401.3 Unauthorized: Logon Failed
From: stephen (stephenhines@yahoo.com)
Date: 05/16/02
- Next message: x y: "Re: ftp non-anonymous help - logon locally overriden by effective policy setting at domain level"
- Previous message: Jeff Briar-Hill: "ftp non-anonymous help - logon locally overriden by effective policy setting at domain level"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "stephen" <stephenhines@yahoo.com> Date: Wed, 15 May 2002 21:18:23 -0700
I am trying to resolve a 401.3 error message I have been
experiencing for weeks on an subdirectory within a web
site. This is on an Windows 2K/IIS 5.0 platform.
This is on an intranet site with host headers in use.
There is a subdirectory within this site on the web server
that needs to be restricted for access to only several
individuals. So on this directory within IIS I enabled
only Windows Integrated Authentication and set the ACLs on
the web site directory to allow the several individuals on
the domain Read Access to the directory. In spite of this
I constantly receive the 401.3 errors. This directory
contains regular HTML files.
However as a local Administrator to the box if I enter the
URL to that directory in the browser I can access the
directory without a problem. But if I log onto a system as
one of the user accounts that I have granted Read access
to that directory and then try to access the directory it
fails every time with the same 401.3 error message.
I have tried the following to address the issue based on
suggestions in various newsgroups of other people
reporting the same error message:
1) Gave this group of domain users Full Control access to
the directory without success.
2) Granting these accounts an elevated level of access on
this particular web server such as "Access this computer
from the Network", "Act as a part of the operating system"
and "Log on Locally".
3) Creating a local group on the machine and adding these
users to it.
4) Disabling the propagation of ACLs from the parent
directory to this directory and manually setting the ACLs
on the subdirectory but the same error appears.
5) I tried going higher up in the directory structure and
allowing these user accounts Read Access to the directory
6) Duplicating the same ACL settings as the current web
site on another server and the problem does not occur
There has to be a level of access or a privilege I have as
a local Administrator that these users don't have that is
causing the problem. Otherwise why can't their accounts
access the same files.
===========================================================
Here is a blurb from TechNet article Q187506 on
permissions as they relate to troubleshooting 401.3
errors:
To configure the minimum required NTFS permissions for
users who access IIS, grant the following directory
permissions to the anonymous Internet user account (by
default, this is the IUSR_computer_name account) and any
other accounts or groups that need access to the Web
server:
Directory Permissions
------------------------------------------------
Content READ (RX)
Winnt READ (RX)
Winnt\System32 READ (RX)
Winnt\System32\Inetsrv READ (RX)
Program Files\Common Files READ (RX)
(and all subdirectories)
===========================================================
I compared the permissions on these directories on the
initial web server where the problem is occurring and
another web site where I copied the content of the site
over and reset the permissions the same way. I found that
the permissions on the above directories are more
restrictive on the server where I copied the content to
for testing where I didn't get the error compared to the
original web server. In spite of that access still fails
on the original site. Also note that the ACLs on these
WINNT directories on both servers do not include the
specific users requiring access although the TechNet
article appears to state this is a requirement in addition
to Read access on the content itself.
I am also using IE as my browser to access the site.
Mention this because on the web people have mentioned that
Netscape doesn't support Windows Integrated Authentication
(NTLM). Also there is no firewall between my PC and the
server where this is occurring at. I have read about
problems this can cause with NT Authentication as well.
I guess my problem boils down to this - Other than giving
a user file/folder level permissions at the NTFS level to
Read content and only Windows Integrated Authentication
enabled on the folder within IIS, what else is required to
prevent this 401.3 error from occurring? I'm hoping for an
answer other than "Check the permissions on the files"
because I've already done that multiple times. Thanks in
advance.
- Next message: x y: "Re: ftp non-anonymous help - logon locally overriden by effective policy setting at domain level"
- Previous message: Jeff Briar-Hill: "ftp non-anonymous help - logon locally overriden by effective policy setting at domain level"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
