RE: IIS Integrated Windows Authentication problem

From: Lisa Cozzens (lcozzensonline@microsoft.com)
Date: 06/22/02 

From: lcozzensonline@microsoft.com (Lisa Cozzens)
Date: Fri, 21 Jun 2002 23:50:24 GMT

Hi Brian,

In Internet Explorer, go to Tools -> Internet Options -> Advanced tab,
scroll down a little ways and make sure that there is NOT a check mark next
to "Show friendly HTTP error messages." Then try hitting the page again,
using the credentials of one of the users that can't access it. Scroll all
the way down to the bottom of the error page. What is the exact error that
you see?

Make sure that all the accounts have the "Access this computer from the
network" right, and that they *don't* have the "Deny access to this
computer from the network" right. (Administrative Tools -> Local Security
Policy -> Local Policies -> User Rights Assignment.) By default, the
Everyone group has the first right, and no one has the second right, but
just double check to make sure these haven't gotten changed.

Make sure that you can log in properly as those users -- the accounts
aren't locked out, the passwords haven't expired, etc.

Download Filemon and Regmon from www.sysinternals.com. Run these programs
on the web server while you hit the page using a failing user's
credentials. Save the logs and review them. Look for any "access denied's"
or similarly suspicious messages coming from inetinfo.exe or dllhost.exe.

Hope this helps,
Lisa

--------------------
> Content-Class: urn:content-classes:message
> From: "Brian P. Mueller" <bpmueller@hotmail.com>
> Sender: "Brian P. Mueller" <bpmueller@hotmail.com>
> References: <1216601c21954$9a5c4240$35ef2ecf@TKMSFTNGXA11>
> Subject: IIS Integrated Windows Authentication problem
> Date: Fri, 21 Jun 2002 12:37:41 -0700
> Lines: 57
> Message-ID: <115e601c2195b$1b7165d0$3bef2ecf@TKMSFTNGXA10>
> MIME-Version: 1.0
> Content-Type: text/plain;
> charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
> X-Newsreader: Microsoft CDO for Windows 2000
> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
> Thread-Index: AcIZWxtxtZc3IaDoSWCr165j/ZwRbw==
> Newsgroups: microsoft.public.inetserver.iis.security
> Path: cpmsftngxa08
> Xref: cpmsftngxa08 microsoft.public.inetserver.iis.security:7810
> NNTP-Posting-Host: TKMSFTNGXA10 10.201.226.38
> X-Tomcat-NG: microsoft.public.inetserver.iis.security
>
> Just a couple more details I left out:
>
> - The servers in question have the .Net framework
> installed, but the framework is not being used by the
> test site.
>
> - After extensive searching in the IIS logs, it appears
> that behind the scenes I'm actually getting a 401.5 error:
>
> HTTP 401.5 - Unauthorized: Authorization by ISAPI or CGI
> application failed
>
> The user never gets the 401.5 error page however.
>
> Thanks,
> Brian
>
> >-----Original Message-----
> >Greetings,
> >
> >I've run into a rather strange problem and I hope
> someone
> >else may have seen it.
> >
> >My simplified test setup:
> >
> >- Windows 2000 server, IIS 5.0
> >- A simple web application (under the default site), set
> >to Integrated Windows Authentication only.
> >- The web app consists of just a default.htm page.
> >- The Everyone group has full control of the web
> >directory.
> >
> >Here's the problem. Some domain users cannot access the
> >site and receive a "The page cannot be displayed" error.
> >There seems to be no common security
> settings/permissions
> >among the users that are failing. I turned on auditing
> >and it appears that the authentication is never even
> >attempted - there are no logon successes or failures,
> >nothing (the users that work do show up in the log),
> just
> >an instant error page.
> >
> >This problem happens with every secured web application
> >on every server I've tried, even on an XP workstation
> >(IIS 5.1). I'm running out of things to try. I can't see
> >anything about the user accounts that would prevent them
> >from authenticating to IIS.
> >
> >I've never encountered anything like this before. Any
> >ideas?
> >
> >Thanks,
> >Brian
> >.
> >
>

-----
Have you installed the new cumulative security patch for IIS?
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp

Please do not send email directly to this alias. This is an online
account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers
no rights. You assume all risk for your use.

© 2002 Microsoft Corporation. All rights reserved.

Quantcast