iis security : Problem with securing of Windows 2000 SP4 IIS with AD Windows 2003


Guardian-M2005
3/12/2005 7:59:02 PM
I have a question regarding the securing of Windows 2000 SP4 IIS with AD
Windows 2003. The symptoms are that the security prompts users to log in on
opening an intranet page. I reset the security setting on the folder and the
prompting stops. However, after a reboot of the server or restart of the
services the prompting begins again for some (not all) groups added to the
setup.

The setup includes Windows 2000 server IIS running on a Windows 2003 Active
Directory network. Groups from multiple OUs are added to the security of the
folder containing the intranet pages. IIS authentication is set to anonymous.

Upon a reset of permissions the permissions function OK, but after reboot or
restart of IIS services the intranet page prompts for some users to log in.

By changing all security settings to everyone or authorised user the page
is accessible, but that is not an option as it gives too much access.

How can I resolve this and still keep security?
Guardian-M2005
3/13/2005 3:43:01 AM
Hi

I'm sorry - tried that. This does not help, as all that adding these users
does is give unrestricted access to everyone to the pages. I need to have the
site be accessible only to select groups.

Is there any way to do this without the user being prompted to login?

David Wang [Msft]
3/13/2005 8:23:11 PM
If you enable authentication (like Integrated) and disable anonymous, then
things should automatically work. The only time you'll get the login dialog
is if the NTFS ACL on the resource actually denies access to the remote
user -- meaning it is your responsibility to ensure that those permissions are
set up correctly on the file.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

Ken Schaefer
3/13/2005 8:36:43 PM
Hi,

If allowed access includes "Allow Anonymous Authentication", then which
users/groups you add to the NTFS folder permissions is irrelevant. The
accounts you need to add are either IUSR_machinename (for HTML, ASP pages),
IWAM_machinename (for global.asa etc) and Machine\ASPNET (for ASP.NET pages)

Cheers
Ken


Ken Schaefer
3/14/2005 2:39:28 PM
If you only want to give selected users access then:
a) disable "allow anonymous authentication"
b) enable "Integrated Windows Authentication"
c) ensure that your website meets all the guidelines here:
http://support.microsoft.com/?id=258063
(for example, add the site to the local Intranet security zone etc)

Cheers
Ken
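
The server-side part of steps (a) and (b) above, scripted for the Windows 2000 command prompt, as an added example that is not part of the original thread. The site ID (`W3SVC/1`), the content folder and the group name are assumed placeholders; `adsutil.vbs` is the admin script that ships with IIS 5.

```batch
@echo off
rem Added example, not from the thread. Assumed placeholders:
rem   site ID 1, folder D:\Inetpub\intranet, group EXAMPLE\Intranet-Readers.
setlocal
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
set SITE=W3SVC/1/ROOT
set CONTENT=D:\Inetpub\intranet
set GROUP=EXAMPLE\Intranet-Readers

rem AuthFlags is a bitmask: 1 = Anonymous, 2 = Basic, 4 = Integrated Windows.
rem Print the current value first so the change can be reverted.
cscript //nologo "%ADSUTIL%" get %SITE%/AuthFlags

rem Steps (a) and (b): anonymous off, Integrated Windows Authentication on.
cscript //nologo "%ADSUTIL%" set %SITE%/AuthFlags 4

rem With anonymous off, requests run as the signed-in domain user, so the
rem NTFS ACL on the content decides who gets in. Grant read access to the
rem selected group (/E edits the existing ACL, /T applies to the whole tree).
cacls "%CONTENT%" /T /E /G "%GROUP%":R

rem Revoke the broad entries that would let everyone through.
cacls "%CONTENT%" /T /E /R Everyone
cacls "%CONTENT%" /T /E /R IUSR_%COMPUTERNAME%

rem Verify: AuthFlags should read 4, and the ACL should list only the
rem intended groups plus the administrative entries.
cscript //nologo "%ADSUTIL%" get %SITE%/AuthFlags
cacls "%CONTENT%"
endlocal
```

Step (c) is client-side: the browser only sends credentials silently once the site is in its Local intranet zone, so users outside that zone are still prompted.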

