| Groups | Blog | Home |
iis security : IIS Subauthentication Required
working we plan to load-balance them. Due to limitations in our in-house application, the Web services are running in IIS 5.0 isolation mode. The Web site on all four servers is configured to use the local IUSR account for Anonymous access. As far as I can tell, the configuration on all 4 is identical, and the home page works on all four. However, within one of the subfolders, configured as an application, there is a login.html that only works on 3 of the servers, not on the 4th. This login page accesses a COM+ application on another server (the app was exported to a proxy .msi file, which was then instaled on the Web server), the anoymous access account for this folder is set to a domain account. As I said, it works on 3 of the 4 Web servers. On the problem server, I receive an HTTP Error 401.1 (Unauthorized: Access is denied due to invalid credentials). The Security Log shows that the failure was due to an unknown username or a bad password. Also, the results of running the IIS Diags on this serverdisplays the following errors: - AnymousPasswordSync: IIS subauthentication requires that the AnonymousUserName metabase property be configured with an account from the local computer. - AnonymousUserPass: logon failed - AnonymousPasswordSync: The current configuration requires IIS subauthentication. However, the IIS subauthentication component, iissuba.dll, is not currently configured. - AnonymousPasswordSync: The current configuration uses IIS subauthentication for anonymous authentication. This requires that the worker process be configured to run as the Local System identity, which is not recommended for security reasons. - Server's response: HTTP/1.1 401 Unauthorized As far as I can tell, subauthentication is not set on the other servers. Why is sub-authentication required on this server and not on the other 3? How can I fix this?
In order for IIS to use the IUSR_<machinename> account, it needs to be able
to "logon" that user account, and to do that it needs the current password for that IUSR account. Now, in a normal IIS installation, IIS install creates the IUSR account (in the Windows SAM), sets the password, and then stores a copy of the password (encrypted) in the IIS metabase. However, if the Windows password for the IUSR account changes, then IIS won't know what the new password is and won't be able to logon the IUSR account. Solutions to this problem: a) if the IUSR password has changed (and you know what the new password is), then reset the IUSR password in IIS Manager, so that IIS knows what the password is again. b) enable SubAuthentication (which allows IIS to transparently get the password). However SubAuthentication is a security risk you need to consider, as it means running IIS using an account with elevated credentials. Cheers Ken -- My IIS Blog: www.adOpenStatic.com/cs/blogs/ken [quoted text, click to view] "David V" <DavidV@discussions.microsoft.com> wrote in message
news:0027FC1F-B246-4877-A84B-30F243BC0F8F@microsoft.com... >I have 4 Web servers that should all be set up the same; once they are all > working we plan to load-balance them. Due to limitations in our in-house > application, the Web services are running in IIS 5.0 isolation mode. The > Web > site on all four servers is configured to use the local IUSR account for > Anonymous access. As far as I can tell, the configuration on all 4 is > identical, and the home page works on all four. > However, within one of the subfolders, configured as an application, there > is a login.html that only works on 3 of the servers, not on the 4th. This > login page accesses a COM+ application on another server (the app was > exported to a proxy .msi file, which was then instaled on the Web server), > the anoymous access account for this folder is set to a domain account. > As I > said, it works on 3 of the 4 Web servers. > > On the problem server, I receive an HTTP Error 401.1 (Unauthorized: Access > is denied due to invalid credentials). The Security Log shows that the > failure was due to an unknown username or a bad password. Also, the > results > of running the IIS Diags on this serverdisplays the following errors: > - AnymousPasswordSync: IIS subauthentication requires that the > AnonymousUserName metabase property be configured with an account from the > local computer. > - AnonymousUserPass: logon failed > - AnonymousPasswordSync: The current configuration requires IIS > subauthentication. However, the IIS subauthentication component, > iissuba.dll, > is not currently configured. > - AnonymousPasswordSync: The current configuration uses IIS > subauthentication for anonymous authentication. This requires that the > worker > process be configured to run as the Local System identity, which is not > recommended for security reasons. > - Server's response: HTTP/1.1 401 Unauthorized > > As far as I can tell, subauthentication is not set on the other servers. > Why is sub-authentication required on this server and not on the other 3? > How can I fix this? > > Any help is greatly appreciated.
I have tried both proposed solutions and neither solved the problem. Note
that the Web site's home page works, and it is set up for anonymous authentication using the local IUSR account. It is the subfolder application that does not work. This folder is set up to use a domain acocunt for anonymous authentication. I have confirmed the password for this domain account, by resetting it, but I am still getting the "You are not authorized to view this page" message and an Event ID 529 failure in the Security log. [quoted text, click to view] "Ken Schaefer" wrote:
> In order for IIS to use the IUSR_<machinename> account, it needs to be able > to "logon" that user account, and to do that it needs the current password > for that IUSR account. > > Now, in a normal IIS installation, IIS install creates the IUSR account (in > the Windows SAM), sets the password, and then stores a copy of the password > (encrypted) in the IIS metabase. > > However, if the Windows password for the IUSR account changes, then IIS > won't know what the new password is and won't be able to logon the IUSR > account. > > Solutions to this problem: > a) if the IUSR password has changed (and you know what the new password is), > then reset the IUSR password in IIS Manager, so that IIS knows what the > password is again. > > b) enable SubAuthentication (which allows IIS to transparently get the > password). However SubAuthentication is a security risk you need to > consider, as it means running IIS using an account with elevated > credentials. > > Cheers > Ken > > -- > My IIS Blog: www.adOpenStatic.com/cs/blogs/ken > > "David V" <DavidV@discussions.microsoft.com> wrote in message > news:0027FC1F-B246-4877-A84B-30F243BC0F8F@microsoft.com... > >I have 4 Web servers that should all be set up the same; once they are all > > working we plan to load-balance them. Due to limitations in our in-house > > application, the Web services are running in IIS 5.0 isolation mode. The > > Web > > site on all four servers is configured to use the local IUSR account for > > Anonymous access. As far as I can tell, the configuration on all 4 is > > identical, and the home page works on all four. > > However, within one of the subfolders, configured as an application, there > > is a login.html that only works on 3 of the servers, not on the 4th. This > > login page accesses a COM+ application on another server (the app was > > exported to a proxy .msi file, which was then instaled on the Web server), > > the anoymous access account for this folder is set to a domain account. > > As I > > said, it works on 3 of the 4 Web servers. > > > > On the problem server, I receive an HTTP Error 401.1 (Unauthorized: Access > > is denied due to invalid credentials). The Security Log shows that the > > failure was due to an unknown username or a bad password. Also, the > > results > > of running the IIS Diags on this serverdisplays the following errors: > > - AnymousPasswordSync: IIS subauthentication requires that the > > AnonymousUserName metabase property be configured with an account from the > > local computer. > > - AnonymousUserPass: logon failed > > - AnonymousPasswordSync: The current configuration requires IIS > > subauthentication. However, the IIS subauthentication component, > > iissuba.dll, > > is not currently configured. > > - AnonymousPasswordSync: The current configuration uses IIS > > subauthentication for anonymous authentication. This requires that the > > worker > > process be configured to run as the Local System identity, which is not > > recommended for security reasons. > > - Server's response: HTTP/1.1 401 Unauthorized > > > > As far as I can tell, subauthentication is not set on the other servers. > > Why is sub-authentication required on this server and not on the other 3? > > How can I fix this? > > > > Any help is greatly appreciated. >
Hi,
[quoted text, click to view] >Event ID 529 failure in the Security log Verify that the user account you created has the necessary logon permissions (from memory this is "network logon"), and also verify that the user has the necessary NTFS permissions to the files/folders in question (Read/Execute) Cheers Ken [quoted text, click to view] "David V" <DavidV@discussions.microsoft.com> wrote in message
news:95BF5296-BB6B-4E2E-9A8A-01A8162BD3C8@microsoft.com... >I have tried both proposed solutions and neither solved the problem. Note > that the Web site's home page works, and it is set up for anonymous > authentication using the local IUSR account. It is the subfolder > application > that does not work. This folder is set up to use a domain acocunt for > anonymous authentication. I have confirmed the password for this domain > account, by resetting it, but I am still getting the "You are not > authorized > to view this page" message and an Event ID 529 failure in the Security > log. > > "Ken Schaefer" wrote: > >> In order for IIS to use the IUSR_<machinename> account, it needs to be >> able >> to "logon" that user account, and to do that it needs the current >> password >> for that IUSR account. >> >> Now, in a normal IIS installation, IIS install creates the IUSR account >> (in >> the Windows SAM), sets the password, and then stores a copy of the >> password >> (encrypted) in the IIS metabase. >> >> However, if the Windows password for the IUSR account changes, then IIS >> won't know what the new password is and won't be able to logon the IUSR >> account. >> >> Solutions to this problem: >> a) if the IUSR password has changed (and you know what the new password >> is), >> then reset the IUSR password in IIS Manager, so that IIS knows what the >> password is again. >> >> b) enable SubAuthentication (which allows IIS to transparently get the >> password). However SubAuthentication is a security risk you need to >> consider, as it means running IIS using an account with elevated >> credentials. >> >> Cheers >> Ken >> >> -- >> My IIS Blog: www.adOpenStatic.com/cs/blogs/ken >> >> "David V" <DavidV@discussions.microsoft.com> wrote in message >> news:0027FC1F-B246-4877-A84B-30F243BC0F8F@microsoft.com... >> >I have 4 Web servers that should all be set up the same; once they are >> >all >> > working we plan to load-balance them. Due to limitations in our >> > in-house >> > application, the Web services are running in IIS 5.0 isolation mode. >> > The >> > Web >> > site on all four servers is configured to use the local IUSR account >> > for >> > Anonymous access. As far as I can tell, the configuration on all 4 is >> > identical, and the home page works on all four. >> > However, within one of the subfolders, configured as an application, >> > there >> > is a login.html that only works on 3 of the servers, not on the 4th. >> > This >> > login page accesses a COM+ application on another server (the app was >> > exported to a proxy .msi file, which was then instaled on the Web >> > server), >> > the anoymous access account for this folder is set to a domain account. >> > As I >> > said, it works on 3 of the 4 Web servers. >> > >> > On the problem server, I receive an HTTP Error 401.1 (Unauthorized: >> > Access >> > is denied due to invalid credentials). The Security Log shows that the >> > failure was due to an unknown username or a bad password. Also, the >> > results >> > of running the IIS Diags on this serverdisplays the following errors: >> > - AnymousPasswordSync: IIS subauthentication requires that the >> > AnonymousUserName metabase property be configured with an account from >> > the >> > local computer. >> > - AnonymousUserPass: logon failed >> > - AnonymousPasswordSync: The current configuration requires IIS >> > subauthentication. However, the IIS subauthentication component, >> > iissuba.dll, >> > is not currently configured. >> > - AnonymousPasswordSync: The current configuration uses IIS >> > subauthentication for anonymous authentication. This requires that the >> > worker >> > process be configured to run as the Local System identity, which is not >> > recommended for security reasons. >> > - Server's response: HTTP/1.1 401 Unauthorized >> > >> > As far as I can tell, subauthentication is not set on the other >> > servers. >> > Why is sub-authentication required on this server and not on the other >> > 3? >> > How can I fix this? >> > >> > Any help is greatly appreciated. >> >>
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |