
iis security : IIS requiring authentication


awshaffer
11/26/2007 8:51:03 AM
Using IIS on a standalone Win2003 server. Users hit the server IP from any
workstation on the LAN and get the default web page. Setup has been in place
for about a year with no problems. Last week, we start getting errors when
users try to hit the site. Users get "Authentication Required" popup when
they use their bookmark to get to the site.

First time this happened, entering the admin user credentials would allow
the user to proceed to the default web site. That is no longer the case; no
credentials are validated. Have verified user/pw for the admin user on the
server, so that is not the issue.

Point is, we should *never* need to authenticate to get to this page. I went
into IIS Manager and checked the Directory Security settings. "Enable
anonymous access" is selected. Down below, in the "Authenticated Access"
area, it had shown "Integrated Windows authentication" for when anonymous
access was disabled, or when NTFS permissions caused restrictions.

I have not been at the keyboard of this server for over a month, prior to
this issue arising last week. It is not auto-updating--i.e. zero changes have
been made that could account for this. I have tried disabling the Windows
Authentication, then restarting. I have tried using admin user to get past
authentication; only worked the first few times (?). I've tried changing the
password for the IUSR_computername user both in the Local Users and Groups
and in IIS Manager. Nothing is working.

Some random changes do happen. I had taken off the Integrated Windows
authentication, restarted the server, took a screenshot of IIS Mgr with that
setting *off*. Users had access to the default web page. 30 min. later, same
problem. Checked IIS Mgr, and integ win auth was back on...? Nobody has
physical or remote access to this server except me, and except for users'
access to the default web page.

When at the server console, typing the server IP in the web browser yields
"authentication required." Typing "localhost" takes me to the default web
page. Now, that's just weird.

David Wang
11/26/2007 1:34:06 PM

Anonymous access and Authenticated Access do *NOT* mean that you
*never* need to authenticate to get to a page. You MUST understand
this point. A user ALWAYS needs to authenticate to get to ANY content
on Windows because content on NTFS is ACL'd. The question is *who*
does the automatic authentication, client or server, such that you
have the illusion of never needing to authenticate.

http://blogs.msdn.com/david.wang/archive/2005/05/27/Access_Denied_to_Administrators_or_Anonymous_User.aspx


My suspicion is that this is not an IIS issue. You said that you had
not changed server configuration. I add that IIS doesn't change
configuration on its own -- it does not have a user token with
permissions to change its own configuration. Your type of issue
usually indicates some combination of:
1. Domain Controllers pushing down security policies, user/ACL
lockdown, configuration scripts, etc that prevent proper functioning
of IIS (*very* frequently the culprit)
2. Something else on the server is crashing inetinfo.exe and reverting
your IIS configuration changes (for example, if you run in IIS5
Compatibility Mode, or if you run other applications in inetinfo.exe)
3. Security attacks (intentional or unintentional) on the IIS
anonymous account that cause account lockout (for example, the Guest
group may get locked down by group policy, or you change the anonymous
user's password to be out of sync with the cached value in metabase,
etc)
4. Something else is authenticating on IIS and overriding IIS's
configured behavior (for example, someone installed/activated custom
authentication ISAPI Filter)

Your observation with "localhost" and IP going to different places
indicates either a networking problem or user misconfiguration/
misunderstanding of IIS. For example, you could have a website with
host header of "localhost" that can funnel your localhost requests to
one website (with one set of behaviors) and those with IP to another
website (with different behaviors). Or DNS could be messed up on your
internal network such that localhost is resolving to another computer
and not this IIS server, etc. In order for your result to be weird,
you have to show that the request to "localhost" and by IP was
serviced by the SAME IIS Website and server, and even then, there are
other possible explanations.


I recommend you read the following blog entries to get an
understanding of how to troubleshoot and use the IIS-related logs, and
what each 401 means in an IIS log file:
http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx
http://blogs.msdn.com/david.wang/archive/2005/12/31/HOWTO_Basics_of_IIS6_Troubleshooting.aspx

My experience with your type of "funny" behavior with IIS is that it
is rarely an IIS bug/issue. It is almost always something external,
related to security or lockdown from a domain policy, whose unintended
effects on IIS get recognized as the "funny" behavior because people
use web applications on IIS. Thus, I recommend against fiddling with
any IIS settings and always start from "what do IIS log files
complain about being the problem" and go from there.

My suspicion is that you've always had a network misconfiguration that
is just now exposed, and you had an external security policy applied
to lock down this IIS server from functioning. I highly recommend just
looking around for clues and not changing any IIS server
configuration.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
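
An added example, not part of the thread or of either poster's own code: a Python script for the log-first approach recommended above. It tallies 401 responses in an IIS W3C log by site, Host header, substatus and Win32 status, and lists which site served each Host value (the localhost-versus-IP question). The sample log lines are constructed, and it assumes the cs-host, sc-substatus and sc-win32-status fields are enabled in logging.

```python
from collections import Counter, defaultdict

# Standard Win32 error codes (winerror.h) that explain a failed logon.
WIN32 = {
    1326: "ERROR_LOGON_FAILURE (bad user name or password)",
    1331: "ERROR_ACCOUNT_DISABLED",
    1385: "ERROR_LOGON_TYPE_NOT_GRANTED (missing logon right)",
    1909: "ERROR_ACCOUNT_LOCKED_OUT",
}

def parse_w3c(lines):
    """Yield one dict per request, honouring every #Fields: directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field list may change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):     # skip truncated or damaged rows
                yield dict(zip(fields, values))

def summarize(lines):
    """Return (401 counts per site/host/substatus/win32, sites seen per host)."""
    denied, sites_by_host = Counter(), defaultdict(set)
    for r in parse_w3c(lines):
        host = r.get("cs-host", "-")
        sites_by_host[host].add(r.get("s-sitename", "-"))
        if r.get("sc-status") == "401":
            denied[(r.get("s-sitename", "-"), host, r.get("sc-substatus", "-"),
                    int(r.get("sc-win32-status", "0")))] += 1
    return denied, dict(sites_by_host)

# Constructed sample log (not from the thread); 192.0.2.x are documentation addresses.
SAMPLE = """\
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-username c-ip cs-host sc-status sc-substatus sc-win32-status
2007-11-26 13:50:01 W3SVC1 127.0.0.1 GET /default.htm - 127.0.0.1 localhost 200 0 0
2007-11-26 13:50:09 W3SVC1 192.0.2.10 GET /default.htm - 192.0.2.21 192.0.2.10 401 1 1909
2007-11-26 13:50:12 W3SVC1 192.0.2.10 GET /default.htm - 192.0.2.22 192.0.2.10 401 1 1909
2007-11-26 13:51:30 W3SVC1 192.0.2.10 GET /default.htm - 192.0.2.21 192.0.2.10 401 2 2148074254
""".splitlines()

if __name__ == "__main__":
    denied, sites = summarize(SAMPLE)
    for (site, host, sub, w32), n in sorted(denied.items()):
        print(f"{n}x 401.{sub} site={site} host={host} win32={WIN32.get(w32, w32)}")
    for host, names in sites.items():
        print(f"host {host!r} served by {sorted(names)}")
```

If one Host value maps to more than one site name, the two URLs are not being served by the same website; a 401.1 whose Win32 status is a lockout or logon-right code points at the account rather than at IIS configuration.
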
awshaffer
11/27/2007 8:33:12 AM
Thanks for a *very* complete and quick reply. You've given me a lot to check
into. Some responses to points you raise:


Right, just meant that from a user standpoint, they never had to enter
credentials, and now they are being required to do so. I'm assuming, in fact,
that this is some sort of authentication issue, which is why I changed the
IUSR pw.



Thanks for the reference!

No DC here, so should not be that, no?


Very likely. Will work to check those out.


Very possibly. When you refer to cached value in the metabase, that gets
renewed if I go into IIS Mgr and change the pw for the anon user, does it
not?


Should be very unlikely, but I'll track it down. Thanks.


Yep, although, again, this should not be new. Something had to *cause* it.
I've gone directly to the IP w/out errors, so something has changed.

For example, you could have a website with

No other IIS Websites present, no other Win2k3 servers present, no entries
in DNS that account for this, but I agree with your premise.


Thanks very much. I'll head over to those, as well!

http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx

Thanks for a great combination of detail and summary info!
tony


awshaffer
11/27/2007 10:01:02 AM
Something I should have clarified in the first post (sorry): error is 401.1,
so it's specifically due to invalid credentials. I've gone back and looked at
the ACL, and the admin user has the proper permissions. Also created a new
user to run as anonymous, disabled the IUSR account and gave the new user
explicit allows on the ACL for the wwwroot directory. Went into IIS mgr and
identified the new anon user as the anon user. No change, still not working.

One thing that made sense was a security lockout, as you mention, David, but
David Wang
11/27/2007 3:42:33 PM


401.1 error tells me to look at user privileges, Application Pool
identity, and credentials/passwords. ACLs, IIS Authentication
configuration, ISAPI, etc are usually not involved.

I would start looking at security lockout by group membership, missing
logon privileges by group membership, or even change of how IIS
performs user login for authentication (which is configurable but
should not have changed).


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
awshaffer
11/28/2007 8:03:02 AM


Exactly. That's my frustration--it cannot be nothing, but it can only be a
limited number of somethings, and it's not any of the somethings. Frankly,
I'm feeling now like I've either got a corrupt file somewhere that I just
cannot track down using any avail monitors, or a ditto for a security issue.
Came in today and tried to logon to the server console and got "not enough
storage is available to process this command". All the references I find to
this have to do with apps running on a functioning o/s, or to Dell
Poweredges, which this is not.

Rather than leave my whole site w/out access to the things they need, I'm
going to stop my pitiful troubleshooting attempts, blow the thing away and
recreate it. Thanks for all your help and for teaching me a lot that I did
not know.


Can't get in, so I can't check any of that, but to the extent that I had
looked at those issues before, none was the cause. Yesterday I had the
developer who wrote the app I was using with IIS remote in and drive that
server for a couple hours, and he could not explain the error.

Thanks again,
tony

David Wang
11/28/2007 2:36:06 PM
At the end, it sounds like something was leaking memory on your system
(probably non-paged pool) such that it prevented login.

You'd be able to determine that from a Kernel Debugger attached to
this machine. And figure out what's leaking that memory because it'll
eventually cause IIS to return "Connections_Refused" (which I also
have a blog entry about).

Now, this sort of thing does not happen suddenly on its own. You must
have had some hardware or software change at a system level which is
causing this issue.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang