Re: IIS on Domain Controller = Authorization Problem

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 03/25/05


Date: Fri, 25 Mar 2005 01:32:50 -0800

If you get 401.3, it means that IIS successfully authenticated with some
account, but that account lacks NTFS permissions on the requested resource.

FYI: A common misconception is that enabling "Anonymous authentication" should
prevent "Access Denied" from ever showing up. It is clearly incorrect. All
Anonymous authentication means is that IIS will use a configurable user
identity to access resources for all requests, no authentication required.
Thus, it is still possible to set NTFS ACLs to deny this configurable user
identity access to resources, which results in 401.3 for anonymous access.

I believe you are in that state right now. Make sure you have no other
authentication enabled, other than anonymous (so you are certain the
configured anonymous user is used). Then, make sure that this configured
user actually has NTFS ACLs on the resources being accessed.

Reinstalling IIS can cause the user account to be re-created (but with a
different SID), so ACLs may be incorrect.

Also, IIS6 really was not designed to run on a domain controller (too many
critical breaking changes from a DC, including the process of DCPROMO simply
does not work well with uninstall/re-installing IIS6). Most
install/uninstall scenarios simply do not work by default due to wrong
ACLs -- this scenario simply was not planned for until the very end, so we
really could not spend the time to make it work. It may be that it is not
possible to get IIS6 working again on your machine. You really should not
uninstall/reinstall IIS6 lightly, especially on a DC if you know that
ACL/security rules are different and some simply break IIS6.

-- 
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
<anonymous@discussions.microsoft.com> wrote in message
news:115001c53116$1798f970$a401280a@phx.gbl...
I have checked all of the permissions on the URL but it
didn't help...
>-----Original Message-----
>"Hakan Ozcan" <anonymous@discussions.microsoft.com> wrote in message
>news:181501c5310b$a5f957b0$a601280a@phx.gbl...
>> We have only one domain controller (Win Server 2003 Ent.
>> Ed.) in our network and we also have installed IIS 6.0 on
>> it. It was working well till we made some changes that
>> caused us to uninstall and reinstall IIS. After that the
>> problem occurred: there was no access to our web server.
>> The current settings about permission are the default
>> settings which come when you first install IIS. Let me tell
>> you what happens when we try to access our webserver from
>> Internet Explorer: The secondary logon screen comes asking
>> for a user name and pass. When I enter the admin user and
>> pass and try for 3 times this message comes "HTTP Error
>> 401.3 - Unauthorized: Access is denied due to an ACL set
>> on the requested resource." That's not the case because the
>> server is open to anonymous access.
>
>That's possibly because the ACL on your NTFS does not allow IIS.
>you need to fix your webfolders first...
>http://support.microsoft.com/?id=812614
>
>> I guess there is sth about the server being also a DC.
>> Maybe it is about Group Policies but I couldn't manage to
>> find a solution. Please help me. I hope I could clearly
>> define the problem.
>
>.
>
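
Added example, not part of the original thread: a Python check for the state described in the reply above, where a reinstall re-creates the anonymous account with a new SID and the old ACE is left behind as an unresolved SID, so anonymous requests get 401.3. The `icacls` output, the `C:\Inetpub\wwwroot` path, and the `EXAMPLE\IUSR_DC01` account name are constructed assumptions; only explicit ACEs with the simple rights F, M, RX and R are evaluated.

```python
import re

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")           # raw SID = account no longer resolves
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(\([^)]*\))+)$")
READ_RIGHTS = {"F", "M", "RX", "R"}                 # simple icacls rights that include read

# Constructed icacls output: the ACE left behind by the old anonymous account
# shows up as an unresolved SID, and the re-created account has no ACE at all.
SAMPLE_BROKEN = r"""C:\Inetpub\wwwroot NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                   BUILTIN\Administrators:(OI)(CI)(F)
                   S-1-5-21-1111111111-2222222222-3333333333-1105:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
# Same ACL after the read ACE is granted to the (assumed) current anonymous account.
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    "S-1-5-21-1111111111-2222222222-3333333333-1105", r"EXAMPLE\IUSR_DC01")


def parse_icacls(text, path):
    """Return the ACEs icacls printed for `path` as a list of dicts."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(path):                   # first ACE shares a line with the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                                # blank line or summary line
        tokens = re.findall(r"\(([^)]*)\)", m["flags"])
        aces.append({"who": m["who"], "deny": "DENY" in tokens,
                     "inherit_only": "IO" in tokens,
                     "rights": set(tokens[-1].split(","))})
    return aces


def diagnose(aces, anon_user, groups=()):
    """Check explicit ACEs for the anonymous user (and any groups the caller lists)."""
    names = {anon_user.lower(), *(g.lower() for g in groups)}
    mine = [a for a in aces
            if a["who"].lower() in names and not a["inherit_only"]]
    allow = any(not a["deny"] and a["rights"] & READ_RIGHTS for a in mine)
    deny = any(a["deny"] and a["rights"] & READ_RIGHTS for a in mine)
    return {"anon_can_read": allow and not deny,
            "orphaned_sids": [a["who"] for a in aces if SID_RE.match(a["who"])]}


if __name__ == "__main__":
    for label, text in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        aces = parse_icacls(text, r"C:\Inetpub\wwwroot")
        print(label, diagnose(aces, r"EXAMPLE\IUSR_DC01"))
```

Group memberships are not resolved here; pass any groups the anonymous account belongs to in `groups` so their ACEs are counted as well.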

