Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?
From: Vincent Polite (trinetgrinch@yahoo.com)
Date: 11/15/02
- Next message: davidmarq: "Secured and unsecured access"
- Previous message: renu: "prompts for username password dialog box"
- In reply to: Karl Westerholm [MS]: "Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
- Next in thread: Vincent Polite: "Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: trinetgrinch@yahoo.com (Vincent Polite) Date: 15 Nov 2002 10:59:30 -0800
Karl,
I am surfing directly to the testing directory. On the root I did
have both anonymous and basic authentication checked, so I removed
anonymous from there as well.
I then surfed to the website both from inside and outside my DSL
Router. The error message I got from my Internet Explorer browser
seemed a little different, in that it referred to the error message
referred to in this url:
http://support.microsoft.com/default.aspx?scid=kb;en-us;253667
I wasn't able to find ANYTHING in the event viewer that corresponded
to my failed attempts of logging into the website. <GROAN>
I'm sure that there is a clue in this somewhere... but i'll be damned
if I know what it is.
Vincent
karlwestonline@microsoft.com (Karl Westerholm [MS]) wrote in message news:<p2bO$TEjCHA.2340@cpmsftngxa08>...
> Based on the configuration we are using for this dir, (Basic
> authentication selected, anonymous & windows integrated *not* selected)
> there should be no access by the IUSR at all on the 'testing' VDIR.
>
> Now, it is possible that you are first hitting the root of the website
> just before browsing to the testing VDIR, and the root itself may have
> anonymous access enabled. If that was what was happening then we could
> maybe explain why we see the IUSR account in use.
>
> Can you reconfirm that the testing VDIR has *only* the Basic
> authentication option selected? Regardless of what else may be happening
> on the website, we have to first 100% confirm that there are no problems
> browsing to this VDIR as the local administrator account via Basic-only
> auth.
>
> As far as the router/firewall, as long as port 80 is opened we should be
> in good shape. The exchange of information that takes place between your
> browser & IIS to allow Basic to function takes place only over that port.
>
> -->Karl
>
>
>
> "Please do not send email directly to this alias. This is our online
> account name for newsgroup participation only."
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> You assume all risk for your use. © 2001 Microsoft Corporation. All rights
> reserved.
>
> --------------------
> | From: trinetgrinch@yahoo.com (Vincent Polite)
> | Newsgroups: microsoft.public.inetserver.iis.security
> | Subject: Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002
> = failure?
> | Date: 14 Nov 2002 11:05:50 -0800
> | Organization: http://groups.google.com/
> | Lines: 412
> |
> | Well, here's something wierder. I turned on Failure auditing for all
> | the events that you suggested, and I'm not getting any messages coming
> | into the Security Log for ANY of my login attempts via web browser or
> | Frontpage.
> |
> | Oh... waitaminute. I need to turn on auditing on the folder, too.
> | Hold on.
> |
> | OK. Everytime I attempt to login under Basic Authentication, no
> | matter what username I use, the Event Log registers: Event 560:
> | IUSR_blah account. Interestingly enough, in the log file there is a
> | single reference as <DOMAIN NAME>\IUSR_blah, but everywhere else in
> | the event log it is listed like a local user.
> |
> | In any case, the anonymous user impersonated by the IIS Server is the
> | one that seems to trigger all the entries. I don't know if this is
> | considered normal when you fail to authenticate, but I'm not getting
> | any specific reference to any of the accounts that I specifically used
> | to log in.
> |
> | Could my router (NAT/Firewall) somehow cause this? Does Basic Auth.
> | go over a different port than port 80? But I get this whether I use
> | the NETBIOS name of the box or the name based on DNS. This local box
> | is also the DNS server and has a correct local IP address entry for
> | the server...
> |
> | so... what would be the next step here?
> |
> | VP
> |
> |
> | karlwestonline@microsoft.com (Karl Westerholm [MS]) wrote in message
> news:<bb6fhN2iCHA.1880@cpmsftngxa08>...
> | > Hmmm....some odd results. So with the Basic-only auth, we are unable
> to
> | > get the local administrator account to logon/browse the simple ASP page
> | > through IIS? (local to the IIS box, that is?) The main test I wanted
> to
> | > confirm with this is that -- in the contect of the IIS5 machine's local
> | > administrator account -- we should have no problems at least browsing
> to
> | > the content.
> | >
> | > If this is possible, then our next step is to introduce the added
> | > complexity of attempting to physically connect & publish via FrontPage.
>
> | > But, if I am understanding your results, this does not seem to be
> taking
> | > place except when you enable Integrated auth?
> | >
> | > Are you sure that when you hit the IIS5 box and are prompted w/Basic
> | > auth that you are using the actual administrator account from the IIS5
> | > server? (and not, say, a domain administrator account?)
> | >
> | > Regardless, I would next say lets enable failure auditing for all
> | > events. To do this, go into the IIS server's administrative
> tools/local
> | > security policy MMC.
> | >
> | > Drill down in this MMC past 'security settings', 'local policy', &
> then
> | > into 'audit policy'. Double-click each entry you see there & then
> click
> | > the 'failure' checkbox. Once these are all set, go back to the
> top-level
> | > 'security settings' and right-click the icon you'll see there. (its a
> grey
> | > computer with a yellow padlock on it) From this menu, you should be
> able
> | > to select 'reload' to insure that these new auditing settings are
> actually
> | > enabled.
> | >
> | > Now, drill back down into the audit policy section: take note of
> the
> | > 'effective setting' vs. the 'local settings' column. If the effective
> | > setting is configured differently then the local settings column is,
> then
> | > this machine is a domain member & the audit policy we want to change is
> | > being set at the DC level & will need to be overridden on the DC.
> | >
> | > In any case, once this auditing is set then attempt to connect once
> more
> | > via Basic-only auth to our testing VDIR (also by windows machinename)
> and
> | > attempt to logon as local machine's 'administrator' account. If you
> still
> | > fail, you could try using 'IISmachinename\administrator', but the main
> | > purpose of this test is to see whay (if anything) we might turn up in
> the
> | > Event Viewer Security log.
> | >
> | > In the event of failed logins, we should see *some* failed event in
> | > security log (look for events with a 'lock' icon) that will help
> explain
> | > why our admin account is not working.
> | >
> | > Once we can get the admin account to successfully authenticate &
> browse
> | > then we can move on and add the FP connectivity/authentication tests to
> the
> | > mix for the admin user. Ultimately, assuming we can get that to work,
> we
> | > finally start using the actual garden-variety local users, (and/or
> domain
> | > user accounts) insure they have the appropriate NTFS & user rights to
> | > access content & logon locally, and (hopefully) finally get *them*
> happy as
> | > well.
> | >
> | > Note that if this IIS5 machine is a member of a domain, we may as
> well
> | > enable the same kind of auditing on the DC as we are doing on the IIS5
> | > server. At some point we *should* start seeing security log failure
> events
> | > either on the local machine or on the DC that can 100% be syncronized
> with
> | > our failed attempts to either logon & browse, and/or connect via
> FrontPage.
> | >
> | > -->Karl
> | >
> | >
> | >
> | >
> | > "Please do not send email directly to this alias. This is our online
> | > account name for newsgroup participation only."
> | >
> | > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> | > You assume all risk for your use. © 2001 Microsoft Corporation. All
> rights
> | > reserved.
> | >
> | > --------------------
> | > | From: trinetgrinch@yahoo.com (Vincent Polite)
> | > | Newsgroups: microsoft.public.inetserver.iis.security
> | > | Subject: Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage
> 2002
> = failure?
> | > | Date: 13 Nov 2002 10:16:09 -0800
> | > | Organization: http://groups.google.com/
> | > |
> | > | Karl,
> | > |
> | > | Thanks for laying out some basic testing strategy. I appreciate it,
> | > | as I lost my discipline through frustration.
> | > |
> | > | That said, I wanted to post the results of my first test.
> | > |
> | > | I created a folder on my E: drive called E:\testing. In it I included
> | > | a default.asp page with a basic Response.Write("Hello World") type of
> | > | message.
> | > | I locked down the default.asp file and the E:\testing folder with NTFS
> | > | permissions only corresponding to the Administrator account and the
> | > | SYSTEM account.
> | > |
> | > | In IIS I took the virtual server that I was testing, and adding the
> | > | testing directory as a virtual directory, protected under the Basic
> | > | Authentication premise.
> | > |
> | > | Browsing to the web, under my current configuration, I am currently
> | > | forced to use a fully qualified domain name because of my use of host
> | > | headers. In browsing to the page, I am challenged by the Basic
> | > | authentication dialog box.
> | > |
> | > | Under Windows XP (remote test client), I am prompted for a
> | > | username/password. Under Win2K Server (local test client), I am
> | > | prompted for a username/password, and the dialog box notifies me that
> | > | the "Realm" being authenticated against is the name of my virtual
> | > | server.
> | > |
> | > | I attempted to login using the following combinations.
> | > |
> | > | <administrator accountname>
> | > | <domainname>\<administrator accountname>
> | > | <administrator accountname>@domainname
> | > | <administrator accountname>@domainname.com
> | > |
> | > | None of the username/password combinations were accepted.
> | > |
> | > | When I add the Integrated Windows Authentication tab, my internal
> | > | client validates, while my external client (behind the proxy server)
> | > | gives me the expected message that NT Challenge/Response is not
> | > | supported by this proxy.
> | > |
> | > | Turning everything back to Basic Authentication gives me the same
> | > | issues (no username/password combination is accepted)
> | > |
> | > | This time, I turn off ALL of my other virtual web servers and
> | > | host-header enabled sites, so the only thing that is on is the server
> | > | I am testing. This also allows me to surf to the site using the
> | > | NetBios name of the server.
> | > |
> | > | I attempt to access the protected directory using the following
> | > | conventions:
> | > |
> | > | http://
> | > | http://
> | > |
> | > | Both methods give me the same Basic Authentication dialog that I
> | > | cannot seem to bypass.
> | > |
> | > | Switching the server to accept Integrated Windows Authentication, and
> | > | everything works as expected.
> | > |
> | > | Hmmmmm.
> | > |
> | > | Vincent Polite
> | > | Not tearing his hair out because he's had his Mountain Dew this
> | > | morning. :)
> | > |
> | > | Any ideas?
> | > |
> | > | P.S. The event log under System, Application, or Security doesn't
> | > | show any events that show my failed attempts that I have been trying
> | > | to log into the server.
> | > |
> | > |
> | > |
> | > |
> | > |
> | > | karlwestonline@microsoft.com (Karl Westerholm [MS]) wrote in message
> news:<pOD2$griCHA.2368@cpmsftngxa09>...
> | > | > I've been where you are, and I can certainly sympathize! With
> every
> | > | > extra bit added to the configuration of this puzzle, the problem
> seems
> to
> | > | > become almost unsolvable. But, as someone once said, 'the truth is
> out
> | > | > there'! :)
> | > | >
> | > | >
> | > | > I would try to start with the simplest possible configuration
> and
> work
> | > | > upward:
> | > | >
> | > | > 1.) Create a brand-new test physical directory (called, say,
> c:\testing)
> | > | > local to your IIS5 server, and be careful to keep this physical
> directory
> | > | > outside of any other web content directories you have currently.
> | > | >
> | > | > 2.) Place a single *simple* HTML or ASP file in that dir
> (something
> like
> | > | > '<% response.write time %>', in other words) and Assign NTFS
> permissions on
> | > | > the file + dir to be 'administrator' & 'system' full control...no
> other
> | > | > NTFS perms.
> | > | >
> | > | > 3.) Map this physical dir to a virtual directory (called, say,
> 'testing'
> | > | > ;) under the website in question, enabling only Basic
> authentication.
> | > | >
> | > | > 4.) Prove that you can at least browse to this file in IE, are
> prompted to
> | > | > authenticate, and can use the local administrator account to
> successfully
> | > | > authenticate to it.
> | > | >
> | > | >
> | > | > Gotchas to be aware of:
> | > | >
> | > | > - Always have 'show friendly HTTP error messages' turned off in
> your
> test
> | > | > copy of IE. (IE's tools/internet options/advanced tab) If this
> option
> is
> | > | > checked on your test IE client, it may mask additional error
> messages
> you
> | > | > may be getting that are very significant.
> | > | >
> | > | >
> | > | > - When testing with IE or FrontPage local to the webserver for a
> baseline
> | > | > 'is this working yet?' reference, be sure to connect via
> windowsmachinename
> | > | > rather then IP or FQDN. That is to say, use 'http://machinename'
> to
> | > | > connect rather then 'http://1.2.3.4'.
> | > | >
> | > | > IE (and FrontPage too, if I am not mistaken) will interperate
> the
> | > | > presence of periods in the address as indicating the request *may*
> be
> | > | > Internet, and not Intranet. This may have the effect of remoting
> your
> | > | > request out through a configured Proxy even when you do not wish to
> do
> so.
> | > | >
> | > | >
> | > | > - Be careful to cycle the IISAdmin service whenever you are making
> security
> | > | > tweaks & NTFS-type permissions modifications. IIS5 will cache the
> | > | > credentials of a given user account for a period of time (15
> minutes, I
> | > | > believe) so if you do not cycle the IISAdmin service, or wait until
> the
> | > | > credentials are no longer cached, you may have made a tweak that
> actually
> | > | > fixed the problem but just do not realize it has worked.
> | > | >
> | > | > You can cycle IISAdmin from control panel/services, but I
> generally
> like
> | > | > to use the command-line:
> | > | >
> | > | > net stop iisadmin
> | > | > (followed by)
> | > | > net start w3svc
> | > | >
> | > | > Of course, this *also* has the effect of stopping all your
> websites
> on
> | > | > that box until the w3svc service is restarted. You can adjust the
> caching
> | > | > of credentials in IIS upward or downward, but setting it to too
> small a
> | > | > time can have implications to poor performance. See also:
> | > | > http://support.microsoft.com/default.aspx?scid=KB;en-us;152526&
> | > | >
> | > | >
> | > | > Now that I have some of those gotchas out of the way, lets get
> back
> to
> | > | > our testing VDIR. I am presuming that at this point browsing
> locally,
> | > | > authenticating as the admin user, and displaying simple content is
> working
> | > | > perfectly.
> | > | >
> | > | > Next, lets configure the server extensions on this
> VDIR....select
> the
> | > | > defaults.
> | > | >
> | > | > Once you have the extensions configured, attempt to connect to
> via
> | > | > FrontPage from the local machine. Can you connect? Does it prompt
> you
> for
> | > | > authentication? Do the admin user credentials that worked for
> browse
> allow
> | > | > you to connect fully w/FP as well?
> | > | >
> | > | > If not, keep careful track of any errors you get in the process
> and
> post
> | > | > them back here. Also, immediately after whatever FP-failure you
> | > | > experience, track down the IIS5 server's System & Application event
> viewer
> | > | > logs. Look for any red (stop) or yellow (warning) error messages
> that
> seem
> | > | > to be synced up with the failure....and post them as well! :)
> | > | >
> | > | > Regards,
> | > | > -->Karl
> | > | >
> | > | >
> | > | >
> | > | >
> | > | > "Please do not send email directly to this alias. This is our
> online
> | > | > account name for newsgroup participation only."
> | > | >
> | > | > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> | > | > You assume all risk for your use. © 2001 Microsoft Corporation. All
> rights
> | > | > reserved.
> | > | >
> | > | > --------------------
> | > | > | From: trinetgrinch@yahoo.com (Vincent Polite)
> | > | > | Newsgroups: microsoft.public.inetserver.iis.security
> | > | > | Subject: Basic Authentication + IIS 5 + Windows 2000 + Frontpage
> 2002
> | > =
> | > failure?
> | > | > | Date: 12 Nov 2002 16:17:27 -0800
> | > | > | Organization: http://groups.google.com/
> | > | > |
> | > | > | I have seen threads about this topic all over UseNet, so I wanted
> to
> | > | > | state my problem which may or may not have a unique twist.
> | > | > |
> | > | > | The setup:
> | > | > |
> | > | > | My web server is a Windows 2000 Server. It houses Exchange 2000
> and
> | > | > | runs IIS5 Web Services and FTP Service. From a website
> perspective, I
> | > | > | host (for personal reasons) about 30 different websites. These
> | > | > | websites are differentiated using host-headers, configured
> through the
> | > | > | Internet Services Manager.
> | > | > |
> | > | > | The websites are divided into 4 domains.
> | > | > |
> | > | > | *.domain1.com (20)
> | > | > | *.domain2.com (2)
> | > | > | hostname1.domain3.com
> | > | > | hostname2.domain4.com
> | > | > |
> | > | > | The last two entries are websites that I planned on hosting for
> some
> | > | > | friends. However, to avoid having all their network traffic
> getting
> | > | > | sent to my machine before the site was ready, I set up special
> | > | > | instances on the server.
> | > | > |
> | > | > | The web server itself is behind a Netgear Home Protection System
> on
> | > | > | the tail end of an ADSL Line. I have set up port forwarding for
> ports
> | > | > | 80 (HTTP), 443 (HTTPS on IIS), 25(SMTP), and the ports for my
> remote
> | > | > | control program. (I'm pretty sure FTP is set up as well)
> | > | > |
> | > | > | On all of the sites I have set up the Frontpage Server Extensions
> | > | > | circa 2002. On the majority of the sites, I have set up
> Sharepoint
> | > | > | Team Services.
> | > | > |
> | > | > | When I was using NTLM, I was able to connect to my sites and
> | > | > | authenticate with any password protected sites no problem. All
> the
> | > | > | sites worked perfectly, and I had nary a problem.
> | > | > |
> | > | > |
> | > | > | The problem:
> | > | > |
> | > | > | I wanted to work on a friends' site using the facilities/software
> I
> | > | > | had available at the office. I was going to use Frontpage 2002 to
> | > | > | edit this website, but my company's proxy server will not allow NT
> | > | > | Challenge/Response w/untrusted domains.
> | > | > |
> | > | > | Because I cannot convince the powers that be at my office to let
> me
> | > | > | use NT Challenge/Response against my web server, I felt a
> reasonable
> | > | > | alternative would be to change the authentication on the website
> to
> | > | > | "Basic Authentication."
> | > | > |
> | > | > | Once I made this change through the Internet Services Manager, I
> was
> | > | > | unable to use Frontpage to edit the site. The problem went beyond
> | > | > | Frontpage, as well. In order to make sure it wasn't my company's
> | > | > | proxy server, I tried to edit the site running Frontpage locally
> on
> | > | > | the server itself, and I couldn't validate any of my accounts.
> | > | > |
> | > | > | After perusing this newsgroup for about a week, i ran across the
> | > | > | following notions:
> | > | > |
> | > | > | 1) Make sure the accounts can log on locally to the server.
> | > | > | 2) Make sure that when logging on, use the servername\username
> format
> | > | > | for the username password prompt.
> | > | > | 3) Set a default domain equal to the domain of the account you are
> | > | > | using.
> | > | > | 4) Set a default domain equal to '\' which signifies all trusted
> | > | > | domains.
> | > | > |
> | > | > | Nothing works. At this point my brain is too numb to orchestrate
> the
> | > | > | test of just checking basic authentication against a protected
> page in
> | > | > | the website, but I'm pretty sure I can't get that to work as
> well.
> | > | > | Meaning, go into Explorer, remove permissions for a specific page
> | > | > | except for a specific user, and then try to browse to that page
> using
> | > | > | a web browser under basic authentication.
> | > | > |
> | > | > | Any ideas as to how I can approach this problem at this point?
> | > | > | Clearly I haven't tried everything, but I feel like I've exhausted
> | > | > | quite a few possibilities.
> | > | > |
> | > | > | Thanks,
> | > | > |
> | > | > | Vincent Polite
> | > | > | Internet Application Specialist about to rescind his title
> | > | > |
> | > |
> |
- Next message: davidmarq: "Secured and unsecured access"
- Previous message: renu: "prompts for username password dialog box"
- In reply to: Karl Westerholm [MS]: "Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
- Next in thread: Vincent Polite: "Re: Basic Authentication + IIS 5 + Windows 2000 + Frontpage 2002 = failure?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
