| Groups | Blog | Home |
iis security : Windows 2000 IIS Logon issue
enabled Basic authentication and added the local domain to the default domain setting. When I log in using just my logon name, access is denied and the following is logged in the Security event log: Security/Account Logon/EventID 681: The logon to account: <deleted> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: <deleted> failed. The error code was: 3221225572 The error codes indicates that the user does not exist??? If I enter the logon name in the DOMAIN\USERNAME style, everything works as intended. Question is; Why is IIS ignoring my default domain setting, and how do I get this to work as intended? Regards; /jb
Hi Jonny,
Looks like the default logon domain setting for Basic auth hasn't taken effect. Please do not click 'browse' to select your domain but simply input your domain name(just the same as the prefix of <domain>\<username> without '\') in the 'Domain Name' textbox. Also, please make sure there isn't other authentication selected, only choose Basic. After the changes, run iisreset command to restart IIS and browse to the site to test again. Please let us know if the problem still persists. Best regards, WenJun Zhang Microsoft Online Support This posting is provided "AS IS" with no warranties, and confers no rights. Get Secure! - www.microsoft.com/security
Do you have any of the other authentication mechanisms checked? Or only
basic? Cheers Ken [quoted text, click to view] "Jonny Bergdahl" <jonnybergdahl@newsgroups.nospam> wrote in message news:%23htijj6fEHA.3320@TK2MSFTNGP11.phx.gbl... >I have a web with a section of it setup to require a password. I have > enabled Basic authentication and added the local domain to the default > domain setting. > > When I log in using just my logon name, access is denied and the following > is logged in the Security event log: > Security/Account Logon/EventID 681: > The logon to account: <deleted> > by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 > from workstation: <deleted> > failed. The error code was: 3221225572 > > The error codes indicates that the user does not exist??? > > If I enter the logon name in the DOMAIN\USERNAME style, everything works > as > intended. > > Question is; Why is IIS ignoring my default domain setting, and how do I > get > this to work as intended? > > Regards; > /jb > >
[quoted text, click to view]
> taken effect. Please do not click 'browse' to select your domain but > simply input your domain name(just the same as the prefix of > <domain>\<username> without '\') in the 'Domain Name' textbox. Also, I have verified that the domain name is entered correctly, and the machine has been completely rebooted since the settings were made. It works when autentication is made over NTML, but not when using Basic. This is the result when running Wfetch (Basic, only User and Passwd set): REQUEST: **************\n GET /templates/Home.asp?id=2213 HTTP/1.0\r\n Host: 10.1.2.19\r\n Accept: */*\r\n Connection: Keep-Alive\r\n Authorization: Basic <xxxx>\r\n \r\n RESPONSE: **************\n HTTP/1.1 401 Unauthorized\r\n Via: 1.1 FIREWALL\r\n Connection: close\r\n Proxy-Support: Session-Based-Authentication\r\n Connection: Proxy-Support\r\n Expires: Fri, 04 Jun 2004 00:26:29 GMT\r\n Date: Thu, 12 Aug 2004 11:06:29 GMT\r\n Content-Type: text/html\r\n Server: Microsoft-IIS/5.0\r\n WWW-Authenticate: Negotiate\r\n WWW-Authenticate: NTLM\r\n WWW-Authenticate: Basic realm="10.1.2.19"\r\n Pragma: no-cache\r\n Set-Cookie: loggedon=1; path=/\r\n Cache-control: no-store\r\n \r\n This is the result when running Wfetch (Basic, Domain, User and Passwd set): REQUEST: **************\n GET /templates/Home.asp?id=2213 HTTP/1.0\r\n Host: 10.1.2.19\r\n Accept: */*\r\n Connection: Keep-Alive\r\n Authorization: Basic <xxxx>\r\n \r\n RESPONSE: **************\n HTTP/1.1 200 OK\r\n Via: 1.1 FIREWALL\r\n Connection: Keep-Alive\r\n Proxy-Connection: Keep-Alive\r\n Content-Length: 5524\r\n Expires: Fri, 04 Jun 2004 00:31:11 GMT\r\n Date: Thu, 12 Aug 2004 11:11:11 GMT\r\n Content-Type: text/html\r\n Server: Microsoft-IIS/5.0\r\n Pragma: no-cache\r\n Set-Cookie: loggedon=1; path=/\r\n Cache-control: no-store\r\n \r\n For comparision (NTML, only User and Passwd set): REQUEST: **************\n GET /templates/Home.asp?id=2213 HTTP/1.0\r\n Host: 10.1.2.19\r\n Accept: */*\r\n Connection: Keep-Alive\r\n Authorization: NTLM <xxxxx>\r\n \r\n RESPONSE: **************\n HTTP/1.1 401 Access Denied\r\n Via: 1.1 FIREWALL\r\n Connection: Keep-Alive\r\n Proxy-Support: Session-Based-Authentication\r\n Connection: Proxy-Support\r\n Content-Length: 24\r\n Date: Thu, 12 Aug 2004 11:08:22 GMT\r\n Content-Type: text/html\r\n Server: Microsoft-IIS/5.0\r\n WWW-Authenticate: NTLM <xxxxx>\r\n \r\n SEC_E_OK - InitializeSecurityContext\n Error: Access is Denied. REQUEST: **************\n GET /templates/Home.asp?id=2213 HTTP/1.0\r\n Host: 10.1.2.19\r\n Accept: */*\r\n Connection: Keep-Alive\r\n Authorization: NTLM <xxxxx>\r\n \r\n RESPONSE: **************\n HTTP/1.1 200 OK\r\n Via: 1.1 FIREWALL\r\n Connection: Keep-Alive\r\n Proxy-Connection: Keep-Alive\r\n Content-Length: 5524\r\n Expires: Fri, 04 Jun 2004 00:28:22 GMT\r\n Date: Thu, 12 Aug 2004 11:08:22 GMT\r\n Content-Type: text/html\r\n Server: Microsoft-IIS/5.0\r\n Pragma: no-cache\r\n Set-Cookie: loggedon=1; path=/\r\n Cache-control: no-store\r\n \r\n Please advice. Regards; /jb
Hi Jonny,
Integrated authentication doesn't work with the default logon domain setting. So if you can login the site via NTLM without input the <domain>\ prefix, it means you should have a local account with the same username and password on this IIS server. You can check if there is the local account on this box. Also, a general reason for an account NTLM auth works but Basic not is the account doesn't have 'log on locally' permission in GPO(i.e local security policy). 'Log on locally' is required by Basic but not required by NTLM because one is CLEARTEXT logon type and the other is NETWORK logon. Best regards, WenJun Zhang Microsoft Online Support This posting is provided "AS IS" with no warranties, and confers no rights. Get Secure! - www.microsoft.com/security
Hi,
Can you see this header? WWW-Authenticate: Basic realm="10.1.2.19" The "realm" should list your domain. 10.1.2.19 is not a Windows domain. A Windows domain should be the NetBIOS name of the domain in question. Cheers Ken [quoted text, click to view] "Jonny Bergdahl" <jonnybergdahl@newsgroups.nospam> wrote in message news:%23Qqkt1FgEHA.2536@TK2MSFTNGP09.phx.gbl... >> taken effect. Please do not click 'browse' to select your domain but >> simply input your domain name(just the same as the prefix of >> <domain>\<username> without '\') in the 'Domain Name' textbox. Also, > > I have verified that the domain name is entered correctly, and the machine > has been completely rebooted since the settings were made. It works when > autentication is made over NTML, but not when using Basic. > > This is the result when running Wfetch (Basic, only User and Passwd set): > REQUEST: **************\n > GET /templates/Home.asp?id=2213 HTTP/1.0\r\n > Host: 10.1.2.19\r\n > Accept: */*\r\n > Connection: Keep-Alive\r\n > Authorization: Basic <xxxx>\r\n > \r\n > RESPONSE: **************\n > HTTP/1.1 401 Unauthorized\r\n > Via: 1.1 FIREWALL\r\n > Connection: close\r\n > Proxy-Support: Session-Based-Authentication\r\n > Connection: Proxy-Support\r\n > Expires: Fri, 04 Jun 2004 00:26:29 GMT\r\n > Date: Thu, 12 Aug 2004 11:06:29 GMT\r\n > Content-Type: text/html\r\n > Server: Microsoft-IIS/5.0\r\n > WWW-Authenticate: Negotiate\r\n > WWW-Authenticate: NTLM\r\n > WWW-Authenticate: Basic realm="10.1.2.19"\r\n > Pragma: no-cache\r\n > Set-Cookie: loggedon=1; path=/\r\n > Cache-control: no-store\r\n > \r\n > > This is the result when running Wfetch (Basic, Domain, User and Passwd > set): > REQUEST: **************\n > GET /templates/Home.asp?id=2213 HTTP/1.0\r\n > Host: 10.1.2.19\r\n > Accept: */*\r\n > Connection: Keep-Alive\r\n > Authorization: Basic <xxxx>\r\n > \r\n > RESPONSE: **************\n > HTTP/1.1 200 OK\r\n > Via: 1.1 FIREWALL\r\n > Connection: Keep-Alive\r\n > Proxy-Connection: Keep-Alive\r\n > Content-Length: 5524\r\n > Expires: Fri, 04 Jun 2004 00:31:11 GMT\r\n > Date: Thu, 12 Aug 2004 11:11:11 GMT\r\n > Content-Type: text/html\r\n > Server: Microsoft-IIS/5.0\r\n > Pragma: no-cache\r\n > Set-Cookie: loggedon=1; path=/\r\n > Cache-control: no-store\r\n > \r\n > > For comparision (NTML, only User and Passwd set): > REQUEST: **************\n > GET /templates/Home.asp?id=2213 HTTP/1.0\r\n > Host: 10.1.2.19\r\n > Accept: */*\r\n > Connection: Keep-Alive\r\n > Authorization: NTLM <xxxxx>\r\n > \r\n > RESPONSE: **************\n > HTTP/1.1 401 Access Denied\r\n > Via: 1.1 FIREWALL\r\n > Connection: Keep-Alive\r\n > Proxy-Support: Session-Based-Authentication\r\n > Connection: Proxy-Support\r\n > Content-Length: 24\r\n > Date: Thu, 12 Aug 2004 11:08:22 GMT\r\n > Content-Type: text/html\r\n > Server: Microsoft-IIS/5.0\r\n > WWW-Authenticate: NTLM <xxxxx>\r\n > \r\n > SEC_E_OK - InitializeSecurityContext\n > Error: Access is Denied. > REQUEST: **************\n > GET /templates/Home.asp?id=2213 HTTP/1.0\r\n > Host: 10.1.2.19\r\n > Accept: */*\r\n > Connection: Keep-Alive\r\n > Authorization: NTLM <xxxxx>\r\n > \r\n > RESPONSE: **************\n > HTTP/1.1 200 OK\r\n > Via: 1.1 FIREWALL\r\n > Connection: Keep-Alive\r\n > Proxy-Connection: Keep-Alive\r\n > Content-Length: 5524\r\n > Expires: Fri, 04 Jun 2004 00:28:22 GMT\r\n > Date: Thu, 12 Aug 2004 11:08:22 GMT\r\n > Content-Type: text/html\r\n > Server: Microsoft-IIS/5.0\r\n > Pragma: no-cache\r\n > Set-Cookie: loggedon=1; path=/\r\n > Cache-control: no-store\r\n > \r\n > > Please advice. > > Regards; > /jb > >
[quoted text, click to view]
> The "realm" should list your domain. 10.1.2.19 is not a Windows domain. A > Windows domain should be the NetBIOS name of the domain in question. Yes, I was wondering about that one as well. I can't find anywhere to enter it, and it seems that IIS actually takes this value from the HOST header in the request. Regards; /jb
Hi Jonny,
Have you checked the server's local SAM yet? Does the same local account exist? Best regards, WenJun Zhang Microsoft Online Support This posting is provided "AS IS" with no warranties, and confers no rights. Get Secure! - www.microsoft.com/security
[quoted text, click to view]
> Have you checked the server's local SAM yet? Does the same local > account exist? Yes, I have. There are no users defined locally, except for the ones that gets installed by default. We are running ISA Server to forward request from the internet, can this possibly make any difference? Regards; /jb
[quoted text, click to view]
> Integrated authentication doesn't work with the default logon domain > setting. So if you can login the site via NTLM without input the > <domain>\ prefix, it means you should have a local account with the It seem to do exactly the opposite, I can log in without entering the domain part if using NTML, and I can't log in without entering the domain part when using Basic. [quoted text, click to view] > local security policy). 'Log on locally' is required by Basic but not There is no problem with that setting because I can log in using any autentication scheme as long as I enter the domain part. Problem is that I don't want the users to know (or care) that they are using a domain logon. Regards; /jb
Hi Jonny,
If the ISA server and IIS is setup on the same box, please directly access the internal IP being binded by IIS - http://<internal IP>:<port>/ . This bypasses the ISA proxy, please test if the behavior is still the same. If ISA proxy is on another box, please test on the IIS server via localhost. Also, can you please export your metabase configuration and send it to me? I'd like to check metadata for problems. You can install the MetaEdit tool and export whole the W3SVC node to a txt file: How To Install MetaEdit 2.2 on Windows NT 4.0 or Windows 2000 http://support.microsoft.com/default.aspx?scid=kb;en-us;Q301386&sd=tec h My email address: v-wzhang@online.microsoft.com (Please remove online.) Best regards, WenJun Zhang Microsoft Online Support This posting is provided "AS IS" with no warranties, and confers no rights. Get Secure! - www.microsoft.com/security
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |