Re: IWAM Out of sync

From: Brjann Brekkan (bbrekkan@hotmail.com)
Date: 10/30/02


From: "Brjann Brekkan" <bbrekkan@hotmail.com>
Date: Wed, 30 Oct 2002 23:15:45 +0100


Not sure if it is mentioned in any of the links below but after you set the
IWAM password, shouldn't we run the SYNCIWAM.Vbs script from Adminscripts
folder?

I think I did this the last time: Change Password on account, change
password on components that run with IWAM, restart service, run script.
I've got my notes at work.

Brjann Brekkan

"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
news:#pICWeCgCHA.2092@tkmsftngp12...
> I assume you're logged in as administrator when you run these commands. I
> also assume you're synching the password in the Metabase with the password
> on the IWAM account in the Windows user database.
>
> I would probably enable file and registry access failure auditing for all
> the folders and drives on your system, to see what is going on in the
> Windows security event log. I would also try the ADSUTIL.VBS command as
> described below to get the IWAM password and try setting it. If you get an
> error and you are logged in as an administrator, you could try uninstalling
> and reinstalling IIS, and/or you could search for the error message you
> received at www.microsoft.com/support or
> www.google.com/advanced_group_search or www.google.com
>
> I'd also be curious to know whether the problem also happens when you change
> the application isolation setting to Low.
>
> [There may also be other information or things to try in the links below]
>
> ============
>
> I'm having a problem with the IUSR_computername or IWAM_computername account
> on my computer or IIS web server, or the account keeps getting locked out.
>
> A: IIS may be using the IWAM_computername account instead of the
> IUSR_computername account when executing web page scripts. If so, there may
> be a problem with insufficient permissions or incorrect password on the IWAM
> account, especially if you assigned permissions to the IUSR account instead
> of the IWAM account.
>
> Use the IIS MMC to look at the "Application Isolation" properties of the
> folder containing the troubled script files. IIS runs application scripts
> using the IWAM account if the "Application Isolation" setting for the script
> or the folder containing the script is set to "Medium" or "High."
>
> [If your web page scripts start working after changing this setting to
> "Low," then you have probably confirmed that you have a problem with the
> IWAM account as described below. If changing this setting does not fix the
> problem, then the rest of this article may not apply to you and you should
> consider doing general .ASP troubleshooting using the link below instead:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q309051 ]
>
> Like the IUSR account, a copy of the IWAM account password is stored in the
> IIS metabase, so that IIS can log on as the IWAM account. IIS cannot log on
> as IWAM and/or IUSR if the password in the IIS metabase does not match the
> actual password for that user ID in the Windows security database.
>
> The ADSUTIL.VBS command can be used to retrieve or change the IWAM and/or
> IUSR ID and/or password stored in the IIS metabase. For example, you may
> need to use the command "ADSUTIL GET" to get the IWAM password from the
> metabase, then use the Windows 2000 / XP / .NET Local Users and Groups MMC
> to change the password on the IWAM account to match.
>
> More information on using the ADSUTIL.VBS command can be found in the
> articles below:
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q297989
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296851
>
> If you have deleted or created a new login ID to be used instead of the
> existing IWAM or IUSR account, you may need to grant the new account
> permission to "Log on Locally." See the article below for more information:
>
> www.iisfaq.com/default.asp?View=A324&P=128
>
> If an application script or web page on your IIS web server is unable to
> access files on another remote computer, you may need to determine which
> login ID is being used by the IIS web server to run the script, and set up
> an identical login ID and password for that account on the remote computer
> [or in some cases, the Windows domain]. See the article below for more
> information:
>
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;q207671
>
>
>
> ============
>
> Info on enabling auditing:
>
> =============
>
> Note that to enable logging of access to files or registry settings, you
> must both enable logging in the overall computer policy AND also add
> auditing settings on individual folders or registry keys in the NTFS
> security properties in Windows Explorer or the REGEDT32 registry editor.
> [Using REGEDIT will not work.] To log file access, the files must be on an
> NTFS-formatted partition.
>
> Note also that to enable logging of security events on a Windows domain, you
> must change the auditing policy on all domain controllers. Changing the
> auditing policy on the computers in the domain enables logging of failed
> logins to the computers using local accounts and would not necessarily log
> attempts to log into the domain.
>
> Consider changing the Windows event log settings to be appropriate for your
> environment. Consider increasing the maximum log size to retain more
> information. Be careful not to log too much, or you might find that your
> logs contain only a few minutes or hours worth of data. Finally, check the
> logs to be sure logs are really being captured.
>
> For more information on enabling and configuring auditing, see the articles
> below:
>
> http://nsa1.www.conxion.com/win2k/download.htm a.k.a. http://www.nsa.gov
> [look for the NSA Security Recommendation Guides for Windows 2000 and
> also Group Policy]
>
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/13w2kadc.asp
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310399 - XP
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549 - 2000
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q248260 - 2000
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q301640 - 2000, file
> access settings
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300958 - 2000,
> monitoring for unauthorized user access
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q157238 - NT
> http://www.labmice.net/troubleshooting/EventLog.htm
>
> [Thanks to Thomas Deml and others]
>
> ===================
>
> What are the minimum or default NTFS file permissions required for IIS,
> and/or how can I restore them?
>
> How should I configure secure NTFS file permissions to secure my web site
> content?
>
> A: More information is available in the following articles:
>
> How to set secure NTFS Permissions on IIS directories and log files -
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310361
>
> Minimum NTFS file permissions required for IIS:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q187506
>
>
> ============
>
> "Guillermo Calderon" <gcalderonc@terrra.com.co> wrote in message
> news:071101c28009$9f1bdea0$37ef2ecf@TKMSFTNGXA13...
> I removed my web server from a domain and included it in a
> workgroup.
>
> I changed the default IUSR_ and IWAM_ for new accounts, I
> gave them all the security rights needed.
>
> Now I'm getting errors like "Unable to start a DCOM
> Server" and "Access is denied. " related with Out-Of-
> Process applications and IWAM account when I tried to load
> a default page in the Default Web Site (Isolation Medium
> Pooled). The error in Iexplorer is "Server Application
> Error".
>
> I tried to apply TechNet articles (in order to sync
> account information in METABASE, SAM and COM+) but it
> wasn't successful.
>
> When I tried to modify the information about the old IWAM
> account in "Component Services" I got an error related to
> wrong domain; if I run synciwam.vbs from the command line
> I got errors too.
>
> I'm using Anonymous authentication.
>
> Please help me
>
> Guillermo
>
>
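
The resync sequence discussed in this thread (account password, metabase copy, synciwam.vbs, IIS restart), written out as a batch file. This is an added example, not part of the original posts; the AdminScripts path, the default `IWAM_<computername>` account name and the order of the last two steps are assumptions to adjust for your server.

```bat
@echo off
rem Added example, not from the thread: resync the IWAM password in the
rem Windows user database, the IIS metabase and COM+ on one IIS server.
rem Assumptions: default AdminScripts location, default IWAM_<computername>
rem account name, run from an administrator command prompt.
setlocal
set "SCRIPTS=%SystemDrive%\Inetpub\AdminScripts"
set "ACCOUNT=IWAM_%COMPUTERNAME%"

if not exist "%SCRIPTS%\adsutil.vbs" (
    echo adsutil.vbs not found in %SCRIPTS%
    exit /b 1
)

rem Show which account name the metabase holds. If it differs from
rem ACCOUNT (for example after replacing the default accounts), stop
rem and edit ACCOUNT above before continuing.
cscript //nologo "%SCRIPTS%\adsutil.vbs" get w3svc/wamusername

set /p "NEWPASS=New password for %ACCOUNT%: "
if not defined NEWPASS exit /b 1

rem 1. Password on the account in the Windows user database.
net user "%ACCOUNT%" "%NEWPASS%" || goto :failed

rem 2. Copy of the password stored in the IIS metabase.
cscript //nologo "%SCRIPTS%\adsutil.vbs" set w3svc/wamuserpass "%NEWPASS%" || goto :failed

rem 3. COM+ applications that run as IWAM (out-of-process isolation).
cscript //nologo "%SCRIPTS%\synciwam.vbs" -v || goto :failed

rem 4. Restart IIS so it logs on with the new password.
iisreset || goto :failed

echo IWAM password resynchronised for %ACCOUNT%.
exit /b 0

:failed
rem The .vbs scripts may not return a nonzero exit code on every
rem failure, so read their output as well as this message.
echo A step failed. Check the output above and the event log.
exit /b 1
```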


