I'm having a problem connecting anonymously to an IIS6 Web Server.

- Server is Windows 2003, IIS6
- Server is a domain controller
- IUSR_SERVERNAME account has permissions to access c:\wwwroot
- IUSR_SERVERNAME account is a member of IIS_WPG
- IUSR_SERVERNAME account has permission to log on locally and as a batch job
- IIS Anonymous authentication is enabled with username IUSR_SERVERNAME

When I try to navigate to a website on the server from a client, IE prompts
for credentials.

The server event log has a Failure Audit error message as follows:

The user has not been granted the specified logon type at this machine.
....
Username: IUSR_SERVERNAME
Domain: <domain name>
Logon Type: 8
....

(I think logon type 8 is NETWORK_CLEARTEXT).

So it seems anonymous authentication is enabled, but is failing because the
IUSR_ account can't log in.

I suspect it's something to do with the security policy.

Any suggestions for how to troubleshoot this?

Thanks in advance,

Joe

[quoted text, click to view]

Thanks, that's the problem.

The IUSR account is listed under the "Access this computer from the network"
policy, but is a member of the "Guests" group which is listed under "Deny
access to this computer from the network".

It looks like the "Deny" policy via its "Guests" membership trumps the
"Allow" policy, which makes perfect sense. I tried removing IUSR from Guests
and it works.

I'll have to talk to our administrators to decide what to do about this.

On Fri, 3 Dec 2004 08:11:01 -0800, Joe <Joe@discussions.microsoft.com>
[quoted text, click to view]

Make sure the IUSR account has Logon From Network rights, necessary on
Domain Controllers since the IUSR account is not a local account on a
DC.