| Groups | Blog | Home |
iis security : Permanently turn off Integrated Windows Authentication?
Is there a way to permanently turn off Integrated Windows Authentication on
Windows 2000 SP4 IIS 5.0? We know that you can uncheck the box for it on the Properties for that specific virtual directory under Authentication Methods, but every time the server is rebooted or if the IIS Admin Service is restarted it automatically checks that box back on. We have Exchange 2000 Post-SP3 running on this box (not a DC) and we don't want the Domain field box showing up for clients logging into OWA. We only want Basic Authentication over forced SSL (which we have configured and working fine). We've noticed that down-level clients for some home users can't login IF Integrated Windows Authentication is checked on. Is there a registry setting to disable this or a script that will disable it that we could run at machine start up? Thanks for any ideas or suggestions.
There is no such setting, and it is totally unnecessary.
If you uncheck the property in IIS UI, it should work, period. IIS doesn't turn any settings automatically back on -- it must be due to your setting never being set to begin with. I recommend you uncheck the property, and then go to the commandline to run: NET STOP IISADMIN /y If it succeeds without errors, it is guaranteed that your property stays unchecked from now on (unless you have some other backup process you're not telling me about that is replacing the old configuration). Anything else, it is likely pointing to the reason why the setting keeps coming back... because IIS is failing to permanently save the setting, so you'll keep getting the old setting on reboot/restart. -- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message Is there a way to permanently turn off Integrated Windows Authentication onnews:eDXqDrnxDHA.2436@TK2MSFTNGP09.phx.gbl... Windows 2000 SP4 IIS 5.0? We know that you can uncheck the box for it on the Properties for that specific virtual directory under Authentication Methods, but every time the server is rebooted or if the IIS Admin Service is restarted it automatically checks that box back on. We have Exchange 2000 Post-SP3 running on this box (not a DC) and we don't want the Domain field box showing up for clients logging into OWA. We only want Basic Authentication over forced SSL (which we have configured and working fine). We've noticed that down-level clients for some home users can't login IF Integrated Windows Authentication is checked on. Is there a registry setting to disable this or a script that will disable it that we could run at machine start up? Thanks for any ideas or suggestions.
This has been happening to me ever since 2001. I believe it's a known bug,
possibly where the IIS Metabase isn't properly being saved on exit. What I was able to do is make that change AND ONLY that one change in one place, and then right-click to stop and restart the web server instance [and/or stop and restart the WWW service in Windows]. Then immediately go back into IIS and confirm that the setting is still there. If it is, you should be OK. [quoted text, click to view] "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message news:eDXqDrnxDHA.2436@TK2MSFTNGP09.phx.gbl... > Is there a way to permanently turn off Integrated Windows Authentication on > Windows 2000 SP4 IIS 5.0? > > > > We know that you can uncheck the box for it on the Properties for that > specific virtual directory under Authentication Methods, but every time the > server is rebooted or if the IIS Admin Service is restarted it automatically > checks that box back on. > > > > We have Exchange 2000 Post-SP3 running on this box (not a DC) and we don't > want the Domain field box showing up for clients logging into OWA. We only > want Basic Authentication over forced SSL (which we have configured and > working fine). We've noticed that down-level clients for some home users > can't login IF Integrated Windows Authentication is checked on. > > > > Is there a registry setting to disable this or a script that will disable it > that we could run at machine start up? Thanks for any ideas or suggestions. > > > >
Yes, I believe this is a bug as well, I have seen several posts in this
newsgroup over the last several months with others having the same issue. Could the MS guy elaborate of what might be wrong or where to look for the source of the problem, what to fix? Our issue has been very inconsistent, we stop all web services during our offline Exchange backup every night. And even though we have unchecked the box for "Integreated Windows Authentication" it will sometimes stay unchecked when the web services are restarted but most of the time the box is rechecked automatically. Thanks Karl, I try what you have suggested. [quoted text, click to view] "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message news:%2349xah9xDHA.2116@TK2MSFTNGP11.phx.gbl... > This has been happening to me ever since 2001. I believe it's a known bug, > possibly where the IIS Metabase isn't properly being saved on exit. What I > was able to do is make that change AND ONLY that one change in one place, > and then right-click to stop and restart the web server instance [and/or > stop and restart the WWW service in Windows]. Then immediately go back into > IIS and confirm that the setting is still there. If it is, you should be > OK. > > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message > news:eDXqDrnxDHA.2436@TK2MSFTNGP09.phx.gbl... > > Is there a way to permanently turn off Integrated Windows Authentication > on > > Windows 2000 SP4 IIS 5.0? > > > > > > > > We know that you can uncheck the box for it on the Properties for that > > specific virtual directory under Authentication Methods, but every time > the > > server is rebooted or if the IIS Admin Service is restarted it > automatically > > checks that box back on. > > > > > > > > We have Exchange 2000 Post-SP3 running on this box (not a DC) and we don't > > want the Domain field box showing up for clients logging into OWA. We > only > > want Basic Authentication over forced SSL (which we have configured and > > working fine). We've noticed that down-level clients for some home users > > can't login IF Integrated Windows Authentication is checked on. > > > > > > > > Is there a registry setting to disable this or a script that will disable > it > > that we could run at machine start up? Thanks for any ideas or > suggestions. > > > > > > > > > >
Ok, I've described basically the same solution as Karl. Only difference is
that I *know* that stopping IISADMIN will trigger the metabase flush. I'll describe what's going on. The basic problem is this: 1. When you make a configuration change to IIS via the UI, it is kept in memory (since IIS will frequently take the change live) and NOT immediately written to disk. 2. Later, IIS attempts to write the change to disk using an algorithm to determine "idleness". 3. I've seen instances where "idleness" doesn't happen, so the changes are not written to disk after a given time period. This isn't exactly bad since IIS will eventually write the change to disk when you stop the IISADMIN service... but it's bad news if #4 happens... 4. Something manages to kill the IISADMIN service before IIS writes the change. This can be an inproc ISAPI crashing, or using IISRESET and IIS takes >30 seconds to restart (probably likely with Exchange as a dependency). When this happens, the unwritten changes are lost, and upon restart, you get the old settings. What you're describing is that somehow, #4 is happening prior to your change being flushed to disk. Thus, you're losing your change. The way you work around this is to basically make the change and IMMEDIATELY cause a metabase flush to disk to happen. Stopping the IISADMIN service is one way, but NOT using IISRESET. The sure way to do this is to type: NET STOP /y IISADMIN on the commandline With IIS6, what we changed was: 1. Give you a menu option to immediately save all configuration to disk. 2. When you exit the UI, automatically initiate a flush to disk. We will probably never change this behavior on prior IIS versions since the change can be dangerous and cause other potential unknown problems. It's better to have a known problem and workaround than an unknown problem with an unknown workaround. -- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message Yes, I believe this is a bug as well, I have seen several posts in thisnews:uOPN55JyDHA.1736@TK2MSFTNGP09.phx.gbl... newsgroup over the last several months with others having the same issue. Could the MS guy elaborate of what might be wrong or where to look for the source of the problem, what to fix? Our issue has been very inconsistent, we stop all web services during our offline Exchange backup every night. And even though we have unchecked the box for "Integreated Windows Authentication" it will sometimes stay unchecked when the web services are restarted but most of the time the box is rechecked automatically. Thanks Karl, I try what you have suggested. [quoted text, click to view] "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message news:%2349xah9xDHA.2116@TK2MSFTNGP11.phx.gbl... > This has been happening to me ever since 2001. I believe it's a known bug, > possibly where the IIS Metabase isn't properly being saved on exit. What I > was able to do is make that change AND ONLY that one change in one place, > and then right-click to stop and restart the web server instance [and/or > stop and restart the WWW service in Windows]. Then immediately go back into > IIS and confirm that the setting is still there. If it is, you should be > OK. > > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message > news:eDXqDrnxDHA.2436@TK2MSFTNGP09.phx.gbl... > > Is there a way to permanently turn off Integrated Windows Authentication > on > > Windows 2000 SP4 IIS 5.0? > > > > > > > > We know that you can uncheck the box for it on the Properties for that > > specific virtual directory under Authentication Methods, but every time > the > > server is rebooted or if the IIS Admin Service is restarted it > automatically > > checks that box back on. > > > > > > > > We have Exchange 2000 Post-SP3 running on this box (not a DC) and we don't > > want the Domain field box showing up for clients logging into OWA. We > only > > want Basic Authentication over forced SSL (which we have configured and > > working fine). We've noticed that down-level clients for some home users > > can't login IF Integrated Windows Authentication is checked on. > > > > > > > > Is there a registry setting to disable this or a script that will disable > it > > that we could run at machine start up? Thanks for any ideas or > suggestions. > > > > > > > > > >
Okay, we've tried what you suggested, making the change to the virtual
directory and unchecking the "Integrated Windows Authentication" box, and then immediately run "NET STOP /y IISADMIN" from a Cmd Prompt, it successfully stops the service and all other dependant Exchange services. We start all of the services back up and the box remains unchecked. It remained uncheck for the next 2 days, but then on the 3rd day it was checked again automatically. Just a reminder, this is a Member Server running Windows 2000 SP4 and Exchange 2000 Post-SP3, we stop/start all Exchange and IIS services every night for offline backups. We are attempting to change this on a Virtual Directory, not the top level of the website. Is there something we are missing? Thank you for your help. [quoted text, click to view] "David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:OdijbuSyDHA.2508@TK2MSFTNGP12.phx.gbl... > Ok, I've described basically the same solution as Karl. Only difference is > that I *know* that stopping IISADMIN will trigger the metabase flush. > > I'll describe what's going on. > > The basic problem is this: > 1. When you make a configuration change to IIS via the UI, it is kept in > memory (since IIS will frequently take the change live) and NOT immediately > written to disk. > 2. Later, IIS attempts to write the change to disk using an algorithm to > determine "idleness". > 3. I've seen instances where "idleness" doesn't happen, so the changes are > not written to disk after a given time period. This isn't exactly bad since > IIS will eventually write the change to disk when you stop the IISADMIN > service... but it's bad news if #4 happens... > 4. Something manages to kill the IISADMIN service before IIS writes the > change. This can be an inproc ISAPI crashing, or using IISRESET and IIS > takes >30 seconds to restart (probably likely with Exchange as a > dependency). When this happens, the unwritten changes are lost, and upon > restart, you get the old settings. > > What you're describing is that somehow, #4 is happening prior to your change > being flushed to disk. Thus, you're losing your change. The way you work > around this is to basically make the change and IMMEDIATELY cause a metabase > flush to disk to happen. Stopping the IISADMIN service is one way, but NOT > using IISRESET. The sure way to do this is to type: > NET STOP /y IISADMIN on the commandline > > With IIS6, what we changed was: > 1. Give you a menu option to immediately save all configuration to disk. > 2. When you exit the UI, automatically initiate a flush to disk. > > We will probably never change this behavior on prior IIS versions since the > change can be dangerous and cause other potential unknown problems. It's > better to have a known problem and workaround than an unknown problem with > an unknown workaround. > > -- > //David > IIS > This posting is provided "AS IS" with no warranties, and confers no rights. > // > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message > news:uOPN55JyDHA.1736@TK2MSFTNGP09.phx.gbl... > Yes, I believe this is a bug as well, I have seen several posts in this > newsgroup over the last several months with others having the same issue. > Could the MS guy elaborate of what might be wrong or where to look for the > source of the problem, what to fix? > > Our issue has been very inconsistent, we stop all web services during our > offline Exchange backup every night. And even though we have unchecked the > box for "Integreated Windows Authentication" it will sometimes stay > unchecked when the web services are restarted but most of the time the box > is rechecked automatically. > > Thanks Karl, I try what you have suggested. > > > "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message > news:%2349xah9xDHA.2116@TK2MSFTNGP11.phx.gbl... > > This has been happening to me ever since 2001. I believe it's a known > bug, > > possibly where the IIS Metabase isn't properly being saved on exit. What > I > > was able to do is make that change AND ONLY that one change in one place, > > and then right-click to stop and restart the web server instance [and/or > > stop and restart the WWW service in Windows]. Then immediately go back > into > > IIS and confirm that the setting is still there. If it is, you should be > > OK. > > > > > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message > > news:eDXqDrnxDHA.2436@TK2MSFTNGP09.phx.gbl... > > > Is there a way to permanently turn off Integrated Windows Authentication > > on > > > Windows 2000 SP4 IIS 5.0? > > > > > > > > > > > > We know that you can uncheck the box for it on the Properties for that > > > specific virtual directory under Authentication Methods, but every time > > the > > > server is rebooted or if the IIS Admin Service is restarted it > > automatically > > > checks that box back on. > > > > > > > > > > > > We have Exchange 2000 Post-SP3 running on this box (not a DC) and we > don't > > > want the Domain field box showing up for clients logging into OWA. We > > only > > > want Basic Authentication over forced SSL (which we have configured and > > > working fine). We've noticed that down-level clients for some home > users > > > can't login IF Integrated Windows Authentication is checked on. > > > > > > > > > > > > Is there a registry setting to disable this or a script that will > disable > > it > > > that we could run at machine start up? Thanks for any ideas or > > suggestions. > > > > > > > > > > > > > > > > > > >
Well this is actually an IIS setting - and if you do anything related to IIS
from the Exchange System Manager it tells you to use the IIS MMC Console. Unless there is somewhere else we can make this change...? [quoted text, click to view] "Bernard" <qbernard@hotmail.com.discuss> wrote in message
news:e8HpkobzDHA.604@tk2msftngp13.phx.gbl... > You might want to change Exchange related setting via System Manager. > as when it start it might overwrite the setting configure in IIS MMC. > > -- > Regards, > Bernard Cheah > http://support.microsoft.com/ > Please respond to newsgroups only ... > > > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> ???? > news:#4V3VRXzDHA.2680@TK2MSFTNGP11.phx.gbl... > > Okay, we've tried what you suggested, making the change to the virtual > > directory and unchecking the "Integrated Windows Authentication" box, and > > then immediately run "NET STOP /y IISADMIN" from a Cmd Prompt, it > > successfully stops the service and all other dependant Exchange services. > > We start all of the services back up and the box remains unchecked. It > > remained uncheck for the next 2 days, but then on the 3rd day it was > checked > > again automatically. Just a reminder, this is a Member Server running > > Windows 2000 SP4 and Exchange 2000 Post-SP3, we stop/start all Exchange > and > > IIS services every night for offline backups. We are attempting to change > > this on a Virtual Directory, not the top level of the website. Is there > > something we are missing? Thank you for your help. > > > > > > > > > > "David Wang [Msft]" <someone@online.microsoft.com> wrote in message > > news:OdijbuSyDHA.2508@TK2MSFTNGP12.phx.gbl... > > > Ok, I've described basically the same solution as Karl. Only difference > > is > > > that I *know* that stopping IISADMIN will trigger the metabase flush. > > > > > > I'll describe what's going on. > > > > > > The basic problem is this: > > > 1. When you make a configuration change to IIS via the UI, it is kept in > > > memory (since IIS will frequently take the change live) and NOT > > immediately > > > written to disk. > > > 2. Later, IIS attempts to write the change to disk using an algorithm to > > > determine "idleness". > > > 3. I've seen instances where "idleness" doesn't happen, so the changes > are > > > not written to disk after a given time period. This isn't exactly bad > > since > > > IIS will eventually write the change to disk when you stop the IISADMIN > > > service... but it's bad news if #4 happens... > > > 4. Something manages to kill the IISADMIN service before IIS writes the > > > change. This can be an inproc ISAPI crashing, or using IISRESET and IIS > > > takes >30 seconds to restart (probably likely with Exchange as a > > > dependency). When this happens, the unwritten changes are lost, and > upon > > > restart, you get the old settings. > > > > > > What you're describing is that somehow, #4 is happening prior to your > > change > > > being flushed to disk. Thus, you're losing your change. The way you > work > > > around this is to basically make the change and IMMEDIATELY cause a > > metabase > > > flush to disk to happen. Stopping the IISADMIN service is one way, but > > NOT > > > using IISRESET. The sure way to do this is to type: > > > NET STOP /y IISADMIN on the commandline > > > > > > With IIS6, what we changed was: > > > 1. Give you a menu option to immediately save all configuration to disk. > > > 2. When you exit the UI, automatically initiate a flush to disk. > > > > > > We will probably never change this behavior on prior IIS versions since > > the > > > change can be dangerous and cause other potential unknown problems. > It's > > > better to have a known problem and workaround than an unknown problem > with > > > an unknown workaround. > > > > > > -- > > > //David > > > IIS > > > This posting is provided "AS IS" with no warranties, and confers no > > rights. > > > // > > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in > message > > > news:uOPN55JyDHA.1736@TK2MSFTNGP09.phx.gbl... > > > Yes, I believe this is a bug as well, I have seen several posts in this > > > newsgroup over the last several months with others having the same > issue. > > > Could the MS guy elaborate of what might be wrong or where to look for > the > > > source of the problem, what to fix? > > > > > > Our issue has been very inconsistent, we stop all web services during > our > > > offline Exchange backup every night. And even though we have unchecked > > the > > > box for "Integreated Windows Authentication" it will sometimes stay > > > unchecked when the web services are restarted but most of the time the > box > > > is rechecked automatically. > > > > > > Thanks Karl, I try what you have suggested. > > > > > > > > > "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message > > > news:%2349xah9xDHA.2116@TK2MSFTNGP11.phx.gbl... > > > > This has been happening to me ever since 2001. I believe it's a known > > > bug, > > > > possibly where the IIS Metabase isn't properly being saved on exit. > > What > > > I > > > > was able to do is make that change AND ONLY that one change in one > > place, > > > > and then right-click to stop and restart the web server instance > [and/or > > > > stop and restart the WWW service in Windows]. Then immediately go > back > > > into > > > > IIS and confirm that the setting is still there. If it is, you should > > be > > > > OK. > > > > > > > > > > > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in > > message > > > > news:eDXqDrnxDHA.2436@TK2MSFTNGP09.phx.gbl... > > > > > Is there a way to permanently turn off Integrated Windows > > Authentication > > > > on > > > > > Windows 2000 SP4 IIS 5.0? > > > > > > > > > > > > > > > > > > > > We know that you can uncheck the box for it on the Properties for > that > > > > > specific virtual directory under Authentication Methods, but every > > time > > > > the > > > > > server is rebooted or if the IIS Admin Service is restarted it > > > > automatically > > > > > checks that box back on. > > > > > > > > > > > > > > > > > > > > We have Exchange 2000 Post-SP3 running on this box (not a DC) and we > > > don't > > > > > want the Domain field box showing up for clients logging into OWA. > We > > > > only > > > > > want Basic Authentication over forced SSL (which we have configured > > and > > > > > working fine). We've noticed that down-level clients for some home > > > users > > > > > can't login IF Integrated Windows Authentication is checked on. > > > > > > > > > > > > > > > > > > > > Is there a registry setting to disable this or a script that will > > > disable > > > > it > > > > > that we could run at machine start up? Thanks for any ideas or > > > > suggestions. > > > > > > > > > > > > > > > > > > > >
You might want to change Exchange related setting via System Manager.
as when it start it might overwrite the setting configure in IIS MMC. -- Regards, Bernard Cheah http://support.microsoft.com/ Please respond to newsgroups only ... "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> ???? news:#4V3VRXzDHA.2680@TK2MSFTNGP11.phx.gbl... [quoted text, click to view] > Okay, we've tried what you suggested, making the change to the virtual > directory and unchecking the "Integrated Windows Authentication" box, and > then immediately run "NET STOP /y IISADMIN" from a Cmd Prompt, it > successfully stops the service and all other dependant Exchange services. > We start all of the services back up and the box remains unchecked. It > remained uncheck for the next 2 days, but then on the 3rd day it was checked > again automatically. Just a reminder, this is a Member Server running > Windows 2000 SP4 and Exchange 2000 Post-SP3, we stop/start all Exchange and > IIS services every night for offline backups. We are attempting to change > this on a Virtual Directory, not the top level of the website. Is there > something we are missing? Thank you for your help. > > > > > "David Wang [Msft]" <someone@online.microsoft.com> wrote in message > news:OdijbuSyDHA.2508@TK2MSFTNGP12.phx.gbl... > > Ok, I've described basically the same solution as Karl. Only difference > is > > that I *know* that stopping IISADMIN will trigger the metabase flush. > > > > I'll describe what's going on. > > > > The basic problem is this: > > 1. When you make a configuration change to IIS via the UI, it is kept in > > memory (since IIS will frequently take the change live) and NOT > immediately > > written to disk. > > 2. Later, IIS attempts to write the change to disk using an algorithm to > > determine "idleness". > > 3. I've seen instances where "idleness" doesn't happen, so the changes are > > not written to disk after a given time period. This isn't exactly bad > since > > IIS will eventually write the change to disk when you stop the IISADMIN > > service... but it's bad news if #4 happens... > > 4. Something manages to kill the IISADMIN service before IIS writes the > > change. This can be an inproc ISAPI crashing, or using IISRESET and IIS > > takes >30 seconds to restart (probably likely with Exchange as a > > dependency). When this happens, the unwritten changes are lost, and upon > > restart, you get the old settings. > > > > What you're describing is that somehow, #4 is happening prior to your > change > > being flushed to disk. Thus, you're losing your change. The way you work > > around this is to basically make the change and IMMEDIATELY cause a > metabase > > flush to disk to happen. Stopping the IISADMIN service is one way, but > NOT > > using IISRESET. The sure way to do this is to type: > > NET STOP /y IISADMIN on the commandline > > > > With IIS6, what we changed was: > > 1. Give you a menu option to immediately save all configuration to disk. > > 2. When you exit the UI, automatically initiate a flush to disk. > > > > We will probably never change this behavior on prior IIS versions since > the > > change can be dangerous and cause other potential unknown problems. It's > > better to have a known problem and workaround than an unknown problem with > > an unknown workaround. > > > > -- > > //David > > IIS > > This posting is provided "AS IS" with no warranties, and confers no > rights. > > // > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message > > news:uOPN55JyDHA.1736@TK2MSFTNGP09.phx.gbl... > > Yes, I believe this is a bug as well, I have seen several posts in this > > newsgroup over the last several months with others having the same issue. > > Could the MS guy elaborate of what might be wrong or where to look for the > > source of the problem, what to fix? > > > > Our issue has been very inconsistent, we stop all web services during our > > offline Exchange backup every night. And even though we have unchecked > the > > box for "Integreated Windows Authentication" it will sometimes stay > > unchecked when the web services are restarted but most of the time the box > > is rechecked automatically. > > > > Thanks Karl, I try what you have suggested. > > > > > > "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message > > news:%2349xah9xDHA.2116@TK2MSFTNGP11.phx.gbl... > > > This has been happening to me ever since 2001. I believe it's a known > > bug, > > > possibly where the IIS Metabase isn't properly being saved on exit. > What > > I > > > was able to do is make that change AND ONLY that one change in one > place, > > > and then right-click to stop and restart the web server instance [and/or > > > stop and restart the WWW service in Windows]. Then immediately go back > > into > > > IIS and confirm that the setting is still there. If it is, you should > be > > > OK. > > > > > > > > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in > message > > > news:eDXqDrnxDHA.2436@TK2MSFTNGP09.phx.gbl... > > > > Is there a way to permanently turn off Integrated Windows > Authentication > > > on > > > > Windows 2000 SP4 IIS 5.0? > > > > > > > > > > > > > > > > We know that you can uncheck the box for it on the Properties for that > > > > specific virtual directory under Authentication Methods, but every > time > > > the > > > > server is rebooted or if the IIS Admin Service is restarted it > > > automatically > > > > checks that box back on. > > > > > > > > > > > > > > > > We have Exchange 2000 Post-SP3 running on this box (not a DC) and we > > don't > > > > want the Domain field box showing up for clients logging into OWA. We > > > only > > > > want Basic Authentication over forced SSL (which we have configured > and > > > > working fine). We've noticed that down-level clients for some home > > users > > > > can't login IF Integrated Windows Authentication is checked on. > > > > > > > > > > > > > > > > Is there a registry setting to disable this or a script that will > > disable > > > it > > > > that we could run at machine start up? Thanks for any ideas or > > > suggestions. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >
If that's the case, then your problem is not the setting being lost. It
sounds like something elsewhere is intentionally turning it back on (probably Exchange), so you want to configure Exchange (or however it wants you to configure it) to not use Integrated Windows Authentication. -- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message Okay, we've tried what you suggested, making the change to the virtualnews:%234V3VRXzDHA.2680@TK2MSFTNGP11.phx.gbl... directory and unchecking the "Integrated Windows Authentication" box, and then immediately run "NET STOP /y IISADMIN" from a Cmd Prompt, it successfully stops the service and all other dependant Exchange services. We start all of the services back up and the box remains unchecked. It remained uncheck for the next 2 days, but then on the 3rd day it was checked again automatically. Just a reminder, this is a Member Server running Windows 2000 SP4 and Exchange 2000 Post-SP3, we stop/start all Exchange and IIS services every night for offline backups. We are attempting to change this on a Virtual Directory, not the top level of the website. Is there something we are missing? Thank you for your help. [quoted text, click to view] "David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:OdijbuSyDHA.2508@TK2MSFTNGP12.phx.gbl... > Ok, I've described basically the same solution as Karl. Only difference is > that I *know* that stopping IISADMIN will trigger the metabase flush. > > I'll describe what's going on. > > The basic problem is this: > 1. When you make a configuration change to IIS via the UI, it is kept in > memory (since IIS will frequently take the change live) and NOT immediately > written to disk. > 2. Later, IIS attempts to write the change to disk using an algorithm to > determine "idleness". > 3. I've seen instances where "idleness" doesn't happen, so the changes are > not written to disk after a given time period. This isn't exactly bad since > IIS will eventually write the change to disk when you stop the IISADMIN > service... but it's bad news if #4 happens... > 4. Something manages to kill the IISADMIN service before IIS writes the > change. This can be an inproc ISAPI crashing, or using IISRESET and IIS > takes >30 seconds to restart (probably likely with Exchange as a > dependency). When this happens, the unwritten changes are lost, and upon > restart, you get the old settings. > > What you're describing is that somehow, #4 is happening prior to your change > being flushed to disk. Thus, you're losing your change. The way you work > around this is to basically make the change and IMMEDIATELY cause a metabase > flush to disk to happen. Stopping the IISADMIN service is one way, but NOT > using IISRESET. The sure way to do this is to type: > NET STOP /y IISADMIN on the commandline > > With IIS6, what we changed was: > 1. Give you a menu option to immediately save all configuration to disk. > 2. When you exit the UI, automatically initiate a flush to disk. > > We will probably never change this behavior on prior IIS versions since the > change can be dangerous and cause other potential unknown problems. It's > better to have a known problem and workaround than an unknown problem with > an unknown workaround. > > -- > //David > IIS > This posting is provided "AS IS" with no warranties, and confers no rights. > // > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message > news:uOPN55JyDHA.1736@TK2MSFTNGP09.phx.gbl... > Yes, I believe this is a bug as well, I have seen several posts in this > newsgroup over the last several months with others having the same issue. > Could the MS guy elaborate of what might be wrong or where to look for the > source of the problem, what to fix? > > Our issue has been very inconsistent, we stop all web services during our > offline Exchange backup every night. And even though we have unchecked the > box for "Integreated Windows Authentication" it will sometimes stay > unchecked when the web services are restarted but most of the time the box > is rechecked automatically. > > Thanks Karl, I try what you have suggested. > > > "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message > news:%2349xah9xDHA.2116@TK2MSFTNGP11.phx.gbl... > > This has been happening to me ever since 2001. I believe it's a known > bug, > > possibly where the IIS Metabase isn't properly being saved on exit. What > I > > was able to do is make that change AND ONLY that one change in one place, > > and then right-click to stop and restart the web server instance [and/or > > stop and restart the WWW service in Windows]. Then immediately go back > into > > IIS and confirm that the setting is still there. If it is, you should be > > OK. > > > > > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message > > news:eDXqDrnxDHA.2436@TK2MSFTNGP09.phx.gbl... > > > Is there a way to permanently turn off Integrated Windows Authentication > > on > > > Windows 2000 SP4 IIS 5.0? > > > > > > > > > > > > We know that you can uncheck the box for it on the Properties for that > > > specific virtual directory under Authentication Methods, but every time > > the > > > server is rebooted or if the IIS Admin Service is restarted it > > automatically > > > checks that box back on. > > > > > > > > > > > > We have Exchange 2000 Post-SP3 running on this box (not a DC) and we > don't > > > want the Domain field box showing up for clients logging into OWA. We > > only > > > want Basic Authentication over forced SSL (which we have configured and > > > working fine). We've noticed that down-level clients for some home > users > > > can't login IF Integrated Windows Authentication is checked on. > > > > > > > > > > > > Is there a registry setting to disable this or a script that will > disable > > it > > > that we could run at machine start up? Thanks for any ideas or > > suggestions. > > > > > > > > > > > > > > > > > > >
We haven't been able to determine if and where Exchange might be setting
Integrated Windows Authentication on other than in IIS. Does anyone know IF Exchange is doing this, and if so, how to prevent it? Thanks! [quoted text, click to view] "David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:ORA1MwpzDHA.560@TK2MSFTNGP11.phx.gbl... > If that's the case, then your problem is not the setting being lost. It > sounds like something elsewhere is intentionally turning it back on > (probably Exchange), so you want to configure Exchange (or however it wants > you to configure it) to not use Integrated Windows Authentication. > > -- > //David > IIS > This posting is provided "AS IS" with no warranties, and confers no rights. > // > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message > news:%234V3VRXzDHA.2680@TK2MSFTNGP11.phx.gbl... > Okay, we've tried what you suggested, making the change to the virtual > directory and unchecking the "Integrated Windows Authentication" box, and > then immediately run "NET STOP /y IISADMIN" from a Cmd Prompt, it > successfully stops the service and all other dependant Exchange services. > We start all of the services back up and the box remains unchecked. It > remained uncheck for the next 2 days, but then on the 3rd day it was checked > again automatically. Just a reminder, this is a Member Server running > Windows 2000 SP4 and Exchange 2000 Post-SP3, we stop/start all Exchange and > IIS services every night for offline backups. We are attempting to change > this on a Virtual Directory, not the top level of the website. Is there > something we are missing? Thank you for your help. > > > > > "David Wang [Msft]" <someone@online.microsoft.com> wrote in message > news:OdijbuSyDHA.2508@TK2MSFTNGP12.phx.gbl... > > Ok, I've described basically the same solution as Karl. Only difference > is > > that I *know* that stopping IISADMIN will trigger the metabase flush. > > > > I'll describe what's going on. > > > > The basic problem is this: > > 1. When you make a configuration change to IIS via the UI, it is kept in > > memory (since IIS will frequently take the change live) and NOT > immediately > > written to disk. > > 2. Later, IIS attempts to write the change to disk using an algorithm to > > determine "idleness". > > 3. I've seen instances where "idleness" doesn't happen, so the changes are > > not written to disk after a given time period. This isn't exactly bad > since > > IIS will eventually write the change to disk when you stop the IISADMIN > > service... but it's bad news if #4 happens... > > 4. Something manages to kill the IISADMIN service before IIS writes the > > change. This can be an inproc ISAPI crashing, or using IISRESET and IIS > > takes >30 seconds to restart (probably likely with Exchange as a > > dependency). When this happens, the unwritten changes are lost, and upon > > restart, you get the old settings. > > > > What you're describing is that somehow, #4 is happening prior to your > change > > being flushed to disk. Thus, you're losing your change. The way you work > > around this is to basically make the change and IMMEDIATELY cause a > metabase > > flush to disk to happen. Stopping the IISADMIN service is one way, but > NOT > > using IISRESET. The sure way to do this is to type: > > NET STOP /y IISADMIN on the commandline > > > > With IIS6, what we changed was: > > 1. Give you a menu option to immediately save all configuration to disk. > > 2. When you exit the UI, automatically initiate a flush to disk. > > > > We will probably never change this behavior on prior IIS versions since > the > > change can be dangerous and cause other potential unknown problems. It's > > better to have a known problem and workaround than an unknown problem with > > an unknown workaround. > > > > -- > > //David > > IIS > > This posting is provided "AS IS" with no warranties, and confers no > rights. > > // > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message > > news:uOPN55JyDHA.1736@TK2MSFTNGP09.phx.gbl... > > Yes, I believe this is a bug as well, I have seen several posts in this > > newsgroup over the last several months with others having the same issue. > > Could the MS guy elaborate of what might be wrong or where to look for the > > source of the problem, what to fix? > > > > Our issue has been very inconsistent, we stop all web services during our > > offline Exchange backup every night. And even though we have unchecked > the > > box for "Integreated Windows Authentication" it will sometimes stay > > unchecked when the web services are restarted but most of the time the box > > is rechecked automatically. > > > > Thanks Karl, I try what you have suggested. > > > > > > "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message > > news:%2349xah9xDHA.2116@TK2MSFTNGP11.phx.gbl... > > > This has been happening to me ever since 2001. I believe it's a known > > bug, > > > possibly where the IIS Metabase isn't properly being saved on exit. > What > > I > > > was able to do is make that change AND ONLY that one change in one > place, > > > and then right-click to stop and restart the web server instance [and/or > > > stop and restart the WWW service in Windows]. Then immediately go back > > into > > > IIS and confirm that the setting is still there. If it is, you should > be > > > OK. > > > > > > > > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in > message > > > news:eDXqDrnxDHA.2436@TK2MSFTNGP09.phx.gbl... > > > > Is there a way to permanently turn off Integrated Windows > Authentication > > > on > > > > Windows 2000 SP4 IIS 5.0? > > > > > > > > > > > > > > > > We know that you can uncheck the box for it on the Properties for that > > > > specific virtual directory under Authentication Methods, but every > time > > > the > > > > server is rebooted or if the IIS Admin Service is restarted it > > > automatically > > > > checks that box back on. > > > > > > > > > > > > > > > > We have Exchange 2000 Post-SP3 running on this box (not a DC) and we > > don't > > > > want the Domain field box showing up for clients logging into OWA. We > > > only > > > > want Basic Authentication over forced SSL (which we have configured > and > > > > working fine). We've noticed that down-level clients for some home > > users > > > > can't login IF Integrated Windows Authentication is checked on. > > > > > > > > > > > > > > > > Is there a registry setting to disable this or a script that will > > disable > > > it > > > > that we could run at machine start up? Thanks for any ideas or > > > suggestions. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >
Excellent! We'll try changing it here (and the possible combination of the
"net stop /y iisadmin") and see if it holds longer than a few days. Thanks you! [quoted text, click to view] "Ben Winzenz" <benwinzenz@NOSPAM.gardnerwhite.com> wrote in message
news:uYd$8LvzDHA.556@TK2MSFTNGP11.phx.gbl... > Go into Exchange System Manager and drill down to the http - Exchange > Virtual Server. Exchange and Public directories. Note that you cannot > modify the properties of the Exchange Virtual server itself - those must be > managed by IIS. However, if you are going to make authentication settings > changes, such as on the Exchange and Public virtual directories, you want to > do them here, not in IIS. Exchange will periodically refresh the IIS > Metabase with it's settings. If you set the authentication in IIS, rather > than in ESM, it will quite likely be overwritten by Exchange the next time > the settings are refreshed. > > -- > Ben Winzenz > Network Engineer > Gardner & White > > Exchange FAQ's: http://www.swinc.com/resource/exch_faq.htm > Exchange 2000 FAQ's: http://www.swinc.com/resource/e2kfaq.htm > > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message > news:eOkMD8uzDHA.536@tk2msftngp13.phx.gbl... > > We haven't been able to determine if and where Exchange might be setting > > Integrated Windows Authentication on other than in IIS. Does anyone know > IF > > Exchange is doing this, and if so, how to prevent it? Thanks! > > > > > > > > "David Wang [Msft]" <someone@online.microsoft.com> wrote in message > > news:ORA1MwpzDHA.560@TK2MSFTNGP11.phx.gbl... > > > If that's the case, then your problem is not the setting being lost. It > > > sounds like something elsewhere is intentionally turning it back on > > > (probably Exchange), so you want to configure Exchange (or however it > > wants > > > you to configure it) to not use Integrated Windows Authentication. > > > > > > -- > > > //David > > > IIS > > > This posting is provided "AS IS" with no warranties, and confers no > > rights. > > > // > > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in > message > > > news:%234V3VRXzDHA.2680@TK2MSFTNGP11.phx.gbl... > > > Okay, we've tried what you suggested, making the change to the virtual > > > directory and unchecking the "Integrated Windows Authentication" box, > and > > > then immediately run "NET STOP /y IISADMIN" from a Cmd Prompt, it > > > successfully stops the service and all other dependant Exchange > services. > > > We start all of the services back up and the box remains unchecked. It > > > remained uncheck for the next 2 days, but then on the 3rd day it was > > checked > > > again automatically. Just a reminder, this is a Member Server running > > > Windows 2000 SP4 and Exchange 2000 Post-SP3, we stop/start all Exchange > > and > > > IIS services every night for offline backups. We are attempting to > change > > > this on a Virtual Directory, not the top level of the website. Is there > > > something we are missing? Thank you for your help. > > > > > > > > > > > > > > > "David Wang [Msft]" <someone@online.microsoft.com> wrote in message > > > news:OdijbuSyDHA.2508@TK2MSFTNGP12.phx.gbl... > > > > Ok, I've described basically the same solution as Karl. Only > difference > > > is > > > > that I *know* that stopping IISADMIN will trigger the metabase flush. > > > > > > > > I'll describe what's going on. > > > > > > > > The basic problem is this: > > > > 1. When you make a configuration change to IIS via the UI, it is kept > in > > > > memory (since IIS will frequently take the change live) and NOT > > > immediately > > > > written to disk. > > > > 2. Later, IIS attempts to write the change to disk using an algorithm > to > > > > determine "idleness". > > > > 3. I've seen instances where "idleness" doesn't happen, so the changes > > are > > > > not written to disk after a given time period. This isn't exactly bad > > > since > > > > IIS will eventually write the change to disk when you stop the > IISADMIN > > > > service... but it's bad news if #4 happens... > > > > 4. Something manages to kill the IISADMIN service before IIS writes > the > > > > change. This can be an inproc ISAPI crashing, or using IISRESET and > IIS > > > > takes >30 seconds to restart (probably likely with Exchange as a > > > > dependency). When this happens, the unwritten changes are lost, and > > upon > > > > restart, you get the old settings. > > > > > > > > What you're describing is that somehow, #4 is happening prior to your > > > change > > > > being flushed to disk. Thus, you're losing your change. The way you > > work > > > > around this is to basically make the change and IMMEDIATELY cause a > > > metabase > > > > flush to disk to happen. Stopping the IISADMIN service is one way, > but > > > NOT > > > > using IISRESET. The sure way to do this is to type: > > > > NET STOP /y IISADMIN on the commandline > > > > > > > > With IIS6, what we changed was: > > > > 1. Give you a menu option to immediately save all configuration to > disk. > > > > 2. When you exit the UI, automatically initiate a flush to disk. > > > > > > > > We will probably never change this behavior on prior IIS versions > since > > > the > > > > change can be dangerous and cause other potential unknown problems. > > It's > > > > better to have a known problem and workaround than an unknown problem > > with > > > > an unknown workaround. > > > > > > > > -- > > > > //David > > > > IIS > > > > This posting is provided "AS IS" with no warranties, and confers no > > > rights. > > > > // > > > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in > > message > > > > news:uOPN55JyDHA.1736@TK2MSFTNGP09.phx.gbl... > > > > Yes, I believe this is a bug as well, I have seen several posts in > this > > > > newsgroup over the last several months with others having the same > > issue. > > > > Could the MS guy elaborate of what might be wrong or where to look for > > the > > > > source of the problem, what to fix? > > > > > > > > Our issue has been very inconsistent, we stop all web services during > > our > > > > offline Exchange backup every night. And even though we have > unchecked > > > the > > > > box for "Integreated Windows Authentication" it will sometimes stay > > > > unchecked when the web services are restarted but most of the time the > > box > > > > is rechecked automatically. > > > > > > > > Thanks Karl, I try what you have suggested. > > > > > > > > > > > > "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message > > > > news:%2349xah9xDHA.2116@TK2MSFTNGP11.phx.gbl... > > > > > This has been happening to me ever since 2001. I believe it's a > known > > > > bug, > > > > > possibly where the IIS Metabase isn't properly being saved on exit. > > > What > > > > I
If the setting is related to OWA or SMTP or NNTP, from experience is that
you need to configure in ESM rather than IIS MMC. If it's not, you should do it via IIS MMC. -- Regards, Bernard Cheah http://support.microsoft.com/ Please respond to newsgroups only ... "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> ???? news:OuI5B7hzDHA.1688@TK2MSFTNGP10.phx.gbl... [quoted text, click to view] > Well this is actually an IIS setting - and if you do anything related to
IIS > from the Exchange System Manager it tells you to use the IIS MMC Console. > Unless there is somewhere else we can make this change...? > > > > > "Bernard" <qbernard@hotmail.com.discuss> wrote in message > news:e8HpkobzDHA.604@tk2msftngp13.phx.gbl... > > You might want to change Exchange related setting via System Manager. > > as when it start it might overwrite the setting configure in IIS MMC. > > > > -- > > Regards, > > Bernard Cheah > > http://support.microsoft.com/ > > Please respond to newsgroups only ... > > > > > > > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> ???? > > news:#4V3VRXzDHA.2680@TK2MSFTNGP11.phx.gbl... > > > Okay, we've tried what you suggested, making the change to the virtual > > > directory and unchecking the "Integrated Windows Authentication" box, > and > > > then immediately run "NET STOP /y IISADMIN" from a Cmd Prompt, it > > > successfully stops the service and all other dependant Exchange > services. > > > We start all of the services back up and the box remains unchecked. It > > > remained uncheck for the next 2 days, but then on the 3rd day it was > > checked > > > again automatically. Just a reminder, this is a Member Server running > > > Windows 2000 SP4 and Exchange 2000 Post-SP3, we stop/start all Exchange > > and > > > IIS services every night for offline backups. We are attempting to > change > > > this on a Virtual Directory, not the top level of the website. Is there > > > something we are missing? Thank you for your help. > > > > > > > > > > > > > > > "David Wang [Msft]" <someone@online.microsoft.com> wrote in message > > > news:OdijbuSyDHA.2508@TK2MSFTNGP12.phx.gbl... > > > > Ok, I've described basically the same solution as Karl. Only > difference > > > is > > > > that I *know* that stopping IISADMIN will trigger the metabase flush. > > > > > > > > I'll describe what's going on. > > > > > > > > The basic problem is this: > > > > 1. When you make a configuration change to IIS via the UI, it is kept > in > > > > memory (since IIS will frequently take the change live) and NOT > > > immediately > > > > written to disk. > > > > 2. Later, IIS attempts to write the change to disk using an algorithm > to > > > > determine "idleness". > > > > 3. I've seen instances where "idleness" doesn't happen, so the changes > > are > > > > not written to disk after a given time period. This isn't exactly bad > > > since > > > > IIS will eventually write the change to disk when you stop the > IISADMIN > > > > service... but it's bad news if #4 happens... > > > > 4. Something manages to kill the IISADMIN service before IIS writes > the > > > > change. This can be an inproc ISAPI crashing, or using IISRESET and > IIS > > > > takes >30 seconds to restart (probably likely with Exchange as a > > > > dependency). When this happens, the unwritten changes are lost, and > > upon > > > > restart, you get the old settings. > > > > > > > > What you're describing is that somehow, #4 is happening prior to your > > > change > > > > being flushed to disk. Thus, you're losing your change. The way you > > work > > > > around this is to basically make the change and IMMEDIATELY cause a > > > metabase > > > > flush to disk to happen. Stopping the IISADMIN service is one way, > but > > > NOT > > > > using IISRESET. The sure way to do this is to type: > > > > NET STOP /y IISADMIN on the commandline > > > > > > > > With IIS6, what we changed was: > > > > 1. Give you a menu option to immediately save all configuration to > disk. > > > > 2. When you exit the UI, automatically initiate a flush to disk. > > > > > > > > We will probably never change this behavior on prior IIS versions > since > > > the > > > > change can be dangerous and cause other potential unknown problems. > > It's > > > > better to have a known problem and workaround than an unknown problem > > with > > > > an unknown workaround. > > > > > > > > -- > > > > //David > > > > IIS > > > > This posting is provided "AS IS" with no warranties, and confers no > > > rights. > > > > // > > > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in > > message > > > > news:uOPN55JyDHA.1736@TK2MSFTNGP09.phx.gbl... > > > > Yes, I believe this is a bug as well, I have seen several posts in > this > > > > newsgroup over the last several months with others having the same > > issue. > > > > Could the MS guy elaborate of what might be wrong or where to look for > > the > > > > source of the problem, what to fix? > > > > > > > > Our issue has been very inconsistent, we stop all web services during > > our > > > > offline Exchange backup every night. And even though we have > unchecked > > > the > > > > box for "Integreated Windows Authentication" it will sometimes stay > > > > unchecked when the web services are restarted but most of the time the > > box > > > > is rechecked automatically. > > > > > > > > Thanks Karl, I try what you have suggested. > > > > > > > > > > > > "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message > > > > news:%2349xah9xDHA.2116@TK2MSFTNGP11.phx.gbl... > > > > > This has been happening to me ever since 2001. I believe it's a > known > > > > bug, > > > > > possibly where the IIS Metabase isn't properly being saved on exit. > > > What > > > > I > > > > > was able to do is make that change AND ONLY that one change in one > > > place, > > > > > and then right-click to stop and restart the web server instance > > [and/or > > > > > stop and restart the WWW service in Windows]. Then immediately go > > back > > > > into > > > > > IIS and confirm that the setting is still there. If it is, you > should > > > be > > > > > OK. > > > > > > > > > > > > > > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in > > > message > > > > > news:eDXqDrnxDHA.2436@TK2MSFTNGP09.phx.gbl... > > > > > > Is there a way to permanently turn off Integrated Windows > > > Authentication > > > > > on > > > > > > Windows 2000 SP4 IIS 5.0? > > > > > > > > > > > > > > > > > > > > > > > > We know that you can uncheck the box for it on the Properties for > > that > > > > > > specific virtual directory under Authentication Methods, but every > > > time > > > > > the > > > > > > server is rebooted or if the IIS Admin Service is restarted it > > > > > automatically > > > > > > checks that box back on. > > > > > >
Go into Exchange System Manager and drill down to the http - Exchange
Virtual Server. Exchange and Public directories. Note that you cannot modify the properties of the Exchange Virtual server itself - those must be managed by IIS. However, if you are going to make authentication settings changes, such as on the Exchange and Public virtual directories, you want to do them here, not in IIS. Exchange will periodically refresh the IIS Metabase with it's settings. If you set the authentication in IIS, rather than in ESM, it will quite likely be overwritten by Exchange the next time the settings are refreshed. -- Ben Winzenz Network Engineer Gardner & White Exchange FAQ's: http://www.swinc.com/resource/exch_faq.htm Exchange 2000 FAQ's: http://www.swinc.com/resource/e2kfaq.htm [quoted text, click to view] "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message
news:eOkMD8uzDHA.536@tk2msftngp13.phx.gbl... > We haven't been able to determine if and where Exchange might be setting > Integrated Windows Authentication on other than in IIS. Does anyone know IF > Exchange is doing this, and if so, how to prevent it? Thanks! > > > > "David Wang [Msft]" <someone@online.microsoft.com> wrote in message > news:ORA1MwpzDHA.560@TK2MSFTNGP11.phx.gbl... > > If that's the case, then your problem is not the setting being lost. It > > sounds like something elsewhere is intentionally turning it back on > > (probably Exchange), so you want to configure Exchange (or however it > wants > > you to configure it) to not use Integrated Windows Authentication. > > > > -- > > //David > > IIS > > This posting is provided "AS IS" with no warranties, and confers no > rights. > > // > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message > > news:%234V3VRXzDHA.2680@TK2MSFTNGP11.phx.gbl... > > Okay, we've tried what you suggested, making the change to the virtual > > directory and unchecking the "Integrated Windows Authentication" box, and > > then immediately run "NET STOP /y IISADMIN" from a Cmd Prompt, it > > successfully stops the service and all other dependant Exchange services. > > We start all of the services back up and the box remains unchecked. It > > remained uncheck for the next 2 days, but then on the 3rd day it was > checked > > again automatically. Just a reminder, this is a Member Server running > > Windows 2000 SP4 and Exchange 2000 Post-SP3, we stop/start all Exchange > and > > IIS services every night for offline backups. We are attempting to change > > this on a Virtual Directory, not the top level of the website. Is there > > something we are missing? Thank you for your help. > > > > > > > > > > "David Wang [Msft]" <someone@online.microsoft.com> wrote in message > > news:OdijbuSyDHA.2508@TK2MSFTNGP12.phx.gbl... > > > Ok, I've described basically the same solution as Karl. Only difference > > is > > > that I *know* that stopping IISADMIN will trigger the metabase flush. > > > > > > I'll describe what's going on. > > > > > > The basic problem is this: > > > 1. When you make a configuration change to IIS via the UI, it is kept in > > > memory (since IIS will frequently take the change live) and NOT > > immediately > > > written to disk. > > > 2. Later, IIS attempts to write the change to disk using an algorithm to > > > determine "idleness". > > > 3. I've seen instances where "idleness" doesn't happen, so the changes > are > > > not written to disk after a given time period. This isn't exactly bad > > since > > > IIS will eventually write the change to disk when you stop the IISADMIN > > > service... but it's bad news if #4 happens... > > > 4. Something manages to kill the IISADMIN service before IIS writes the > > > change. This can be an inproc ISAPI crashing, or using IISRESET and IIS > > > takes >30 seconds to restart (probably likely with Exchange as a > > > dependency). When this happens, the unwritten changes are lost, and > upon > > > restart, you get the old settings. > > > > > > What you're describing is that somehow, #4 is happening prior to your > > change > > > being flushed to disk. Thus, you're losing your change. The way you > work > > > around this is to basically make the change and IMMEDIATELY cause a > > metabase > > > flush to disk to happen. Stopping the IISADMIN service is one way, but > > NOT > > > using IISRESET. The sure way to do this is to type: > > > NET STOP /y IISADMIN on the commandline > > > > > > With IIS6, what we changed was: > > > 1. Give you a menu option to immediately save all configuration to disk. > > > 2. When you exit the UI, automatically initiate a flush to disk. > > > > > > We will probably never change this behavior on prior IIS versions since > > the > > > change can be dangerous and cause other potential unknown problems. > It's > > > better to have a known problem and workaround than an unknown problem > with > > > an unknown workaround. > > > > > > -- > > > //David > > > IIS > > > This posting is provided "AS IS" with no warranties, and confers no > > rights. > > > // > > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in > message > > > news:uOPN55JyDHA.1736@TK2MSFTNGP09.phx.gbl... > > > Yes, I believe this is a bug as well, I have seen several posts in this > > > newsgroup over the last several months with others having the same > issue. > > > Could the MS guy elaborate of what might be wrong or where to look for > the > > > source of the problem, what to fix? > > > > > > Our issue has been very inconsistent, we stop all web services during > our > > > offline Exchange backup every night. And even though we have unchecked > > the > > > box for "Integreated Windows Authentication" it will sometimes stay > > > unchecked when the web services are restarted but most of the time the > box > > > is rechecked automatically. > > > > > > Thanks Karl, I try what you have suggested. > > > > > > > > > "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message > > > news:%2349xah9xDHA.2116@TK2MSFTNGP11.phx.gbl... > > > > This has been happening to me ever since 2001. I believe it's a known > > > bug, > > > > possibly where the IIS Metabase isn't properly being saved on exit. > > What > > > I > > > > was able to do is make that change AND ONLY that one change in one > > place, > > > > and then right-click to stop and restart the web server instance > [and/or > > > > stop and restart the WWW service in Windows]. Then immediately go > back > > > into > > > > IIS and confirm that the setting is still there. If it is, you should > > be > > > > OK. > > > > > > > > > > > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in > > message > > > > news:eDXqDrnxDHA.2436@TK2MSFTNGP09.phx.gbl... > > > > > Is there a way to permanently turn off Integrated Windows > > Authentication > > > > on
Don't stop the iisadmin service! The Exchange services depend on IIS. If
you stop the IISadmin service, it will stop many of the Exchange services as well! -- Ben Winzenz Network Engineer Gardner & White Exchange FAQ's: http://www.swinc.com/resource/exch_faq.htm Exchange 2000 FAQ's: http://www.swinc.com/resource/e2kfaq.htm [quoted text, click to view] "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message
news:eMH$h6vzDHA.2160@TK2MSFTNGP12.phx.gbl... > Excellent! We'll try changing it here (and the possible combination of the > "net stop /y iisadmin") and see if it holds longer than a few days. Thanks > you! > > > "Ben Winzenz" <benwinzenz@NOSPAM.gardnerwhite.com> wrote in message > news:uYd$8LvzDHA.556@TK2MSFTNGP11.phx.gbl... > > Go into Exchange System Manager and drill down to the http - Exchange > > Virtual Server. Exchange and Public directories. Note that you cannot > > modify the properties of the Exchange Virtual server itself - those must > be > > managed by IIS. However, if you are going to make authentication settings > > changes, such as on the Exchange and Public virtual directories, you want > to > > do them here, not in IIS. Exchange will periodically refresh the IIS > > Metabase with it's settings. If you set the authentication in IIS, rather > > than in ESM, it will quite likely be overwritten by Exchange the next time > > the settings are refreshed. > > > > -- > > Ben Winzenz > > Network Engineer > > Gardner & White > > > > Exchange FAQ's: http://www.swinc.com/resource/exch_faq.htm > > Exchange 2000 FAQ's: http://www.swinc.com/resource/e2kfaq.htm > > > > > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message > > news:eOkMD8uzDHA.536@tk2msftngp13.phx.gbl... > > > We haven't been able to determine if and where Exchange might be setting > > > Integrated Windows Authentication on other than in IIS. Does anyone > know > > IF > > > Exchange is doing this, and if so, how to prevent it? Thanks! > > > > > > > > > > > > "David Wang [Msft]" <someone@online.microsoft.com> wrote in message > > > news:ORA1MwpzDHA.560@TK2MSFTNGP11.phx.gbl... > > > > If that's the case, then your problem is not the setting being lost. > It > > > > sounds like something elsewhere is intentionally turning it back on > > > > (probably Exchange), so you want to configure Exchange (or however it > > > wants > > > > you to configure it) to not use Integrated Windows Authentication. > > > > > > > > -- > > > > //David > > > > IIS > > > > This posting is provided "AS IS" with no warranties, and confers no > > > rights. > > > > // > > > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in > > message > > > > news:%234V3VRXzDHA.2680@TK2MSFTNGP11.phx.gbl... > > > > Okay, we've tried what you suggested, making the change to the virtual > > > > directory and unchecking the "Integrated Windows Authentication" box, > > and > > > > then immediately run "NET STOP /y IISADMIN" from a Cmd Prompt, it > > > > successfully stops the service and all other dependant Exchange > > services. > > > > We start all of the services back up and the box remains unchecked. > It > > > > remained uncheck for the next 2 days, but then on the 3rd day it was > > > checked > > > > again automatically. Just a reminder, this is a Member Server running > > > > Windows 2000 SP4 and Exchange 2000 Post-SP3, we stop/start all > Exchange > > > and > > > > IIS services every night for offline backups. We are attempting to > > change > > > > this on a Virtual Directory, not the top level of the website. Is > there > > > > something we are missing? Thank you for your help. > > > > > > > > > > > > > > > > > > > > "David Wang [Msft]" <someone@online.microsoft.com> wrote in message > > > > news:OdijbuSyDHA.2508@TK2MSFTNGP12.phx.gbl... > > > > > Ok, I've described basically the same solution as Karl. Only > > difference > > > > is > > > > > that I *know* that stopping IISADMIN will trigger the metabase > flush. > > > > > > > > > > I'll describe what's going on. > > > > > > > > > > The basic problem is this: > > > > > 1. When you make a configuration change to IIS via the UI, it is > kept > > in > > > > > memory (since IIS will frequently take the change live) and NOT > > > > immediately > > > > > written to disk. > > > > > 2. Later, IIS attempts to write the change to disk using an > algorithm > > to > > > > > determine "idleness". > > > > > 3. I've seen instances where "idleness" doesn't happen, so the > changes > > > are > > > > > not written to disk after a given time period. This isn't exactly > bad > > > > since > > > > > IIS will eventually write the change to disk when you stop the > > IISADMIN > > > > > service... but it's bad news if #4 happens... > > > > > 4. Something manages to kill the IISADMIN service before IIS writes > > the > > > > > change. This can be an inproc ISAPI crashing, or using IISRESET and > > IIS > > > > > takes >30 seconds to restart (probably likely with Exchange as a > > > > > dependency). When this happens, the unwritten changes are lost, and > > > upon > > > > > restart, you get the old settings. > > > > > > > > > > What you're describing is that somehow, #4 is happening prior to > your > > > > change > > > > > being flushed to disk. Thus, you're losing your change. The way > you > > > work > > > > > around this is to basically make the change and IMMEDIATELY cause a > > > > metabase > > > > > flush to disk to happen. Stopping the IISADMIN service is one way, > > but > > > > NOT > > > > > using IISRESET. The sure way to do this is to type: > > > > > NET STOP /y IISADMIN on the commandline > > > > > > > > > > With IIS6, what we changed was: > > > > > 1. Give you a menu option to immediately save all configuration to > > disk. > > > > > 2. When you exit the UI, automatically initiate a flush to disk. > > > > > > > > > > We will probably never change this behavior on prior IIS versions > > since > > > > the > > > > > change can be dangerous and cause other potential unknown problems. > > > It's > > > > > better to have a known problem and workaround than an unknown > problem > > > with > > > > > an unknown workaround. > > > > > > > > > > -- > > > > > //David > > > > > IIS > > > > > This posting is provided "AS IS" with no warranties, and confers no > > > > rights. > > > > > // > > > > > "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in > > > message > > > > > news:uOPN55JyDHA.1736@TK2MSFTNGP09.phx.gbl... > > > > > Yes, I believe this is a bug as well, I have seen several posts in > > this > > > > > newsgroup over the last several months with others having the same > > > issue. > > > > > Could the MS guy elaborate of what might be wrong or where to look > for > > > the > > > > > source of the problem, what to fix? > > > > >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |