Re: Permission Problems SBS2003 R1



Hello John,

Thank you for posting here.

From your post, I understand that the default website on the SBS server
cannot be accessed from external clients. Error 401.3 was received. In
addition, OWA does not work and the phone cannot sync with the default
website.

We cannot guarantee these three problems are associated. Thus we may need
to troubleshoot them one by one in order to avoid confusion. First, let's
focus on the first issue.

I noticed you mentioned that you modified the websites' permissions when
using Expression Web. Please let me know whether you mean the default
website on the SBS server.

You said when visiting hpg4.jiangelo.net, it prompted for user name and
password. If you type the correct user name and password, what is the
result?

Since you have confirmed that anonymous access is enabled for the default web
site, the issue can be caused by the password for IUSR not being
synchronized.

Let's try the following steps to see if they help:

Step 1: Resetting the passwords for the IUSR and the IWAM accounts
==========================================
1. Click "Start", point to "Administrative Tools", and then click "Active
Directory Users and Computers".
2. Under the full domain name click "Users".
3. Right-click "IUSR_ComputerName", and then click "Reset Password".

4. Type the password in the "New password" box and in the "Confirm
password" box, and then click "OK".
5. Right-click "IWAM_ComputerName", and then click "Reset Password".
6. Type the password in the "New password" box and in the "Confirm
password" box, and then click "OK".

7. Quit Active Directory Users and Computers console.
8. Click "Start", and then click "Run".
9. In the "Open" box, type "cmd" (without the quotation marks) and then
click "OK".

10. Type the following command and press ENTER:

cd \inetpub\adminscripts

11. To reset the password for the IUSR_ComputerName account, type the
following command (where <password> is the password that you set in step
4), and then press ENTER:

cscript.exe adsutil.vbs set w3svc/anonymoususerpass <password>

12. To reset the password for the IWAM_ComputerName account, type the
following command (where <password> is the password that you set in step
6), and then press ENTER:

cscript.exe adsutil.vbs set w3svc/wamuserpass <password>

13. After this, type iisreset and press ENTER. Then check if the web sites
work fine.

More information for your reference:

PRB: Configured Identity Is Incorrect for IWAM Account
http://support.microsoft.com/?id=297989

Step 2: Refer to following article to check the permission settings:
========================================
Default permissions and user rights for IIS 6.0
http://support.microsoft.com/kb/812614

NOTE: If some accounts are not listed in the article but are in the
permission lists, please leave them alone.

In addition, please ensure following accounts are granted appropriate
permissions for Inetpub\wwwroot folder:

INTERACTIVE: List Folder Contents, Read(Apply to files only)
NETWORK: List Folder Contents, Read(Apply to files only)
NETWORK SERVICE: List Folder Contents, Read(Apply to files only)
Users: Read & Execute, List Folder Contents, Read

Step 3: Please check the permissions in IIS manager:
=================================
Right click default web site in IIS manager and click permissions.

Please ensure the permission settings are the same as those of wwwroot.

Step 4: Re-running CEICW on SBS server:
===========================
1. On the SBS 2003 Server open the Server Management console. Go to
Standard Management\To Do List.

2. Click the "Connect to the Internet" link.

3. Choose not to change the connection type and click Next. On the Firewall
page, select "Enable firewall" and click Next (I suppose you have 2 network
adapters in SBS 2003 and if you only have 1 network adapter you will not
see the page and you can go to step 6).

4. On the "Services Configuration" page, select all the items and then
click Next.

5. On the "Web Services Configuration" page, make sure "Allow access to the
entire Web site from the Internet" is selected. If you select "Allow access
to only the following Web site services from the Internet", make sure both
the "Outlook Web Access" and "Remote Web Workplace" items are selected.
Click Next.

6. On the "Web Server Certificate" page, choose to create a new Web server
certificate and then type the public FQDN that you will use to access OWA
(for example, if your public FQDN that you use to access the sites is
mail.domain.com, you should type mail.domain.com as the new certificate
name). If you already requested a certificate with the name
"mail.domain.com" from a third party CA, you can choose "Use a Web server
certificate from a trusted authority" and then import the certificate.

7. Go through the remaining steps. The wizard will automatically configure
the SBS 2003 Basic Firewall to securely publish the two sites.

8. If you have a router or hardware firewall, configure it to forward
inbound traffic on TCP port 80, 443 and 4125 to the SBS server's external
address.

9. Then check if you can access OWA and RWW using
https://mail.domain.com/exchange and https://mail.domain.com/remote.

Step 5: Check group policy setting
====================
1. Start "gpedit.msc"
2. Expand Default Domain policy -> Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment
3. Give the NETWORK SERVICE account the "Impersonate a client after
Authentication" right.

I hope the above information is helpful to you. However, if the issue
persists, please help me gather following information:

1. Please help me gather the IIS log and Metabase for further analysis, and
send them to me at v-mzhuan@xxxxxxxxxxxxx with the subject in the newsgroup:

1). Install MBExplorer by installing IIS 6 Resource Kit Tools:
http://www.microsoft.com/downloads/details.aspx?FamilyId=56FC92EE-A71A-4C73-B628-ADE629C89499&displaylang=en
2). Once it is installed, access it from Start, Programs, IIS Resources,
Metabase Explorer.
3). In the left pane, right click ''LM'' (under your server computer name)
to choose ''Export to file'', and then save it as IIS.mbk.
4). Compress this mbk file and send it to me for analysis. Please let me
know the password if you set one on this IIS mbk file.

Please collect the IIS log on SBS Server so that I can perform further
research:

1). On the Server, open IIS MMC, right click Default Web Site and then
click Properties.
2). Click Website tab and then check Enable logging.
3). Stop the Default Website and RENAME the existing IIS log files under
C:\WINDOWS\system32\LogFiles\W3SVC1.
4). Restart the Default Website and reproduce the problem, which will
generate new IIS log file with the exact error.
5). Wait for a while so that IIS Log can be synced. And then go to the
following folder on Exchange Server: C:\WINDOWS\system32\LogFiles\W3SVC1.
6). Send me the log files to my working email address
v-mzhuan@xxxxxxxxxxxxxx And please let me know the alias of the user who
encountered the issue.

2. Please download the MPS Report tool from the following link and run it
on both the client workstation and the SBS server, then send the generated
CAB file to my mailbox v-mzhuan@xxxxxxxxxxxxx for further investigation so
that we can find what the root cause is:

http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_NETWORK.EXE

For your information:
http://www.microsoft.com/downloads/details.aspx?FamilyId=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en

Please try the above steps at your earliest convenience. If you have any
concern, please feel free to let me know.

Best regards,

Manfred Zhuang(MSFT)
Microsoft Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: JiAngelo <JiAngelo.2w7rrd@xxxxxxxxxxxxx>
| Subject: Re: Permission Problems SBS2003 R1
| Date: Sat, 1 Sep 2007 09:34:21 +0530
| Message-ID: <JiAngelo.2w7rrd@xxxxxxxxxxxxx>
| Organization: Computer Help - http://forums.techarena.in
| User-Agent: vBulletin USENET gateway
| X-Newsreader: vBulletin USENET gateway
| X-Originating-IP: 65.186.219.168
| References: <JiAngelo.2w6x7g@xxxxxxxxxxxxx>
<u2B$BNA7HHA.5752@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: hostname.techarena.in 207.58.143.175
| Lines: 1
| Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:60159
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
|
Sorry,
|
| There is only 1 SBS server (HPG4) hosting both public websites.
|
| The primary error is the HTTP Error 401.3 that appears when accessing
hpg4.jiangelo.net (at the Username/Password box simply hit escape to
view) ---This box isn't supposed to popup at this public address. The
error should go away once the Server quits trying to authenticate every
public website users (it is like anonymous access is no longer working,
but everything is checked.) There are no other event log errors that
seem relevant.
|
| My computer is attached to an SBS server/domain and Outlook works fine.
Outlook uses both Exchange Email and 4-5 pop accounts --all are working
fine. (I can send/receive from each account with no problem.) But OWA
is no longer working and my cell phone is no longer syncing --my office
emails, phone msg and faxes are normally forwarded to the phone so I
can see/hear them via the browser --versus using my cell to call in to
the office.
|
| Server is attached to router - to DSL Modem/Firewall - to Internet.
Everything here's working fine (or I wouldn't be able to post.)
|
| I've posted the ipconfig files from myserver & mycomputer, but they are
the same as they've been for the last few years. You may notice the
subnet mask is 255.255.0.0 on mycomputer, and 255.255.255.0 on
mycomputer, but that has been that way with no problems for 2 years.
(Our pool of addresses is 172.16.1.1 - 172.16.2.255 ), but with SBS2003
there is no longer anything below 172.16.2.1 except some old network
printers we still use occasionally.
|
| As for what changed....Me, buggering around in the system trying to get
used to using Expression Web versus Frontpage and I was playing with the
webs permissions. I've been studying my SBS2003 bible and think it
boils down to simply some conflicting permissions and group/user policy
settings, but I'm having trouble wrapping my head around it.
|
| I'm about ready to load SBS2003 on a spare computer simply to review
and compare the original permission sets with what I have now. I'm
confident that if I solve the public website ACL problem, everything
else will be back to normal.
|
| Again, I apologize for the lack of information, but I wasn't sure what
anyone would consider relevant and was afraid of going off on a
tangent.
|
| Thanks,
|
| John.


+-------------------------------------------------------------------+
|Filename: myserveripset.txt |
|Download: http://forums.techarena.in/attachment.php?attachmentid=6378|
+-------------------------------------------------------------------+

--
JiAngelo
------------------------------------------------------------------------
JiAngelo's Profile: http://forums.techarena.in/member.php?userid=30319
View this thread: http://forums.techarena.in/showthread.php?t=811255

http://forums.techarena.in
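
Added example, not part of either post above: once the fresh IIS log requested in the reply has been collected, the 401.3 responses can be isolated before sending it on. HTTP 401 with sub-status 3 means the request was refused by the ACL on the resource, and a Win32 status of 5 is "access denied"; a `cs-username` of `-` means the request was anonymous. The log lines, addresses and function names below are constructed for illustration and assume the `sc-substatus` and `sc-win32-status` fields are being logged.

```python
from collections import Counter

# Constructed sample in IIS 6.0 W3C extended format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-09-01 04:10:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-09-01 04:10:02 192.0.2.10 GET /default.htm - 80 - 198.51.100.7 Mozilla/4.0 401 3 5
2007-09-01 04:10:05 192.0.2.10 GET /images/logo.gif - 80 - 198.51.100.7 Mozilla/4.0 401 3 5
2007-09-01 04:10:09 192.0.2.10 GET /exchange/ - 443 - 198.51.100.7 Mozilla/4.0 401 2 2148074254
2007-09-01 04:11:30 192.0.2.10 GET /default.htm - 80 - 198.51.100.7 Mozilla/4.0 401 3 5
2007-09-01 04:12:00 192.0.2.10 GET /robots.txt - 80 - 198.51.100.9 Mozilla/4.0 404 0 2
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field list can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")           # IIS writes spaces inside values as '+'
            if len(values) == len(fields):     # skip truncated or malformed lines
                yield dict(zip(fields, values))


def acl_denials(text):
    """Count 401.3 responses per (URI, user name, Win32 status)."""
    hits = Counter()
    for row in parse_w3c(text):
        if row.get("sc-status") == "401" and row.get("sc-substatus") == "3":
            key = (row["cs-uri-stem"],
                   row.get("cs-username", "-"),
                   row.get("sc-win32-status", "-"))
            hits[key] += 1
    return hits


if __name__ == "__main__":
    # To use a collected log instead of the sample, read the file's text and
    # pass it to acl_denials().
    for (uri, user, win32), count in acl_denials(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {uri}  user={user}  win32={win32}")
```

Anonymous requests that fail with 401.3 and Win32 status 5 on static files point at the NTFS permissions on the content folder for the anonymous account, which is what Steps 1 to 3 of the reply check.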
