful account log on
> events, so it is not an authentication issue. In the web server log, all
> the requests are logged with some differences. A successful request looks
> something like this:
>
> 2005-03-17 00:28:42 xxx.xxx.xx.xxx GET /windyriver/ - 80 DOMAIN\good_user xxx.xxx.xx.xxx Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 200 0 0
>
> An unsuccessful request looks something like this:
>
> 2005-03-17 02:06:15 xxx.xxx.xx.xxx GET /windyriver - 80 DOMAIN\bad_user xxx.xxx.xx.xxx Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) 401 3 5
>
> The difference seems to be the trailing slash '/' after the GET request,
> but I am not sure what to make of that. I have tried this from outside the
> firewall, inside from the LAN and from the console of the web server (by
> right-clicking the virtual directory and selecting "browse") and I get the
> same results every time. My question is why is the web server not using
> the entries from the ACL consistently? Why is there no entry for a failed
> request in the audit log of the file server? What am I missing here?
>
> Thanks in advance!
>
> tb
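
An added example, not part of the original thread: a Python script that parses IIS W3C log lines like the two quoted above and picks out the requests answered with 401.3 and Win32 status 5 (access denied), grouped by user and URI. The `#Fields` header and the joined sample lines are constructed, and the field order is assumed to be the IIS 6 default, which matches the quoted entries.

```python
from collections import defaultdict

# Constructed sample: the two requests quoted in the post, each joined onto one
# line, under an assumed #Fields header (IIS 6 default W3C field order).
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-03-17 00:28:42 xxx.xxx.xx.xxx GET /windyriver/ - 80 DOMAIN\good_user xxx.xxx.xx.xxx Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 200 0 0
2005-03-17 02:06:15 xxx.xxx.xx.xxx GET /windyriver - 80 DOMAIN\bad_user xxx.xxx.xx.xxx Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) 401 3 5
"""

WIN32_ACCESS_DENIED = 5  # ERROR_ACCESS_DENIED


def parse_w3c(text):
    """Yield one dict per request, keyed by the names on the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may change mid-file
        elif line and not line.startswith("#"):
            values = line.split()              # spaces in values are logged as '+'
            if len(values) == len(fields):     # skip truncated or corrupt lines
                yield dict(zip(fields, values))


def acl_denials(text):
    """Return ({(user, uri): count} for 401.3 / win32 5, set of users with a success)."""
    denied = defaultdict(int)
    allowed = set()
    for r in parse_w3c(text):
        status = (int(r["sc-status"]), int(r["sc-substatus"]),
                  int(r["sc-win32-status"]))
        if status == (401, 3, WIN32_ACCESS_DENIED):
            denied[(r["cs-username"], r["cs-uri-stem"])] += 1
        elif status[0] < 400:
            allowed.add(r["cs-username"])
    return dict(denied), allowed


if __name__ == "__main__":
    denied, allowed = acl_denials(SAMPLE_LOG)
    for (user, uri), count in sorted(denied.items()):
        note = "also succeeds elsewhere" if user in allowed else "never succeeds"
        print(f"{user} {uri}: {count} x 401.3 win32=5 ({note})")
```
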

