
iis security : Anonymous Access on IIS6


willie thompson
1/14/2005 3:27:57 PM
Hello,

I'm having an Anonymous access problem which is driving me round the bend !

Basically, I created a website a few years ago, stuck it on a Windows 2000
server and made it live on the internet. Everything was fine, and a month or
so back I upgraded the server to Windows 2003 standard, using the upgrade
option to upgrade the server. The website still works just fine.

Now, we've decided to create a new website from scratch. That's been done
and it works fine internally. I created a new virtual directory using
exactly the same settings/login credentials as before, just pointed it to a
different directory. Externally, I get this error :

Unauthorized: Access is denied due to invalid credentials.

I've no idea why! If I use Basic Authentication, I get a login box from
outside the network, and when I enter the same user name, domain and
password I was using for Anonymous Access, it works ! Naturally, I don't
want a user name and password to appear for random visitors to my website.

Just a bit more background:

- the webserver is a member of a domain
- the user name and password I'm using is on the same domain
- NTFS permissions are the same on the one that works and the one that
doesn't
- the old website still works just fine

I've done a fair bit of googling with no luck.

Anyone any ideas?


David Wang [Msft]
1/14/2005 11:40:53 PM
If the new website works from internally and not externally, it probably is
not an IIS issue.

1. Make sure your website only has Anonymous access enabled. No other
authentication enabled. Make sure this setting is inherited to all web
pages in question (because you can customize authentication on a per page
basis in IIS).
2. Please provide the entry in the log file that corresponds to your failing
anonymous request from external.

If you can, install Network Monitor from the Windows Server 2003 CD (it is
in Add/Remove Programs\Windows Components\Network Monitoring Tools) and use
it to take a Network trace of the request that claims failure.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//



David Wang [Msft]
1/19/2005 1:37:11 PM
Actually, your issue is probably very different than the other user's. Your
machine is a DC, his was not. That is a big difference when it comes to IIS
(and many programs, for that matter).

First uncheck IE's "Show Friendly HTTP Errors" option and report the actual
error response (and status codes). Also, report the web log entry for the
failed request -- if it was a connection-level issue, it will be in
%windir%\System32\LogFiles\HTTPERR\*.log , while if a request failed to
execute, it will be in %windir%\System32\LogFiles\W3SVC#\*.log . Without
detailed failure logs, it is hard to troubleshoot the actual issue.

In general, running IIS6 on a DC does not work because of various
restrictions a DC places on the machine, different user privileges, and we
really could not make it work on more than a couple of basic scenarios by
default and in general, it requires a lot of tweaking of settings
everywhere. It is simply not recommended, on top of the general advice of
not running external-facing servers on the DC -- one compromise from
external source via any mechanism, and your entire domain is compromised --
and a DC is designed to be accessed by other machines so it is harder to
lock down without breaking functionality.

It is important to note the order of installation -- did you install IIS
before or after the machine ran DCPROMO to become a DC?

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
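
The log entries requested in the replies above can be triaged with a short script. This is an added example, not part of the original thread: it pulls 401 entries out of an IIS 6 W3C extended log (the W3SVC# log named above) and decodes the sub-status and Win32 status. It assumes the `sc-substatus` and `sc-win32-status` fields are present in the log; the sample log lines, addresses and paths are constructed.

```python
# 401 sub-status codes as recorded in the sc-substatus field.
SUBSTATUS_401 = {
    1: "logon failed",
    2: "logon failed due to server configuration",
    3: "unauthorized due to ACL on resource",
    4: "authorization failed by filter",
    5: "authorization failed by ISAPI/CGI application",
}
# Win32 error codes commonly seen in sc-win32-status for access failures.
WIN32 = {5: "ERROR_ACCESS_DENIED", 1326: "ERROR_LOGON_FAILURE",
         1385: "ERROR_LOGON_TYPE_NOT_GRANTED"}

def find_401s(lines):
    """Yield one dict per 401 entry, using the log's own #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the header can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("sc-status") != "401":
            continue
        sub = int(row.get("sc-substatus", "0"))
        win32 = int(row.get("sc-win32-status", "0"))
        yield {
            "client": row.get("c-ip"),
            "uri": row.get("cs-uri-stem"),
            "user": row.get("cs-username"),  # "-" means no credentials sent
            "code": f"401.{sub}",
            "meaning": SUBSTATUS_401.get(sub, "unknown"),
            "win32": WIN32.get(win32, str(win32)),
        }

# Constructed sample log: documentation IP ranges, hypothetical paths.
SAMPLE = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-substatus sc-win32-status
2005-01-14 15:20:01 192.0.2.10 GET /oldsite/default.htm - 80 - 198.51.100.7 200 0 0
2005-01-14 15:20:09 192.0.2.10 GET /newsite/default.htm - 80 - 198.51.100.7 401 1 1326
2005-01-14 15:21:30 192.0.2.10 GET /newsite/logo.gif - 80 - 198.51.100.7 401 3 5
"""

if __name__ == "__main__":
    for hit in find_401s(SAMPLE.splitlines()):
        print(hit)
```

A 401.1 with a logon-failure status points at the anonymous account's credentials or logon rights, while a 401.3 points at NTFS permissions on the content.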


Ivan Brebner
1/19/2005 10:28:29 PM
Hi there,

Well, I don't have too much to add other than the fact that I have near the
very same issues you are having.

I have a 2003 Server that is the DC that runs a public website on IIS 6.0
.... well, it's supposed to. Anon account is by default IUSR_Servername and I
have altered the password. I have reflected this in IISAdmin so that it
would work. It seems that the IUSR Account is the issue under a domain and
this has trouble impersonating as it seems that the account needs to align
with the computer rather than the Domain. I have been looking down my nose
at this one all day and still no go. I have been viewing my site from the
outside (it finds the public DN and says site found, then times out after
about 60 secs or so).

Hope this helps at least in describing errors.

Any help would be appreciated.


Ivan Brebner


Ivan Brebner
1/20/2005 1:21:35 PM
Hi David,

Thank you for the information, I was starting to head down the option of
running a service account and looked at some other options. I guess I was
trying to perhaps do too much with what I had. Sharepoint is on the same
server and runs ok (But I understand that). I totally understand now why
public sites are best left away from the DC.
I will place it on a workstation.

Thank you for the log options as well. Regards,

Ivan Brebner
PS IIS was installed after DCPROMO