| Groups | Blog | Home |
iis security : Stumped by Authentication Problem
I am stuck and could use some help. For some reason, none of our domain users can access our webpages unless they are added to the Administrator group on the Web server and I can't figure out why. This just started happening recently. We have a local group called Users that conains our Domain Users. Here is what I have done: 1. Checked that the users gruops has access to the Web Directory - Users - yes IIS_WFG - yes System - yes Administrators - yes Users - yes 2. Checked the authentication method for the Website - Integrated Windows Authentication 3. Looked at the logs for a persons not in the Adminstrators groups. Here are a few lines: 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 401 1 0 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 500 0 2148074244 So it looks like it is failing because it can't validate the user and only works if the user is in the admin group. Anyone have any idea why? Thanks in advance for your help! -SJ
On Dec 5, 4:02 am, "Ken Schaefer" <kenREM...@THISadOpenStatic.com>
[quoted text, click to view] wrote: > Hi, > > This isn't an IIS issue - something is happening lower down in the stack > (e.g. inside LSASS or similar). > > The initial request is denied with an Unauthorized (401) HTTP status. The > client then appears to be sending credentials, and the server is returning > 500. The Win32 status indicates an internal security error occurred. > > I would start by looking in the Windows Event Logs to see if any errors are > being logged there. > > Cheers > Ken > > -- > My IIS Blog:www.adOpenStatic.com/cs/blogs/ken > > "SirCodesALot" <sjour...@gmail.com> wrote in message > > news:d3c3d690-948e-45f4-9af6-e8e6d8d32e20@l16g2000hsf.googlegroups.com... > > > > > Hi All, > > > I am stuck and could use some help. For some reason, none of our > > domain users can access our webpages unless they are added to the > > Administrator group on the Web server and I can't figure out why. This > > just started happening recently. > > > We have a local group called Users that conains our Domain Users. > > > Here is what I have done: > > > 1. Checked that the users gruops has access to the Web Directory - > > Users - yes > > IIS_WFG - yes > > System - yes > > Administrators - yes > > Users - yes > > > 2. Checked the authentication method for the Website > > - Integrated Windows Authentication > > > 3. Looked at the logs for a persons not in the Adminstrators groups. > > Here are a few lines: > > 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 401 > > 1 0 > > 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 500 > > 0 2148074244 > > > So it looks like it is failing because it can't validate the user and > > only works if the user is in the admin group. Anyone have any idea > > why? > > > Thanks in advance for your help! > > -SJ- Hide quoted text - > > - Show quoted text - Ken, thanks for your response! I will try looking into that way. Thanks again,
Hi,
This isn't an IIS issue - something is happening lower down in the stack (e.g. inside LSASS or similar). The initial request is denied with an Unauthorized (401) HTTP status. The client then appears to be sending credentials, and the server is returning 500. The Win32 status indicates an internal security error occurred. I would start by looking in the Windows Event Logs to see if any errors are being logged there. Cheers Ken -- My IIS Blog: www.adOpenStatic.com/cs/blogs/ken [quoted text, click to view] "SirCodesALot" <sjourdan@gmail.com> wrote in message
news:d3c3d690-948e-45f4-9af6-e8e6d8d32e20@l16g2000hsf.googlegroups.com... > Hi All, > > I am stuck and could use some help. For some reason, none of our > domain users can access our webpages unless they are added to the > Administrator group on the Web server and I can't figure out why. This > just started happening recently. > > We have a local group called Users that conains our Domain Users. > > Here is what I have done: > > 1. Checked that the users gruops has access to the Web Directory - > Users - yes > IIS_WFG - yes > System - yes > Administrators - yes > Users - yes > > 2. Checked the authentication method for the Website > - Integrated Windows Authentication > > 3. Looked at the logs for a persons not in the Adminstrators groups. > Here are a few lines: > 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 401 > 1 0 > 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 500 > 0 2148074244 > > So it looks like it is failing because it can't validate the user and > only works if the user is in the admin group. Anyone have any idea > why? > > Thanks in advance for your help! > -SJ >
[quoted text, click to view]
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message news:OHKs%23YyNIHA.5980@TK2MSFTNGP04.phx.gbl... > Hi, > > This isn't an IIS issue - something is happening lower down in the stack > (e.g. inside LSASS or similar). > > The initial request is denied with an Unauthorized (401) HTTP status. The > client then appears to be sending credentials, and the server is returning > 500. The Win32 status indicates an internal security error occurred. > > I would start by looking in the Windows Event Logs to see if any errors > are being logged there. > Indeed Ken, and might not the app trace be useful too, as it seems by 500 that it is not handling the (unanticipated?) access denial. Roger [quoted text, click to view] > "SirCodesALot" <sjourdan@gmail.com> wrote in message > news:d3c3d690-948e-45f4-9af6-e8e6d8d32e20@l16g2000hsf.googlegroups.com... >> Hi All, >> >> I am stuck and could use some help. For some reason, none of our >> domain users can access our webpages unless they are added to the >> Administrator group on the Web server and I can't figure out why. This >> just started happening recently. >> >> We have a local group called Users that conains our Domain Users. >> >> Here is what I have done: >> >> 1. Checked that the users gruops has access to the Web Directory - >> Users - yes >> IIS_WFG - yes >> System - yes >> Administrators - yes >> Users - yes >> >> 2. Checked the authentication method for the Website >> - Integrated Windows Authentication >> >> 3. Looked at the logs for a persons not in the Adminstrators groups. >> Here are a few lines: >> 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 401 >> 1 0 >> 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 500 >> 0 2148074244 >> >> So it looks like it is failing because it can't validate the user and >> only works if the user is in the admin group. Anyone have any idea >> why? >> >> Thanks in advance for your help! >> -SJ >> >
So this means you have looked in the event logs, and there seen
these domain users members successful at login, yet they are denied access to the resource. Right? . . . or at least no failed login events for them then if you don't log success? If not so, was there a change in login rights, or in group nestings recently? Roger [quoted text, click to view] "SirCodesALot" <sjourdan@gmail.com> wrote in message news:d3c3d690-948e-45f4-9af6-e8e6d8d32e20@l16g2000hsf.googlegroups.com... > Hi All, > > I am stuck and could use some help. For some reason, none of our > domain users can access our webpages unless they are added to the > Administrator group on the Web server and I can't figure out why. This > just started happening recently. > > We have a local group called Users that conains our Domain Users. > > Here is what I have done: > > 1. Checked that the users gruops has access to the Web Directory - > Users - yes > IIS_WFG - yes > System - yes > Administrators - yes > Users - yes > > 2. Checked the authentication method for the Website > - Integrated Windows Authentication > > 3. Looked at the logs for a persons not in the Adminstrators groups. > Here are a few lines: > 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 401 > 1 0 > 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 500 > 0 2148074244 > > So it looks like it is failing because it can't validate the user and > only works if the user is in the admin group. Anyone have any idea > why? > > Thanks in advance for your help! > -SJ >
[quoted text, click to view] "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message news:uVTVd2JOIHA.4136@TK2MSFTNGP03.phx.gbl... > "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message > news:OHKs%23YyNIHA.5980@TK2MSFTNGP04.phx.gbl... >> Hi, >> >> This isn't an IIS issue - something is happening lower down in the stack >> (e.g. inside LSASS or similar). >> >> The initial request is denied with an Unauthorized (401) HTTP status. The >> client then appears to be sending credentials, and the server is >> returning 500. The Win32 status indicates an internal security error >> occurred. >> >> I would start by looking in the Windows Event Logs to see if any errors >> are being logged there. >> > > Indeed Ken, and might not the app trace be useful too, as it seems > by 500 that it is not handling the (unanticipated?) access denial. It could be, but Win32 error 2148074244 is SEC_E_INTERNAL_ERROR, which indicates to me tha there is an error below IIS. IIS is then seeing this not as an access denied, but some other error it is not equiped to handle, and so IIS generates the 500 Internal Server Error, not the application. The application probably isn't seeing the request at all Cheers Ken [quoted text, click to view] > Roger
> >> "SirCodesALot" <sjourdan@gmail.com> wrote in message >> news:d3c3d690-948e-45f4-9af6-e8e6d8d32e20@l16g2000hsf.googlegroups.com... >>> Hi All, >>> >>> I am stuck and could use some help. For some reason, none of our >>> domain users can access our webpages unless they are added to the >>> Administrator group on the Web server and I can't figure out why. This >>> just started happening recently. >>> >>> We have a local group called Users that conains our Domain Users. >>> >>> Here is what I have done: >>> >>> 1. Checked that the users gruops has access to the Web Directory - >>> Users - yes >>> IIS_WFG - yes >>> System - yes >>> Administrators - yes >>> Users - yes >>> >>> 2. Checked the authentication method for the Website >>> - Integrated Windows Authentication >>> >>> 3. Looked at the logs for a persons not in the Adminstrators groups. >>> Here are a few lines: >>> 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 401 >>> 1 0 >>> 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 500 >>> 0 2148074244 >>> >>> So it looks like it is failing because it can't validate the user and >>> only works if the user is in the admin group. Anyone have any idea >>> why? >>> >>> Thanks in advance for your help! >>> -SJ >>> >> > >
Check whether you have the correct user group settings under logon locally
right on server security policy. [quoted text, click to view] "SirCodesALot" wrote:
> Hi All, > > I am stuck and could use some help. For some reason, none of our > domain users can access our webpages unless they are added to the > Administrator group on the Web server and I can't figure out why. This > just started happening recently. > > We have a local group called Users that conains our Domain Users. > > Here is what I have done: > > 1. Checked that the users gruops has access to the Web Directory - > Users - yes > IIS_WFG - yes > System - yes > Administrators - yes > Users - yes > > 2. Checked the authentication method for the Website > - Integrated Windows Authentication > > 3. Looked at the logs for a persons not in the Adminstrators groups. > Here are a few lines: > 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 401 > 1 0 > 2007-12-04 21:28:28 W3SVC1786339847 GET /ts/index.html - 80 - 500 > 0 2148074244 > > So it looks like it is failing because it can't validate the user and > only works if the user is in the admin group. Anyone have any idea > why? > > Thanks in advance for your help! > -SJ >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |