
iis security : IIS 5.0 + IISADMPWD


Jim Mc
12/27/2003 4:40:52 PM
I'm trying once again to set up IISADMPWD (.asp scripts) on a Win2k
server.

I've got an SSL cert for the web site, but permit browsing of the site
via either HTTP or HTTPS.

When (whatever mechanism is called into play and displays the
IISADMPWD scripts) attempts to display one of the asp templates I get
an error 403.4 - The page must be viewed over a secure channel.

In the web site's metabase configuration I have PasswordChangeFlags
set to 1, which should permit the dialog over a non-secure channel.
If I change the flags to 0, which I intend to do eventually, I get the
same error. I would have expected:

a) that if flags=1 it should not require a secure channel, and
b) that if flags=0 and a secure channel is required, it would
automatically display the page using HTTPS

I don't want my (very confused) users to receive this error, then have
to add the "S" to the URL displayed in their browsers.

a-chaun NO[at]SPAM NOSPAMmicrosoft.com
12/29/2003 7:17:01 PM


When you either GET or SET the value in the metabase, are you setting it at
the global level and/or at the site level?

In line with KB article 269082, perhaps keep in mind that the
PasswordChangeFlags entry is found in at least two places in the metabase.

adsutil.vbs GET w3svc/PasswordChangeFlags

and

adsutil.vbs GET w3svc/1/PasswordChangeFlags

If one of them is set to 2 or 3, then perhaps that shows the problem.

Hope that helps,

Chris - IISTeam

Jim Mc
12/30/2003 10:27:09 PM
On Mon, 29 Dec 2003 19:17:01 GMT, a-chaun@NOSPAMmicrosoft.com


Actually, I deleted the parent entry in the metabase that was marked
inheritable and then created the flags entry at the virtual server
level. The setting for the default web site was also deleted, but
should have no effect either way.

I corrected the immediate problem, but I'm unsure exactly why. I
re-created the virtual directory IISADMPWD and it appears to function
properly now. The problem may have stemmed from when I'd recently
installed an SSL cert for the virtual server and then had marked the
entire virtual server as browsable only via HTTPS. I cleared that
setting, but apparently the IISADMPWD virtual directory held onto the
setting and thus wasn't permitting any browsing via HTTP.

The problem I have now is that it calls up the correct template (there
appears to be an SSL and a non-SSL template for each scenario -
expired password, due to expire, etc.) but it's not calling the
template via HTTPS as directed by PasswordChangeFlags=0. The code
within the template itself looks as though it's designed to catch
this, but it isn't working and the template is served via HTTP.

BTW, the handful of .asp templates that comprise IISADMPWD are so
poorly written that they appear to have been coded by a high school
intern while his supervisor was out of town. How can this code
actually have been released by Microsoft in response to a fix for a
security problem? It's mind boggling.
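
Added example (not part of the thread and not Microsoft code): a small Python model of the two things discussed above, inheritance of PasswordChangeFlags from w3svc down to the site, and an AccessSSLFlags value left on the IISADMPWD virtual directory. The metabase readings, the site number 1, the path w3svc/1/root/IISADMPWD and the default of 0 for an unset property are assumptions made for the illustration.

```python
# PasswordChangeFlags bits (IIS metabase); AccessSSLFlags bit 8 = require SSL.
CHANGE_UNSECURE, CHANGE_DISABLE, NOTIFY_DISABLE = 0x1, 0x2, 0x4
ACCESS_SSL = 0x8


def effective(metabase, path, prop, default=0):
    """Return (value, source): nearest node at or above `path` that sets `prop`.

    default=0 for a property set nowhere is an assumption of this example.
    """
    parts = path.strip("/").split("/")
    while parts:
        node = "/".join(parts)
        if prop in metabase.get(node, {}):
            return metabase[node][prop], node
        parts.pop()
    return default, None


def diagnose(metabase, site, vdir):
    """Explain how the password-change pages will behave for one site."""
    flags, flags_src = effective(metabase, site, "PasswordChangeFlags")
    ssl, ssl_src = effective(metabase, vdir, "AccessSSLFlags")
    findings = []
    if flags & CHANGE_DISABLE:
        findings.append(f"password change disabled by {flags_src} (bit 2 set)")
    if ssl & ACCESS_SSL:
        findings.append(f"{ssl_src} requires SSL: HTTP requests get 403.4")
        if flags & CHANGE_UNSECURE:
            findings.append("bit 1 (allow non-SSL) cannot override AccessSSLFlags")
    elif not flags & CHANGE_UNSECURE:
        findings.append("flags expect SSL but the vdir still answers over HTTP")
    return flags, ssl, findings


# Constructed readings, as if noted down from adsutil.vbs GET at each level.
STALE_VDIR = {
    "w3svc/1": {"PasswordChangeFlags": 1},
    "w3svc/1/root/IISADMPWD": {"AccessSSLFlags": 8},
}
INHERITED_DISABLE = {"w3svc": {"PasswordChangeFlags": 3}}

if __name__ == "__main__":
    for name, mb in (("stale vdir", STALE_VDIR), ("inherited", INHERITED_DISABLE)):
        print(name, diagnose(mb, "w3svc/1", "w3svc/1/root/IISADMPWD"))
```

The first sample reproduces the 403.4 case from the thread; the second shows why a value of 2 or 3 at the w3svc level matters even when the site itself sets nothing.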