Re: Anonymous works 1 Day ??

From: Stéphane LELEU (sleleu@euroview.com)
Date: 09/30/02 

From: Stéphane LELEU <sleleu@euroview.com>
Date: Mon, 30 Sep 2002 03:01:04 -0700

Hi.

first of all, thanks for your answers...

 - This server IS member of a domain.
 - I AM the admin for this domain
 - This domain is Testing / pre-production site
containing :
   - 1 AD controler
   - 1 SQL 2k 8.00.655 2 nodes cluster
   - 1 biztalk 2002 server
   - 1 IIS 5.0 web server (will be NLB clustered for prod.)
(with .Net FrameWork SP2)
   - 1 StandAlone root CA
   - 1 StandAlone AE
All servers running Win2K with SP3 and a few post SP3
hotfixes (like the Q323172 for the PKI ;-) )

 There is no group policy
 But There is a domain wide security policy for service
accounts as described in "setting up a service account"
doc. for BizTalk, SQL, cluster service

 I've already tested to force a propagation using
secedit /refreshpolicy machine_policy
After a few hours, IIS is still working fine. But after a
day or two : -= Access Denied =- with a system log full
of W3SVC : Warning : the user doesn't have the requested
logon type (3) permission (something like that)...

I cleared the "Allow IIS to control password" and it SEEMS
to works better... but.. for how many days ? ....

 I'll post another message if it crashes again.

Thanks !

>-----Original Message-----
>Minor detail with running adsutil. It is a VBScript
(extension .VBS) and it
>needs to be run by CSCRIPT. WScript is the default
script execution engine
>on Windows Server, so you need to run:
>
>If you run CSCRIPT //h:CSCRIPT that will set CSCRIPT as
the default script
>engine. In that case, what Thomas gives will work.
>
>Otherwise, you must run:
>CSCRIPT %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs
<command> <param1>...
>
>--
>//David
>This posting is provided "AS IS" with no warranties, and
confers no rights.
>//
>"Thomas Deml [MS]" <thomad@online.microsoft.com> wrote in
message
>news:e9J0mXmZCHA.1676@tkmsftngp08...
>Stephane,
>
>is the machine member of a domain and does the domain
apply group policy? It
>seems that a group policy takes away the "logon locally"
right from the IUSR
>account. This right is needed for IIS to logon the
anonymous user though.
>
>Either you ask your domain admin to exclude the IIS
machine from the group
>policy or you change the way IIS logs on the anonymous
user. There is no UI
>to change the logon method. You would have to do it via
script, e.g.
>c:\inetpub\adminscripts\adsutil set w3svc/logonmethod 3
>This changes the logonmethod to "NETWORK_CLEARTEXT" which
is default in IIS
>6.0.
>If it doesn't work you can reset this by entering the
following command:
>c:\inetpub\adminscripts\adsutil delete w3svc/logonmethod
>
>Hope this helps.
>
>Thomas Deml
>Lead Program Manager
>Internet Information Services
>Microsoft Corp.
>
>"Stephane Leleu" <sleleu@euroview.com> wrote in message
>news:a9b301c265f8$5a548ae0$35ef2ecf@TKMSFTNGXA11...
>> Hi there...
>>
>> I have a Windows 2000 adv. server with SP3 running IIS
>> (domain member).
>> Anonymous access is done with the integrated IUSR_...
>> local user.
>> Anonymous access can be done for a few hours then I get
>> a "Access Denied" error.
>> When restarting IIS service, it works for a few another
>> hours.
>> Event log says W3SVC Warning : "the user doesn't have
the
>> required logon permission to log on this computer..."
>>
>> What's wrong ??
>
>
>
>
>.
>

Relevant Pages

  • Unknown Domain user - domain authentication appears limited
    ... IIS or Domain problem, it appears that it is actually a security ... When I tried this on the new server configuration I received the following ... due to the following error: Logon failure: the user has not been granted the ... requested logon type at this computer. ...
    (microsoft.public.windows.server.security)
  • Re: GPO software deployment and one stuborn XP system
    ... I would write a logon script to upload a file to the server your workstation ... See if it can place the file on that server. ... > network clients. ... > Group Policy was applied from: ...
    (microsoft.public.win2000.group_policy)
  • Re: Need to find out the IP of someone trying to hack a server
    ... If you know that it's IIS, then it most likely is OWA or some other Website ... If all the connections in the IIS logs show the IP address of the ISA server, ... I'm getting logon type 8, ... Having trouble finding a list of logon types referenced in event viewer. ...
    (microsoft.public.isa)
  • Redirection of all folders not working
    ... Applications, Desktop, Start Menu, My Documents to folders on the ... new user logons on to the network new folders are created on the Server ... Have setup a logon script that works through the Group Policy. ...
    (microsoft.public.win2000.group_policy)
  • Single Sign On With ISA
    ... My web application sits on IIS located outside the domain. ... on IIS outside the domain) without having to go through the logon process ... That means the user's credential (username) must be send over to the ... Can Microsft ISA server solve the above mentioned scenario? ...
    (microsoft.public.isaserver)