Re: IWAM Out of sync

From: "Brjann Brekkan" <bbrekkan@hotmail.com>
Date: Wed, 30 Oct 2002 23:15:45 +0100


Not sure if it is mentioned in any of the links below, but after you set the
IWAM password, shouldn't we run the SYNCIWAM.VBS script from the AdminScripts
folder?

I think I did this the last time: Change Password on account, change
password on components that run with IWAM, restart service, run script.
I've got my notes at work.

Brjann Brekkan

"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
news:#pICWeCgCHA.2092@tkmsftngp12...
> I assume you're logged in as administrator when you run these commands. I
> also assume you're synching the password in the Metabase with the password
> on the IWAM account in the Windows user database.
>
> I would probably enable file and registry access failure auditing for all
> the folders and drives on your system, to see what is going on in the
> Windows security event log. I would also try the ADSUTIL.VBS command as
> described below to get the IWAM password and try setting it. If you get an
> error and you are logged in as an administrator, you could try uninstalling
> and reinstalling IIS, and/or you could search for the error message you
> received at www.microsoft.com/support or
> www.google.com/advanced_group_search or www.google.com
>
> I'd also be curious to know whether the problem also happens when you change
> the application isolation setting to Low.
>
> [There may also be other information or things to try in the links below]
>
> ============
>
> I'm having a problem with the IUSR_computername or IWAM_computername account
> on my computer or IIS web server, or the account keeps getting locked out.
>
> A: IIS may be using the IWAM_computername account instead of the
> IUSR_computername account when executing web page scripts. If so, there may
> be a problem with insufficient permissions or incorrect password on the IWAM
> account, especially if you assigned permissions to the IUSR account instead
> of the IWAM account.
>
> Use the IIS MMC to look at the "Application Isolation" properties of the
> folder containing the troubled script files. IIS runs application scripts
> using the IWAM account if the "Application Isolation" setting for the script
> or the folder containing the script is set to "Medium" or "High."
>
> [If your web page scripts start working after changing this setting to
> "Low," then you have probably confirmed that you have a problem with the
> IWAM account as described below. If changing this setting does not fix the
> problem, then the rest of this article may not apply to you and you should
> consider doing general .ASP troubleshooting using the link below instead:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q309051 ]
>
> Like the IUSR account, a copy of the IWAM account password is stored in the
> IIS metabase, so that IIS can log on as the IWAM account. IIS cannot log on
> as IWAM and/or IUSR if the password in the IIS metabase does not match the
> actual password for that user ID in the Windows security database.
>
> The ADSUTIL.VBS command can be used to retrieve or change the IWAM and/or
> IUSR ID and/or password stored in the IIS metabase. For example, you may
> need to use the command "ADSUTIL GET" to get the IWAM password from the
> metabase, then use the Windows 2000 / XP / .NET Local Users and Groups MMC
> to change the password on the IWAM account to match.
>
> More information on using the ADSUTIL.VBS command can be found in the
> articles below:
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q297989
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296851
>
> If you have deleted or created a new login ID to be used instead of the
> existing IWAM or IUSR account, you may need to grant the new account
> permission to "Log on Locally." See the article below for more information:
>
> www.iisfaq.com/default.asp?View=A324&P=128
>
> If an application script or web page on your IIS web server is unable to
> access files on another remote computer, you may need to determine which
> login ID is being used by the IIS web server to run the script, and set up
> an identical login ID and password for that account on the remote computer
> [or in some cases, the Windows domain]. See the article below for more
> information:
>
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;q207671
>
>
>
> ============
>
> Info on enabling auditing:
>
> =============
>
> Note that to enable logging of access to files or registry settings, you
> must both enable logging in the overall computer policy AND also add
> auditing settings on individual folders or registry keys in the NTFS
> security properties in Windows Explorer or the REGEDT32 registry editor.
> [Using REGEDIT will not work.] To log file access, the files must be on an
> NTFS-formatted partition.
>
> Note also that to enable logging of security events on a Windows domain, you
> must change the auditing policy on all domain controllers. Changing the
> auditing policy on the computers in the domain enables logging of failed
> logins to the computers using local accounts and would not necessarily log
> attempts to log into the domain.
>
> Consider changing the Windows event log settings to be appropriate for your
> environment. Consider increasing the maximum log size to retain more
> information. Be careful not to log too much, or you might find that your
> logs contain only a few minutes' or hours' worth of data. Finally, check the
> logs to be sure logs are really being captured.
>
> For more information on enabling and configuring auditing, see the articles
> below:
>
> http://nsa1.www.conxion.com/win2k/download.htm a.k.a. http://www.nsa.gov
> [look for the NSA Security Recommendation Guides for Windows 2000 and
> also Group Policy]
>
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/13w2kadc.asp
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310399 - XP
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549 - 2000
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q248260 - 2000
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q301640 - 2000, file
> access settings
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300958 - 2000,
> monitoring for unauthorized user access
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q157238 - NT
> http://www.labmice.net/troubleshooting/EventLog.htm
>
> [Thanks to Thomas Deml and others]
>
> ===================
>
> What are the minimum or default NTFS file permissions required for IIS,
> and/or how can I restore them?
>
> How should I configure secure NTFS file permissions to secure my web site
> content?
>
> A: More information is available in the following articles:
>
> How to set secure NTFS Permissions on IIS directories and log files -
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310361
>
> Minimum NTFS file permissions required for IIS:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q187506
>
>
> ============
>
> "Guillermo Calderon" <gcalderonc@terrra.com.co> wrote in message
> news:071101c28009$9f1bdea0$37ef2ecf@TKMSFTNGXA13...
> I removed my web server from a domain and included it in a
> workgroup.
>
> I changed the default IUSR_ and IWAM_ for new accounts, I
> gave them all the security rights needed.
>
> Now I'm getting errors like "Unable to start a DCOM
> Server" and "Access is denied. " related with Out-Of-
> Process applications and IWAM account when I tried to load
> a default page in the Default Web Site (Isolation Medium
> Pooled). The error in Iexplorer is "Server Application
> Error".
>
> I tried to apply TechNet articles (in order to sync
> account information in METABASE, SAM and COM+) but it
> wasn't successful.
>
> When I tried to modify the information about the old IWAM
> account in "Component Services" I got an error related to
> wrong domain; if I run synciwam.vbs from the command line
> I got errors too.
>
> I'm using Anonymous authentication.
>
> Please help me
>
> Guillermo
>
>
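
An added example, not part of the thread: the sequence from the reply at the top (change the account password, update the stored copies, restart the service, run SYNCIWAM.VBS) written as a batch file for an IIS 5.x server. The AdminScripts path, the default account name and the `w3svc/WAMUserName` / `w3svc/WAMUserPass` metabase keys are assumptions, not values given in the thread.

```batch
@echo off
rem Added example, not from the thread. Run from an administrator prompt on
rem the IIS 5.x server. Optional argument: the IWAM account name, for servers
rem where the default account was replaced (default: IWAM_<computername>).
setlocal
set "SCRIPTS=%SystemDrive%\Inetpub\AdminScripts"
set "ACCOUNT=%~1"
if "%ACCOUNT%"=="" set "ACCOUNT=IWAM_%COMPUTERNAME%"

if not exist "%SCRIPTS%\synciwam.vbs" (
    echo AdminScripts not found at %SCRIPTS%
    exit /b 1
)

rem Show the account name the metabase holds. If it does not match the
rem account being changed below, correct the name first; syncing a password
rem onto the wrong identity fixes nothing.
cscript //nologo "%SCRIPTS%\adsutil.vbs" GET w3svc/WAMUserName

rem Prompt instead of taking the password as an argument. Input is echoed,
rem and passwords containing quotes or percent signs will not survive this.
set /p "NEWPASS=New password for %ACCOUNT%: "
if "%NEWPASS%"=="" exit /b 1

rem 1. Windows account database
net user "%ACCOUNT%" "%NEWPASS%"
if errorlevel 1 (
    echo Could not set the password on %ACCOUNT%; metabase left unchanged.
    exit /b 1
)

rem 2. Copy of the password stored in the IIS metabase
cscript //nologo "%SCRIPTS%\adsutil.vbs" SET w3svc/WAMUserPass "%NEWPASS%"

rem 3. Restart IIS so it logs on with the new credentials
iisreset

rem 4. Push the metabase identity to the out-of-process COM+ applications
cscript //nologo "%SCRIPTS%\synciwam.vbs" -v
endlocal
```

Stopping after a failed `net user` keeps the metabase and the account database from diverging further, which is the mismatch the quoted FAQ describes.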