
iis security : Can't make a domain user the "anonymous access" user



Jen Roth
6/28/2004 1:51:14 PM
I have been trying to set up a website in IIS 6 so that a
domain user account is used for anonymous access, instead
of IUSR_SERVERNAME. (I am doing this because we have ASP
scripts that need to connect to a datasource as this domain
user.) Unfortunately, it doesn't work. I can set it up so
that a local account is used for anonymous access -- I
created a local "test" account just to make sure I was
setting all the permissions right, and it worked fine. But
if I use a domain account instead, I am prompted for a
username and password whenever I access a web page. I know
the domain account is valid and the password is right, and
the NTFS permissions allow this user access. If I log in
with this username/password when I am prompted, I can view
the page. But for some reason, IIS just doesn't seem to
recognize this domain user as the "anonymous access" user.
David Wang [Msft]
6/28/2004 4:41:25 PM
I do not think this is an IIS issue. I think you have some setting within
your domain's policy that is preventing this. It's working just fine for
me.

IIS just uses the username/password you set and calls LogonUser with it --
the same thing that you do when you are prompted. Based on your
description, you have both Anonymous and some other authentication protocol
enabled -- you may want to check on that since what happens when a user
authenticates (so not using your custom anonymous user) and accesses the ASP
page... and that user does not have database rights. There is no such thing
as "almost correct" security configuration -- you need to configure it
absolutely correct to have 100% intended behavior.

I want to know:
1. what authentication protocols are enabled for the ASP page in question
(anon, basic, Integrated, etc)
2. Are you using default or custom AppPool Identity for the Application Pool
containing this ASP page
3. What are the web log entries for the request that is failing. In
particular, give the HTTP status/sub-status as well as Win32 error codes.
It will make it clear whether the problem is:
a. You entered the wrong anonymous username/password in configuration
b. The domain policy is restricting the username
c. The authenticated user is denied ACLs to the resource
d. etc

I would then enable Security Auditing and see what is causing anonymous
login to fail, and go from there.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//

Jen Roth
6/28/2004 11:48:42 PM
Thanks for your response.

> 1. what authentication protocols are enabled for the ASP page in question
> (anon, basic, Integrated, etc)

I have tried both with and without Integrated authentication enabled.
When it's enabled, I get a login prompt if I am using an NTLM-capable
browser (IE, Mozilla). I can then authenticate using the domain account
in question. Or, if I hit "cancel", I get a 401.1 error. When it's not
enabled, or if I'm using a browser that can't do NTLM, the attempt to
view the page just fails with the 401.1 error.

> 2. Are you using default or custom AppPool Identity for the Application
> Pool containing this ASP page

Default.

> 3. What are the web log entries for the request that is failing. In
> particular, give the HTTP status/sub-status as well as Win32 error codes.

I'm getting "Error 401.1 - Unauthorized: Access is denied due to invalid
credentials." (It just says "401" in the web log.) I'm just not sure *why*
the credentials are invalid. As I said, I can enter the same
domain\username and password at the prompt and view the page. I
even tried using my own domain account -- one I use to log onto this
computer every single day -- and got the same error.

In the Event Viewer, I see Event ID 537:
User: NT AUTHORITY\SYSTEM

Logon Failure:
Reason: An error occurred during login.
User Name: <my domain user>
Domain: <my domain>
Logon Type: 3
Logon Process: IIS
etc.

David Wang [Msft]
6/29/2004 12:51:01 AM
1. No. please tell me what you actually have enabled, not what you tried to
toggle. When dealing with authentication issues it is VERY important to
isolate EXACTLY what authentication protocol you are using. I recommend
either using ONLY Anonymous, or ONLY Integrated. Not both at the same time,
and not with any other. When you isolate, you are CERTAIN what protocol is
being used on the request and thus the expected outcome. Otherwise, you
need to give me a network trace of the browser/server traffic so that I can
determine what exact protocol was finally negotiated and used.

Some of the things you claim are not consistent with a default IIS
installation:
- When Integrated authentication is used, you should not see a dialog box
unless the auto-authentication between the browser and server failed. This
can happen if the username/password is repeatedly deemed incorrect, or
something is running on the server that is erroneously sending 401 access
denied.
- If you use a browser that cannot do NTLM, by definition, a 401.2 error is
returned. IIS will not return 401.1.

Now, if you swear that IIS IS returning 401.1 with a vdir configured with
ONLY Integrated authentication AND you used a browser that doesn't support
NTLM, that is a sign that you have something else custom (ISAPI Filter or
ISAPI Extension) running on your server that is broken, and you'll need to
fix that yourself. It is not an IIS issue but an issue with the custom
ISAPI.

3. No. IIS6 logs, by default, will contain the status, substatus, and Win32
error codes -- unless you've customized the log format. I want all three
pieces of information.


If I understand the last bit of info from you correctly, you're saying that:
1. If the vdir has ONLY anonymous enabled AND you configure the anonymous
user as yourself, it still comes back as 401.1
2. If the vdir has ONLY Integrated enabled, you end up with a login dialog,
and after giving your own credentials, it works


Note -- none of what you describe is expected behavior, and I just do not
see what you are claiming with my IIS6 using a domain user as anonymous
user -- it simply works for me -- just installed IIS6, joined a domain,
changed the anonymous user, and made an anonymous request. Thus, I think
you either have some ISAPI running on the server that is modifying behavior,
or it has something to do with your domain's group policy modifying user
privileges on the server. Security Audit is the way to go there. That, and
use secpol.msc to enumerate all the privileges held by the local anonymous
user account that works and your domain account that does not.

In either case, I do not think your problems lie with IIS but elsewhere.

--
//David
IIS
//
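David's two replies above both turn on the same point: the IIS 6 log already carries the HTTP status, the substatus and the Win32 error for a failed request, and that triple is what separates a bad anonymous password from a policy restriction on the account, from an ACL on the resource, or from a client that simply cannot negotiate the enabled scheme (401.2). The following parser and triage routine is an added example and not code from the thread or from Microsoft; the log excerpt is constructed to look like the IIS 6 default W3C extended format, the host names and the EXAMPLE\jroth user are made up, and the bucket letters a/b/c follow David's list in his first reply. The substatus meanings are the published IIS 6 401.x definitions and the Win32 values are the documented LogonUser error codes.

```python
"""Triage IIS 6 W3C log lines by sc-status / sc-substatus / sc-win32-status.

Added example. Sample data below is constructed, not taken from any real server.
"""
from typing import Dict, List, Tuple

# Constructed sample excerpt in the IIS 6 default W3C extended format. The
# default #Fields list already includes sc-substatus and sc-win32-status.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-06-28 13:51:14
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2004-06-28 13:51:14 W3SVC1 10.0.0.5 GET /default.asp - 80 - 10.0.0.9 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 1385
2004-06-28 13:51:20 W3SVC1 10.0.0.5 GET /default.asp - 80 - 10.0.0.9 Mozilla/4.0+(compatible;+MSIE+6.0) 401 1 1326
2004-06-28 13:51:25 W3SVC1 10.0.0.5 GET /default.asp - 80 - 10.0.0.9 Lynx/2.8.5 401 2 5
2004-06-28 13:51:30 W3SVC1 10.0.0.5 GET /default.asp - 80 EXAMPLE\\jroth 10.0.0.9 Mozilla/4.0+(compatible;+MSIE+6.0) 401 3 5
2004-06-28 13:51:35 W3SVC1 10.0.0.5 GET /default.asp - 80 EXAMPLE\\jroth 10.0.0.9 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
"""

# Win32 codes LogonUser returns when the credentials themselves are rejected.
WIN32_BAD_CREDENTIALS = {1326}  # ERROR_LOGON_FAILURE

# Win32 codes LogonUser returns when the password is right but the account or
# a logon right (e.g. "Access this computer from the network") blocks the logon.
WIN32_ACCOUNT_POLICY = {
    1327: "ERROR_ACCOUNT_RESTRICTION",
    1328: "ERROR_INVALID_LOGON_HOURS",
    1329: "ERROR_INVALID_WORKSTATION",
    1330: "ERROR_PASSWORD_EXPIRED",
    1331: "ERROR_ACCOUNT_DISABLED",
    1385: "ERROR_LOGON_TYPE_NOT_GRANTED",
    1907: "ERROR_PASSWORD_MUST_CHANGE",
    1909: "ERROR_ACCOUNT_LOCKED_OUT",
}


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per request, keyed by #Fields."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        if not fields:
            raise ValueError("log entry appears before any #Fields directive")
        values = line.split(" ")  # W3C escapes embedded spaces as '+'
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch in line: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def classify(row: Dict[str, str]) -> Tuple[str, str]:
    """Map one request to a bucket: a (bad creds), b (policy), c (ACL), config, ..."""
    status = int(row["sc-status"])
    if status != 401:
        return ("ok" if status < 400 else "other", f"HTTP {status}")
    sub_raw = row.get("sc-substatus")
    w32_raw = row.get("sc-win32-status")
    if sub_raw is None or w32_raw is None:
        return ("unlogged",
                "401 without substatus/Win32 status: add sc-substatus and "
                "sc-win32-status to the W3C log fields before triaging")
    sub, w32 = int(sub_raw), int(w32_raw)
    if sub == 1:  # 401.1: LogonUser itself failed
        if w32 in WIN32_BAD_CREDENTIALS:
            return ("a", "401.1 with ERROR_LOGON_FAILURE (1326): configured "
                         "username/password was rejected")
        if w32 in WIN32_ACCOUNT_POLICY:
            return ("b", f"401.1 with {WIN32_ACCOUNT_POLICY[w32]} ({w32}): "
                         "account or logon-right restriction on the user")
        return ("unknown", f"401.1 with Win32 error {w32}")
    if sub == 2:  # no enabled scheme the client can use; credentials never checked
        return ("config", "401.2: client cannot use any enabled authentication "
                          "scheme (not a credential problem)")
    if sub == 3:
        return ("c", "401.3: authenticated identity denied by the ACL on the resource")
    if sub in (4, 5):
        return ("filter", f"401.{sub}: denied by an ISAPI filter/extension, not by IIS logon")
    return ("unknown", f"401.{sub} with Win32 error {w32}")


def triage(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (uri, username, bucket, explanation) for every request in the log."""
    return [(r["cs-uri-stem"], r["cs-username"], *classify(r)) for r in parse_w3c(log_text)]


if __name__ == "__main__":
    for uri, user, bucket, why in triage(SAMPLE_LOG):
        print(f"{bucket:8} {user:15} {uri:15} {why}")
```

The bucket that matters for a domain account used as the anonymous user is "b": the Event ID 537 in the post above shows Logon Type 3, a network logon, and a network logon needs the "Access this computer from the network" right on the web server; when a domain policy removes it, or applies "Deny access to this computer from the network" to the account, LogonUser fails with 1385 even though the same password works when typed interactively. That is the privilege comparison David suggests doing in secpol.msc between the local account that works and the domain account that does not. A log that shows only "401" with no substatus, as in the post above, lands in the "unlogged" bucket and cannot be triaged until those fields are logged.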
Jen Roth
6/30/2004 4:33:58 PM
I found what the problem was. I had missed this before,
but the server was running in IIS 5.0 isolation mode. When