Re: IWAM Out of sync

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 10/30/02


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Wed, 30 Oct 2002 10:18:31 -0500


I assume you're logged in as administrator when you run these commands. I
also assume you're synching the password in the Metabase with the password
on the IWAM account in the Windows user database.

I would probably enable file and registry access failure auditing for all
the folders and drives on your system, to see what is going on in the
Windows security event log. I would also try the ADSUTIL.VBS command as
described below to get the IWAM password and try setting it. If you get an
error and you are logged in as an administrator, you could try uninstalling
and reinstalling IIS, and/or you could search for the error message you
received at www.microsoft.com/support or
www.google.com/advanced_group_search or www.google.com

I'd also be curious to know whether the problem also happens when you change
the application isolation setting to Low.

[There may also be other information or things to try in the links below]

============

I'm having a problem with the IUSR_computername or IWAM_computername account
on my computer or IIS web server, or the account keeps getting locked out.

A: IIS may be using the IWAM_computername account instead of the
IUSR_computername account when executing web page scripts. If so, there may
be a problem with insufficient permissions or incorrect password on the IWAM
account, especially if you assigned permissions to the IUSR account instead
of the IWAM account.

Use the IIS MMC to look at the "Application Isolation" properties of the
folder containing the troubled script files. IIS runs application scripts
using the IWAM account if the "Application Isolation" setting for the script
or the folder containing the script is set to "Medium" or "High."

[If your web page scripts start working after changing this setting to
"Low," then you have probably confirmed that you have a problem with the
IWAM account as described below. If changing this setting does not fix the
problem, then the rest of this article may not apply to you and you should
consider doing general .ASP troubleshooting using the link below instead:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q309051 ]

Like the IUSR account, a copy of the IWAM account password is stored in the
IIS metabase, so that IIS can log on as the IWAM account. IIS cannot log on
as IWAM and/or IUSR if the password in the IIS metabase does not match the
actual password for that user ID in the Windows security database.

The ADSUTIL.VBS command can be used to retrieve or change the IWAM and/or
IUSR ID and/or password stored in the IIS metabase. For example, you may
need to use the command "ADSUTIL GET" to get the IWAM password from the
metabase, then use the Windows 2000 / XP / .NET Local Users and Groups MMC
to change the password on the IWAM account to match.

More information on using the ADSUTIL.VBS command can be found in the
articles below:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q297989
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296851

If you have deleted or created a new login ID to be used instead of the
existing IWAM or IUSR account, you may need to grant the new account
permission to "Log on Locally." See the article below for more information:

www.iisfaq.com/default.asp?View=A324&P=128

If an application script or web page on your IIS web server is unable to
accessing files on another remote computer, you may need to determine which
login ID is being used by the IIS web server to run the script, and set up
an identical login ID and password for that account on the remote computer
[or in some cases, the Windows domain]. See the article below for more
information:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q207671

============

Info on enabling auditing:

=============

Note that to enable logging of access to files or registry settings, you
must both enable logging in the overall computer policy AND also add
auditing settings on individual folders or registry keys in the NTFS
security properties in Windows Explorer or the REGEDT32 registry editor.
[Using REGEDIT will not work.] To log file access, the files must be on an
NTFS-formatted partition.

Note also that to enable logging of security events on a Windows domain, you
must change the auditing policy on all domain controllers. Changing the
auditing policy on the computers in the domain enables logging of failed
logins to the computers using local accounts and would not necessarily log
attempts to log into the domain.

Consider changing the Windows event log settings to be appropriate for your
environment. Consider increasing the maximum log size to retain more
information. Be careful not to log too much, or you might find that your
logs contain only a few minutes or hours worth of data. Finally, check the
logs to be sure logs are really being captured.

For more information on enabling and configuring auditing, see the articles
below:

http://nsa1.www.conxion.com/win2k/download.htm a.k.a. http://www.nsa.gov
    [look for the NSA Security Recommendation Guides for Windows 2000 and
also Group Policy]
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/
13w2kadc.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310399 - XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549 - 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q248260 - 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q301640 - 2000, file
access settings
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300958 - 2000,
monitoring for unauthorized user access
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q157238 - NT
http://www.labmice.net/troubleshooting/EventLog.htm

[Thanks to Thomas Deml and others]

===================

What are the minimum or default NTFS file permissions required for IIS,
and/or how can I restore them?

How should I configure secure NTFS file permissions to secure my web site
content?

A: More information is available in the following articles:

How to set secure NTFS Permissions on IIS directories and log files -
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310361

Minimum NTFS file permissions required for IIS:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q187506

============

"Guillermo Calderon" <gcalderonc@terrra.com.co> wrote in message
news:071101c28009$9f1bdea0$37ef2ecf@TKMSFTNGXA13...
I removed my web server from a domain and included it in a
workgroup.

I changed the default IUSR_ and IWAM_ for new accounts, I
gave them all the security rights needed.

Now I'm getting errors like "Unable to start a DCOM
Server" and "Access is denied. " related with Out-Of-
Process applications and IWAM account when I tried to load
a default page in the Default Web Site (Isolation Medium
Pooled). The error in Iexplorer is "Server Application
Error".

I tried to apply TechNet articles (in order to sync
account information in METABASE, SAM and COM+) but It
wasn´t succesful.

When I tried to modify the information about the old IWAM
account in "Component Services" I got an error related to
wrong domain; if I run synciwam.vbs from the command line
I got errors too.

I'm using Anonymous authentication.

Please help me

Guillermo



Relevant Pages

  • Re: Execute Access Forbidden
    ... I have selected SCRIPT ONLY and tried EXECUTABLES ... IUSR_computername account when executing web page scripts. ... Use the IIS MMC to look at the "Application Isolation" properties of the ... using the IWAM account if the "Application Isolation" setting for the script ...
    (microsoft.public.inetserver.iis.security)
  • Re: HTTP 401.1 - Unauthorized: Logon Failed
    ... What are the minimum or default NTFS file permissions required for IIS, ... I'm having a problem with the IUSR_computername or IWAM_computername account ... folder containing the troubled script files. ... using the IWAM account if the "Application Isolation" setting for the script ...
    (microsoft.public.inetserver.iis.security)
  • Re: lan file access with perl cgi scripts under iis 5.0
    ... this will probably involve adding a local IUSR account to the remote ... and setting IIS to not control the password for the anonymous iusr ... the IUSR account and not the IWAM account that is being denied access. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Changing the IWAM User name
    ... ASP.NET does not use the IWAM account. ... ASP.NET on IIS 5.0 uses the ... a common domain user for the IIS logon. ...
    (microsoft.public.inetserver.iis.security)
  • Re: iis user account and ssh
    ... Edit the account you would like to use. ... Now IIS will run this folder under the security context of the ... > command on a remote server. ... > to the iis account or how do i get the cgi program to execute the ...
    (comp.security.ssh)