Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?
From: Vincent Polite (trinetgrinch@yahoo.com)
Date: 11/13/02
- Next message: david: "Network logon screen"
- Previous message: Vincent Polite: "Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
- In reply to: Karl Westerholm [MS]: "RE: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
- Next in thread: urbanbuda: "Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
- Reply: urbanbuda: "Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
- Reply: Vincent Polite: "Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: trinetgrinch@yahoo.com (Vincent Polite) Date: 13 Nov 2002 10:22:48 -0800
Karl,
One other thing. Is it unusual that I cannot log on to the actual
machine?
By this, I mean, usually, on the basic logon screen of a server, I see
a space for username and password, as well as domain. And domain will
be filled in with a list of domain names, including the name of the
local computer.
In my setup, I cannot log in to the local computer, only the domain.
This machine was my very first win2k server and is the first machine
running active directory.
VP
karlwestonline@microsoft.com (Karl Westerholm [MS]) wrote in message news:<pOD2$griCHA.2368@cpmsftngxa09>...
> I've been where you are, and I can certainly sympathize! With every
> extra bit added to the configuration of this puzzle, the problem seems to
> become almost unsolvable. But, as someone once said, 'the truth is out
> there'! :)
>
>
> I would try to start with the simplest possible configuration and work
> upward:
>
> 1.) Create a brand-new test physical directory (called, say, c:\testing)
> local to your IIS5 server, and be careful to keep this physical directory
> outside of any other web content directories you have currently.
>
> 2.) Place a single *simple* HTML or ASP file in that dir (something like
> '<% response.write time %>', in other words) and Assign NTFS permissions on
> the file + dir to be 'administrator' & 'system' full control...no other
> NTFS perms.
>
> 3.) Map this physical dir to a virtual directory (called, say, 'testing'
> ;) under the website in question, enabling only Basic authentication.
>
> 4.) Prove that you can at least browse to this file in IE, are prompted to
> authenticate, and can use the local administrator account to successfully
> authenticate to it.
>
>
> Gotchas to be aware of:
>
> - Always have 'show friendly HTTP error messages' turned off in your test
> copy of IE. (IE's tools/internet options/advanced tab) If this option is
> checked on your test IE client, it may mask additional error messages you
> may be getting that are very significant.
>
>
> - When testing with IE or FrontPage local to the webserver for a baseline
> 'is this working yet?' reference, be sure to connect via windowsmachinename
> rather then IP or FQDN. That is to say, use 'http://machinename' to
> connect rather then 'http://1.2.3.4'.
>
> IE (and FrontPage too, if I am not mistaken) will interperate the
> presence of periods in the address as indicating the request *may* be
> Internet, and not Intranet. This may have the effect of remoting your
> request out through a configured Proxy even when you do not wish to do so.
>
>
> - Be careful to cycle the IISAdmin service whenever you are making security
> tweaks & NTFS-type permissions modifications. IIS5 will cache the
> credentials of a given user account for a period of time (15 minutes, I
> believe) so if you do not cycle the IISAdmin service, or wait until the
> credentials are no longer cached, you may have made a tweak that actually
> fixed the problem but just do not realize it has worked.
>
> You can cycle IISAdmin from control panel/services, but I generally like
> to use the command-line:
>
> net stop iisadmin
> (followed by)
> net start w3svc
>
> Of course, this *also* has the effect of stopping all your websites on
> that box until the w3svc service is restarted. You can adjust the caching
> of credentials in IIS upward or downward, but setting it to too small a
> time can have implications to poor performance. See also:
> http://support.microsoft.com/default.aspx?scid=KB;en-us;152526&
>
>
> Now that I have some of those gotchas out of the way, lets get back to
> our testing VDIR. I am presuming that at this point browsing locally,
> authenticating as the admin user, and displaying simple content is working
> perfectly.
>
> Next, lets configure the server extensions on this VDIR....select the
> defaults.
>
> Once you have the extensions configured, attempt to connect to via
> FrontPage from the local machine. Can you connect? Does it prompt you for
> authentication? Do the admin user credentials that worked for browse allow
> you to connect fully w/FP as well?
>
> If not, keep careful track of any errors you get in the process and post
> them back here. Also, immediately after whatever FP-failure you
> experience, track down the IIS5 server's System & Application event viewer
> logs. Look for any red (stop) or yellow (warning) error messages that seem
> to be synced up with the failure....and post them as well! :)
>
> Regards,
> -->Karl
>
>
>
>
> "Please do not send email directly to this alias. This is our online
> account name for newsgroup participation only."
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> You assume all risk for your use. © 2001 Microsoft Corporation. All rights
> reserved.
>
> --------------------
> | From: trinetgrinch@yahoo.com (Vincent Polite)
> | Newsgroups: microsoft.public.inetserver.iis.security
> | Subject: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 =
> failure?
> | Date: 12 Nov 2002 16:17:27 -0800
> | Organization: http://groups.google.com/
> |
> | I have seen threads about this topic all over UseNet, so I wanted to
> | state my problem which may or may not have a unique twist.
> |
> | The setup:
> |
> | My web server is a Windows 2000 Server. It houses Exchange 2000 and
> | runs IIS5 Web Services and FTP Service. From a website perspective, I
> | host (for personal reasons) about 30 different websites. These
> | websites are differentiated using host-headers, configured through the
> | Internet Services Manager.
> |
> | The websites are divided into 4 domains.
> |
> | *.domain1.com (20)
> | *.domain2.com (2)
> | hostname1.domain3.com
> | hostname2.domain4.com
> |
> | The last two entries are websites that I planned on hosting for some
> | friends. However, to avoid having all their network traffic getting
> | sent to my machine before the site was ready, I set up special
> | instances on the server.
> |
> | The web server itself is behind a Netgear Home Protection System on
> | the tail end of an ADSL Line. I have set up port forwarding for ports
> | 80 (HTTP), 443 (HTTPS on IIS), 25(SMTP), and the ports for my remote
> | control program. (I'm pretty sure FTP is set up as well)
> |
> | On all of the sites I have set up the Frontpage Server Extensions
> | circa 2002. On the majority of the sites, I have set up Sharepoint
> | Team Services.
> |
> | When I was using NTLM, I was able to connect to my sites and
> | authenticate with any password protected sites no problem. All the
> | sites worked perfectly, and I had nary a problem.
> |
> |
> | The problem:
> |
> | I wanted to work on a friends' site using the facilities/software I
> | had available at the office. I was going to use Frontpage 2002 to
> | edit this website, but my company's proxy server will not allow NT
> | Challenge/Response w/untrusted domains.
> |
> | Because I cannot convince the powers that be at my office to let me
> | use NT Challenge/Response against my web server, I felt a reasonable
> | alternative would be to change the authentication on the website to
> | "Basic Authentication."
> |
> | Once I made this change through the Internet Services Manager, I was
> | unable to use Frontpage to edit the site. The problem went beyond
> | Frontpage, as well. In order to make sure it wasn't my company's
> | proxy server, I tried to edit the site running Frontpage locally on
> | the server itself, and I couldn't validate any of my accounts.
> |
> | After perusing this newsgroup for about a week, i ran across the
> | following notions:
> |
> | 1) Make sure the accounts can log on locally to the server.
> | 2) Make sure that when logging on, use the servername\username format
> | for the username password prompt.
> | 3) Set a default domain equal to the domain of the account you are
> | using.
> | 4) Set a default domain equal to '\' which signifies all trusted
> | domains.
> |
> | Nothing works. At this point my brain is too numb to orchestrate the
> | test of just checking basic authentication against a protected page in
> | the website, but I'm pretty sure I can't get that to work as well.
> | Meaning, go into Explorer, remove permissions for a specific page
> | except for a specific user, and then try to browse to that page using
> | a web browser under basic authentication.
> |
> | Any ideas as to how I can approach this problem at this point?
> | Clearly I haven't tried everything, but I feel like I've exhausted
> | quite a few possibilities.
> |
> | Thanks,
> |
> | Vincent Polite
> | Internet Application Specialist about to rescind his title
> |
- Next message: david: "Network logon screen"
- Previous message: Vincent Polite: "Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
- In reply to: Karl Westerholm [MS]: "RE: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
- Next in thread: urbanbuda: "Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
- Reply: urbanbuda: "Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
- Reply: Vincent Polite: "Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
