Re: IIS on Domain Controller = Authorization Problem

Tech-Archive recommends: Speed Up your PC by fixing your registry

anonymous_at_discussions.microsoft.com
Date: 03/25/05 

Date: Fri, 25 Mar 2005 02:07:07 -0800

Thanks Mr. Wang,
The problem is solved. Your messeges was very helpful. It
was the SIDs. After I removed and added the
IUSR_MachineName user to the ACLs I could enter the site.
Thank you very much...

>-----Original Message-----
>If you get 401.3, it means that IIS successfully
authenticated with some
>account, but that account lacks NTFS permissions on the
requested resource.
>
>FYI: A common misconception that enabling "Anonymous
authentication" should
>prevent "Access Denied" from ever showing up. It is
clearly incorrect. All
>Anonymous authentication means is that IIS will use a
configurable user
>identity to access resources for all requests, no
authentication required.
>Thus, it is still possible to set NTFS ACLs to deny this
configurable user
>identity access to resources, which results in 401.3 for
anonymous access.
>
>I believe you are in that state right now. Make sure you
have no other
>authentication enabled, other than anonymous (so you are
certain the
>configured anonymous user is used). Then, make sure that
this configured
>user actually has NTFS ACLs on the resources being
accessed.
>
>Reinstalling IIS can cause the user account to be re-
created (but with a
>different SID), so ACLs may be incorrect.
>
>Also, IIS6 really was not desigend to run on a domain
controller (too many
>critical breaking changes from a DC, including the
process of DCPROMO simply
>does not work well with uninstall/re-installing IIS6).
Most
>install/uninstall scenarios simply do not work by default
due to wrong
>ACLs -- this scenario simply was not planned for until
the very end, so we
>really could not spend the time to make it work. It may
be that it is not
>possible to get IIS6 working again on your machine. You
really should not
>uninstall/reinstall IIS6 lightly, especially on a DC if
you know that
>ACL/security rules are different and some simply break
IIS6.
>
>--
>//David
>IIS
>http://blogs.msdn.com/David.Wang
>This posting is provided "AS IS" with no warranties, and
confers no rights.
>//
><anonymous@discussions.microsoft.com> wrote in message
>news:115001c53116$1798f970$a401280a@phx.gbl...
>I have checked all of the permissions on the URL but it
>didn't help...
>
>>-----Original Message-----
>>"Hakan Ozcan" <anonymous@discussions.microsoft.com> wrote
>in message
>>news:181501c5310b$a5f957b0$a601280a@phx.gbl...
>>> We have only one domain controller (Win Server 2003
Ent.
>>> Ed.) in our network and we also have installed IIS 6.0
>on
>>> it. It was working well till we made some changes that
>>> caused us to uninstall and reinstall IIS. After that
the
>>> problem occured: there were no access to our web
server.
>>> The current settings about permission are the default
>>> settings which come when you fist install IIS. Let me
>tell
>>> you what happens when we try to access our webserver
>from
>>> Internet Explorer: The secondary logon screen comes
>asking
>>> for a user name and pass. When i enter the admin user
>and
>>> pass and try for 3 times this message comes "HTTP Error
>>> 401.3 - Unauthorized: Access is denied due to an ACL
set
>>> on the requested resource." That's not the case becuse
>the
>>> sertver is open to anonymous access.
>>
>>That's possibly because the ACL on your NTFS does not
>allow IIS.
>>you need to fix your webfolders first...
>>http://support.microsoft.com/?id=812614
>>
>>> I guess there is sth about the server being also a DC.
>>> Maybe it is about Group Policies but I couldn't manage
>to
>>> find a solution. Please help me. I hope I could clearly
>>> define the problem.
>>
>>.
>>
>
>
>.
>

Relevant Pages

  • Re: Script access - IIS 6
    ... ACLs from those default web directories. ... The Resource (like the script itself) and the ScriptMap Engine (and ... is IUSR) for anonymous and the logged in user for any other authentication ... I have reset the ACL to allow anonymous access and everything works. ...
    (microsoft.public.inetserver.iis.security)
  • Re: IIS integrated window authentication allows anybody
    ... I presume that your web-accessible resources are located on NTFS filesystem ... to enforce ACLs; requiring authentication for resources located on FAT32 is ... Disabling Anonymous and enabling Integrated authentication should work to ...
    (microsoft.public.inetserver.iis.security)
  • Re: Script access - IIS 6
    ... I am confused by your use of ScriptMap and ScriptMap Engine. ... > ACLs from those default web directories. ... > associated resources) must be accessible to the remote authenticated user ... >> I have used Basic and Windows Integrated Authentication. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Script access - IIS 6
    ... > ACLs from those default web directories. ... > I have reset the ACL to allow anonymous access and everything works. ... >> I have used Basic and Windows Integrated Authentication. ... >> ScriptEngine. ...
    (microsoft.public.inetserver.iis.security)
  • Use of ACLs possible with Forms authentication against AD?
    ... My current scenario is users logging in to our website and being directed to ... I'd like to have a nicer login UI using Forms authentication against the AD, ... but would still like to use ACLs to control resource access. ... still take advantage of ACLs for resource authorization? ...
    (microsoft.public.dotnet.framework.aspnet)